Zone stuck in Pending Nameserver Update
If your nameservers are correctly set to Cloudflare but your zone remains in Pending Nameserver Update status, stale DNSSEC DS records at your registrar are the most common cause.
DS records belong to your registrar (where the domain is registered), not to Cloudflare. When you change DNS providers, DS records from the previous provider often remain at the registrar and cause Cloudflare's zone verification to fail.
To check for stale DS records:
dig DS yourdomain.comIf DS records are returned and you did not configure Cloudflare DNSSEC, these are stale records from your previous provider.
To remove stale DS records:
- Log in to your domain registrar's control panel.
- Find DNSSEC settings (may be under Advanced DNS or Security).
- Remove all existing DS records.
- Wait up to 24 hours for the DS removal to propagate.
After the stale DS records are removed and expire from cache, your Cloudflare zone will activate automatically. You can then turn on DNSSEC in the Cloudflare dashboard if needed.
For more information on DNSSEC configuration, refer to Configure DNSSEC and Troubleshoot DNSSEC.