DNS resolution issue with new Nameservers

I recently moved my site https://phoenixhq.space from one Cloudflare account to another; both were never on a paid tier.

After the transfer, my DNS is not working.
Initially, with the hugh and mckenzie ns, my CNAMEs weren’t resolving, so I deleted the site from this new account and added the site again with all the same records (import and export), and now neither A records nor CNAME records are resolving.

My CNAME setting shows only one option, flatten cname at apex and
I’ve tried setting the ssl to full, full(strict) and none,
changing the automatic HTTPS rewrites and
toggling always use https but to no avail.

It’s been over 48, close to 72 hrs, moving the DNS around (same records) and
I’d appreciate any help regarding why my site just shows NXDOMAIN in browser and SERVFAIL in nslookup both for http and https
I’ve tried using multiple dns resolvers like google and cloudflare dns from nslookup as well.

These issues didn’t happen with Ivan and Joan ns, and don’t happen with other cloudflare sites I maintain with ivan and joan as ns right now.

DNSSEC was enabled in the previous zone. You should change the nameservers back, delete the DNSSEC entries at the registrar and then, when that cache has cleared, move to the new nameservers.


Thanks @cscharff,
Initially ns were at ivan and joan (this could have dnssec enabled as you pointed out)
then moved to hugh and mckenzie (this surely didn’t have dnssec enabled)
currently at lara and theo (all cloudflare ns)

How do I move back to ivan and joan as cloudflare automatically issues these at the time of site addition?

This is the current dnssec resolution analysis, I don’t understand dnssec well, so really appreciate your help.

If you don’t have access to where the current zone is in Cloudflare with the old nameservers then you can’t execute that step and will need to remove the DNSSEC at the registrar and just wait it out.


Thanks a lot, dnssec never popped in my mind.
I’ve deleted the dnssec entries from my registrar and am requesting their support to flush the cache.
Will update once it’s resolved.


This is now resolved.
I should have turned off dnssec before switching zones (don’t forget this if you’re switching nameservers within cloudflare or moving to another cloudflare account or changing DNS providers), would have saved a lot of pain.

If you however do forget and end up here, follow these steps:

  1. Delete the DNSSEC entries from your registrar, where you’ve added the CF nameservers.
  2. Reach out to their support to explore options, Spaceship raised a ticket and updated my records in mins.
  3. Reenable dnssec, for some reason, only after I did this in the new CF zone and updated records with spaceship my resolutions started working normally, could be user specific though.
  4. If your Universal SSL is still pending, turn off auto https rewrites and always use https, pause cloudflare for the site. (move to full-strict and reenable cloudflare protection after your universal cert is active) this also could be a user-specific tip, helped me, ymmv.

Thanks to CF community for the prompt help.


Yeah my minor revision to feedback based on experience is …

If possible disable DNSSEC 48 hours before the planned nameserver move. The DNSSEC entries are likely still cached by some recursive resolvers (registrar can’t force a purge on upstream resolvers for better or worse).

Use the 48 hours to triple check all of the DNS entries needed exist in the new zone and have the right proxy status.

If you really, really, really need SSL to be available as soon as the NS changes take effect, a business or ent plan with a certificate uploaded by you in advance is the only way to avoid the delay in SSL issuance. Otherwise turning off/on universal SSL 1-2 mins after updating the nameservers at the registrar and forcing a recheck of zone status is probably not a horrible idea.
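
The failure discussed in this thread, as an added example that is not part of any post above and is not Cloudflare's or the registrar's tooling: a DS record left at the registrar is a hash of the old zone's DNSKEY, so it cannot match the key the new nameservers serve. The sketch checks only that DS-to-DNSKEY link using SHA-256 (digest type 2) DS records; the zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) DNS wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_move(owner, parent_ds, new_zone_keys):
    """Classify the delegation the way a validating resolver would see it."""
    if not parent_ds:
        return "insecure"   # no DS at the registrar: resolves, unsigned
    served = {ds_for(owner, k) for k in new_zone_keys}
    wanted = {(t, a, dt, d.lower()) for t, a, dt, d in parent_ds}
    if wanted & served:
        return "secure"     # a DS matches a key the new zone serves
    return "bogus"          # stale DS: validating resolvers answer SERVFAIL

# Constructed sample data, not real keys: algorithm 13 key material is 64 bytes.
ZONE = "example.com."
OLD_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))        # old account's KSK
NEW_KEY = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))   # new account's KSK
STALE_DS = [ds_for(ZONE, OLD_KEY)]                          # still at registrar

if __name__ == "__main__":
    print("right after the move:   ", check_move(ZONE, STALE_DS, [NEW_KEY]))
    print("DS removed at registrar:", check_move(ZONE, [], [NEW_KEY]))
    print("DS re-added for new key:", check_move(ZONE, [ds_for(ZONE, NEW_KEY)], [NEW_KEY]))
```

Resolvers that cached the old DS keep treating the zone as bogus until that cache entry expires, even after the registrar entry is deleted.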

