Archive 17/01/2023.

DNSSEC issue with forum

SirNate0

There is apparently an issue with how the forum’s DNS entry is signed, which is preventing it from being available at my university.

See discourse.urho3d.io | DNSViz for a description.

weitjong

Thanks for reporting that. Unfortunately, I am not able to find anything wrong with the existing setup that I inherited from hd_, who started this forum initially. Looking at the result from another tool here, it appears the domain “urho3d.io” works fine. The error seems to happen in the CNAME record which links “discourse.urho3d.io” to the hosted Discourse site (urho3d.hosted-by-discourse.com), which we actually got for free. I won’t pretend I actually know what the error is all about, but most likely it is not something I can fix from my end.

Could you test whether you can access other “hosted” discourse forums from your university?

SirNate0

It looks like the python forum works fine. You can see the same report here that doesn’t show the error messages:
https://dnsviz.net/d/discuss.python.org/dnssec/

Here’s a group that had similar issues that seem to have been solved
https://groups.google.com/g/public-dns-discuss/c/HxKWcF3vm9o

and the Discourse instructions, in case they changed at some point

weitjong

The link you have provided for setting up the hosted Discourse forum is the one we use. I don’t see any discrepancies in our existing setup, like I said before. I may need to talk to our name registrar for additional support to get to the bottom of this. There is really not much in the settings to play around with on our side.

weitjong

Our name registrar has checked the setup and confirmed that there is nothing wrong in our configuration (and on their side as well) with respect to DNSSEC. It is the hosted Discourse forum (that we got for free from Discourse) that does not support DNSSEC. I will have to loop in the support from Discourse to investigate further.

In the meantime, you may want to ask your network admin to try to clear the DNS cache, in case that is the reason why you cannot reach the forum from your university while the rest of us can, despite the issue with DNSSEC.

You may ask your forum user to clear cache of his browser or use another one. You can follow this guide to clear cache: https://www.namecheap.com/support/knowledgebase/article.aspx/9209/2194/how-to-clear-cache-in-different-browsers-windows .

Also, he can clear his DNS cache as it is described in this guide: https://www.namecheap.com/support/knowledgebase/article.aspx/397/2194/how-to-clear-local-dns-cache .

weitjong

Just a brief update. I have contacted Discourse staff to get their support. The discussion is still ongoing in the PM. The temporary summary is that there is something wrong with the setup that is causing the DNSSEC error, but there is still no conclusion on who is at fault (me maintaining that one single CNAME record[?], the name registrar, or the hosted Discourse forum). The only thing that both the namecheap guy and the Discourse guys agree on (in separate discussions with me) is that the DNSSEC error should not cause issues for the forum users accessing the forum.

SirNate0

Per the IT staff,

The domain now appears to be working, although the DNSSEC setup is still not completely correct.

I’m traveling at present, so I can’t confirm. If you made any changes, though, they seem to have worked.

weitjong

I am glad to hear that. I did not specifically alter our DNS records to solve the DNSSEC error though, but the DNS records have been altered to make way for migrating gh-pages to our apex domain.

I have closed the DNSSEC error investigation with both namecheap and Discourse. The conclusion I got so far is that it is the CNAME target itself that does not have DNSSEC enabled, i.e. if you point the URL to “urho3d.github.io” directly or point to “urho3d.hosted-by-discourse.com” on the analyze tool then you will see it ends up with DNSSEC errors too.
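
Added example, not part of the thread and not code from any poster: a small Python model of how a validating resolver classifies a CNAME chain. An unsigned target with no DS record in its parent is "insecure" and still resolves, while a DS record that points at an unsigned zone is "bogus" and fails. The zone states in `ZONES` and `STALE_DS` are constructed assumptions, not measurements of the real domains.

```python
# Added example. All zone data below is constructed for illustration and is
# not the measured state of any real domain.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# zone -> (parent publishes a DS record for it, zone serves DNSKEY/RRSIG)
ZONES = {
    "io.": (True, True),
    "urho3d.io.": (True, True),
    "com.": (True, True),
    "hosted-by-discourse.com.": (False, False),  # assumption: unsigned, no DS
}

def zone_path(name, zones):
    """Modelled zone cuts from the TLD down to the zone that holds `name`."""
    labels = name.rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1))
    return [z for z in suffixes if z in zones]

def zone_status(name, zones):
    """Validation status of records at `name`, walking down from the root."""
    path = zone_path(name, zones)
    if not path:
        raise ValueError(f"no modelled zone for {name}")
    for zone in path:  # the root trust anchor is assumed to be configured
        has_ds, signed = zones[zone]
        if not has_ds:
            return INSECURE  # proven absence of DS: validation stops here
        if not signed:
            return BOGUS     # DS promises signatures that never arrive
    return SECURE

def chain_status(cname_chain, zones):
    """An answer is only as good as the weakest hop of its CNAME chain."""
    statuses = [zone_status(name, zones) for name in cname_chain]
    for worst in (BOGUS, INSECURE):
        if worst in statuses:
            return worst
    return SECURE

def resolver_result(status):
    """What a validating resolver hands back to the client."""
    return {SECURE: "answer, AD=1", INSECURE: "answer, AD=0",
            BOGUS: "SERVFAIL"}[status]

CHAIN = ["discourse.urho3d.io.", "urho3d.hosted-by-discourse.com."]
# Constructed variant: a DS is still published for a zone that is not signed.
STALE_DS = {**ZONES, "hosted-by-discourse.com.": (True, False)}

if __name__ == "__main__":
    for label, zones in (("unsigned target", ZONES), ("stale DS", STALE_DS)):
        print(label, "->", resolver_result(chain_status(CHAIN, zones)))
```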