Hi there! It seems, I facing issue similar to this:
TL;DR: I wanted to enable DNSSEC on my site, so I pressed “enable DNSSEC” button.
Then I found that TLD of my domain (.im) does not support DNSSEC, so I disabled DNSSEC by pressing “Cancel DNSSEC” button on CF.
But DNSKEY records are still on CF’s NSes after a 20+ hours.
This leads to resolving failures of my domain on, for example, systemd-resolved (systemd’s stub resolver): it sees DNSKEY on the domain and assumes it is DNSSEC-powered, but then it can’t find any other DNSSEC things and throws a failure.
Isn’t it any way to force CF to remove DNSKEY records?
P.S. systemd’s relevant issue ended with conclusion “it behaves correctly”: https://github.com/systemd/systemd/issues/9840