[DNSSEC] CF does not delete DNSKEY record after disabling DNSSEC

Hi there! It seems, I facing issue similar to this:

TL;DR: I wanted to enable DNSSEC on my site, so I pressed “enable DNSSEC” button.
Then I found that TLD of my domain (.im) does not support DNSSEC, so I disabled DNSSEC by pressing “Cancel DNSSEC” button on CF.
But DNSKEY records are still on CF’s NSes after a 20+ hours.

This leads to resolving failures of my domain on, for example, systemd-resolved (systemd’s stub resolver): it sees DNSKEY on the domain and assumes it is DNSSEC-powered, but then it can’t find any other DNSSEC things and throws a failure.

Isn’t it any way to force CF to remove DNSKEY records?

P.S. systemd’s relevant issue ended with conclusion “it behaves correctly”: DNSSEC validation should not fail for TLDs without DS records · Issue #9840 · systemd/systemd · GitHub

Sorry for the trouble, @user5751, if you’re still having issues with this, can you contact Support and ask them to assist with removing these records?

To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. Please give Support the complete details and link to your Community post and share the ticket number here.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

FWIW this is a known issue. In the meantime, please use API to delete the DNSKEY: Cloudflare API v4 Documentation