Could cancelling a DNSSEC request cause me to be locked out

I made some changes to my WordPress https://mikeschaffnerphotography.com setup (hosted on Bluehost with Cloudflare as CDN). It was working fine after the changes and then a little while after (1 - 2 hours later) I could no longer visit the site or log in to my WordPress dashboard. The error I get is:
“This site can’t be reached
Check if there is a typo in mikeschaffnerphotography.com.
If spelling is correct, try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN”

Strangely, I cannot access my site while on my network (Xfinity/Comcast) on either computer or mobile. However, when I turn wifi off on mobile I can reach the site but not my WordPress login https://mikeschaffnerphotography.com/wp-admin/. Perhaps this is because I’m not really seeing the “live” site but the cached site via CF’s “Always Online” option?

The changes I made are below starting with the one that seems most likely to be an issue.

  1. To improve security in Cloudflare I enabled DNSSEC. It gave me a number of settings that needed to be made on the Bluehost side before it would work. Looking at Bluehost I could not find anywhere to see or change settings for DNSSEC. I chatted with Bluehost support and they informed me that DNSSEC was already enabled on BH and gave me a link to a page that showed it enabled. The conclusion was that I would therefore not need to enable it on the CF side. They confirmed I could just cancel the request on CF, which I did. No settings were explicitly changed. After cancelling the request all functioned normally until a while later when it stopped.
  2. Over the past few days I was testing using HSTS. Yesterday I increased the MAX-AGE from 2 months to 1 year. Again, all functioned normally until a while later when it stopped. I don’t see how HSTS would cause this and in particular a MAX-AGE change shouldn’t.
  3. In trying to establish a Content Security Policy I established one in “report only” mode. Again, all functioned normally until a while later when it stopped. I have since commented this out in .htaccess so it is no longer active. However, this had no effect on being able to access my site, not that I really expected it would.

Any suggestions on what could be causing this?
Thanks for your help.
Mike

DNSSEC may be enabled at BH, but it’s not pointing at Cloudflare. Both ends of DNSSEC need to match, and yours does not. You’d have to disable DNSSEC at BH, or update it to use the DS record information that Cloudflare provides for that domain.

3 Likes
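As an added example (not code from the thread or from Cloudflare/Bluehost), this Python script shows the check behind that answer: the parent zone's DS record is derived from the child's DNSKEY, so a DS left at the registrar from an old key will never validate against the key Cloudflare actually serves. The owner name and both keys are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed placeholders, not the thread's real zone or any real key material.
OWNER = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13  # KSK flag, protocol 3, ECDSAP256SHA256
FAKE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()       # key CF serves now
OLD_PUBKEY_B64 = base64.b64encode(bytes(range(64, 128))).decode()   # key the stale DS came from

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, parent_ds) -> bool:
    """True if the DS at the parent (key_tag, algorithm, digest_type, digest_hex)
    was derived from this DNSKEY, i.e. both ends of the chain agree."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag, alg, dtype, digest = parent_ds
    return (key_tag(rdata) == tag and algorithm == alg
            and ds_digest(owner, rdata, dtype) == digest.upper())

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, FAKE_PUBKEY_B64)
    # The DS the DNS host should hand to the registrar for the key it serves:
    print(f"{OWNER} IN DS {key_tag(rdata)} {ALGORITHM} 2 {ds_digest(OWNER, rdata)}")
    # A DS still pointing at the old key does not match the new one:
    old = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, OLD_PUBKEY_B64)
    stale_ds = (key_tag(old), ALGORITHM, 2, ds_digest(OWNER, old))
    print("stale DS validates current key:",
          ds_matches(OWNER, FLAGS, PROTOCOL, ALGORITHM, FAKE_PUBKEY_B64, stale_ds))
```

Compare the printed DS line with what the registrar actually publishes (a DNSViz or Verisign DNSSEC Analyzer run shows the same mismatch as a broken chain).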

It’s interesting that it’s always been on at BH and never on at CF until I tried it yesterday. So it seems like that would be a mismatch but wasn’t causing a problem.

Based on your suggestions I disabled it at BH and then re-enabled it at BH without any changes or doing anything at CF. It now appears to be working. But I want to do more extended testing to make sure it “sticks”. At this point it is enabled at BH but not at CF. Does that mean it is really not doing anything until I enable it at CF and match the settings?

Thanks so much for your help. You’re a lifesaver.
Mike

2 Likes

Your DNSViz report, an analysis on https://dnssec-analyzer.verisignlabs.com/ and “Test if DNSSEC is enabled on your domain” all indicated that although DNSSEC was re-enabled on BH and the site was again accessible, it really wasn’t on DNSSEC. Once I enabled it on BH, then enabled it on CF and added the DS records from CF on BH, all 3 test sites show it on DNSSEC and the site is accessible.

Thanks again for the help. I thought I had killed my site and you brought it (and me) back from the brink of doom.

Mike

1 Like
