How to Delete Extra DS Records on Bluehost to Enable DNSSEC without Comcast Error


After enabling DNSSEC on my registrar (Bluehost) and then on Cloudflare, my website is not reachable over the Comcast network . (Chrome browser shows “DNS_PROBE_FINISHED_NXDOMAIN").

I confirmed this both by connecting to my own Comcast network at home and to the Comcast internet at my friend’s house. In both cases, the website is NOT reachable over any devices. When I switch to using data on my phone or using the internet at my work, then the website IS reachable on all devices.

I learned from another post that the problem is most likely that I have four DS records on Bluehost when I should have only one. The recommendation was that I remove the additional and invalid DS records from my registrar to fix the problem.

Unfortunately, the first 3 DS records are auto populated by Bluehost and have no obvious way to remove or delete them. I am only able to remove the DS record that I added for Cloudflare, which I would like to keep.

I contacted Bluehost and talked to them over the phone, but they could not find any way on their end to remove the extra records. They were not able to give me any further assistance.

I have since disabled DNSSEC so that my website will work until I can solve this problem, but I would like to be able to use it if possible.

Does anyone know how to fix this issue?

Thank you.

I am afraid that’s really a question for your host rather than here. Respectively actually for your registrar, but I assume that’s the same.

My guess would be because DNSSEC is enabled and they will provide their own records in that case, but that’s just a guess. You really need to ask them, that’s not Cloudflare related.

1 Like

Currently you don’t have any DS records set up, so you should be good by just adding the Cloudflare specific record.

Hi Sandro,

Yes, that’s why I called them first, but they weren’t able to help me and directed me back to Cloudflare. Seems I’m in an endless loop…

Thanks anyway!

Also, when I go to add the Cloudflare DS record to enable DNSSEC it auto populates the Bluehost records, so it doesn’t make any difference that there aren’t any DS records atm.

I suggest that you click that “Disable” button to remove DNSSEC from your registrar. That will null out any effects of DNSSEC.

1 Like

I already disabled DNSSEC. Unfortunately, there is no way to use it on Cloudflare without enabling it on Bluehost. In order to use DNSSEC in the future, I need to know how to delete the extra DS records.

Correct. It does need to be set at both ends. But if the Bluehost end is broken, there’s nothing Cloudflare can do to fix that.

I am afraid that was bad advice as Cloudflare can’t do anything. All they can do is provide the right values, which they already did. Setting them is something you need to do on your registrar’s side.

Maybe transfer the domain to another registrar.

1 Like

I understand that Cloudflare can’t fix this problem, since it really has to do with Bluehost. I was just hoping someone on the forum might be using both Cloudflare and Bluehost and have figured out this problem in the past. :woman_shrugging:

Hi Kristel,

This is awful. I was in a similar situation. It’s really hard to make the support people understand the problem we’re trying to solve. I used to have a tech support literally told me the UI isn’t working, use the API to delete a server(I was trying to delete a server in my case).

My lesson is that even you can figured out this situation, other things will happen down the line. So seriously consider transfer the domain to namecheap for example. Namecheap has great support for DNSSEC.

Thanks for the sympathy, Hanami! It is a frustrating situation. I’ve already prepaid my host for a while so I may be stuck until I can switch hosts. Live and learn!

Whenever you transfer a domain to a new registrar you have to pay for one years extension on the existing registration. You do not lose any time. (Provided the total remaining time is no longer than 10 years).

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.