DNSSEC bug. Some users cannot access the site. DNSSEC disabled, but DNSSEC records not deleted!

I mistakenly clicked on enable DNSSEC. My registrar does not support DNSSEC. I clicked to disable DNSSEC.

I cannot disable DNSSEC, because after disabling it, the DNSSEC records are not deleted (DNSKEY, etc.). Some users cannot access the site. I deleted the domain from my account, then I added the domain again, but the DNSSEC records were not deleted.

Please make the DNSSEC records get removed when you click to disable DNSSEC!

Enabling DNSSEC on Cloudflare does not, by itself, have much effect.

Until DS records are added at the TLD – by adding them at your registrar, or sometimes automatically after a few days – resolvers won’t try to validate your domain.

Even if they did, it would be valid.

Removing DNSSEC records instantly would likely cause problems more often than it solves them, since people disabling DNSSEC might click the button while some resolvers have their old DS record cached.

What’s your domain? What exactly is going wrong?

If people can’t access your domain because of some DNSSEC records on Cloudflare, their resolvers are super broken and there are, like, millions of domains they can’t access.

That’s completely unreasonable and standards-violating behavior for a resolver. If it’s a bug, it’s serious and needs to be fixed. If instead the resolvers are intentionally preventing themselves from resolving millions of compliant domains (to be fair, most of them are probably parked) by violating basic tenets of the standards they’re claiming to implement, I’m not sure authoritative DNS operators should change or complicate their own systems to try to stop them.

It’s possible something else is going on, and someone misunderstood what the issue is, and there really is a bug with Cloudflare or the TLD – or just something unfortunate cached if you recently did have DS records – but if this is really what’s happening, the resolvers are doing something very bad.

Can they resolve other domains with the same configuration, like https://Cloudflarestream.com/ or https://www.quad9.net/?

Betraying my own argument, I’d like it if Cloudflare had more granular DNSSEC controls, but that doesn’t mean it’s a good investment of engineering resources, or risk of confusion for users.

I don’t want to believe that there are a substantial number of resolvers that broken. :anguished:
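
The rule discussed in the replies above (no DS at the TLD means resolvers do not validate; a DS with no matching DNSKEY means validation fails) can be modelled offline. This is an added example, not part of the thread and not Cloudflare's or any resolver's code; the zone name, the dummy key bytes and all function names are assumptions made for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner, parent_ds, child_dnskeys):
    """Classify the DS -> DNSKEY link only; RRSIG checks are out of scope.
    Assumption: every DS uses digest type 2 (SHA-256)."""
    if not parent_ds:
        # No DS at the TLD: resolvers treat the zone as unsigned and
        # never look at the DNSKEY/RRSIG records the DNS host publishes.
        return "insecure"
    for ds in parent_ds:
        if any(make_ds(owner, k) == (ds[0], ds[1], ds[2], ds[3].lower())
               for k in child_dnskeys):
            return "chain-ok"
    # DS still published (or cached) but no DNSKEY matches it:
    # validating resolvers return SERVFAIL.
    return "bogus"

# Constructed sample: placeholder zone name and a dummy 64-byte key (not a real key).
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))

def scenarios():
    ds = make_ds(ZONE, KSK)
    return {
        "signed at DNS host, no DS at registrar": delegation_state(ZONE, [], [KSK]),
        "DS at registrar matches DNSKEY": delegation_state(ZONE, [ds], [KSK]),
        "DNSKEY removed while DS remains": delegation_state(ZONE, [ds], []),
    }

if __name__ == "__main__":
    for label, state in scenarios().items():
        print(f"{state:9} {label}")
```

On a live domain, the two inputs correspond to the DS RRset served by the parent zone and the DNSKEY RRset served by the zone's own nameservers.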
