This is a follow-up to an earlier post about issues with implementing DNSSEC that was discussed in this forum: https://community.cloudflare.com/t/could-cancelling-a-dnssec-request-cause-me-to-be-locked-out/337807 . Through that post, SDAYMAN got me on the right track in implementing DNSSEC.
After doing a backup restore on my WordPress site (https://mikeschaffnerphotography.com) yesterday, I got it operational again, back to the initial status. Specifically, DNSSEC was shown as enabled on my hosting provider, Blue Host (BH), but not on Cloudflare (CF). The site was operational and accessible but truly not on DNSSEC, as verified by 3 sources: https://dnssec-analyzer.verisignlabs.com/ , https://gf.dev/dnssec-test and https://dnsviz.net/ . After reloading the cache by viewing the various pages, all remained accessible overnight (12-plus hours).
As the site seemed stable, I re-tried enabling DNSSEC on CF. I hit the enable button on CF, got the necessary information, and updated the DS records and added them to the Blue Host settings.
A few moments later, CF indicated that DNSSEC was successfully enabled. I also verified on the 3 sites noted above. All showed as now having DNSSEC enabled.
For a period of about 2 hours after doing this the site remained up, stable and fully accessible. Sometime between 2 and 5 hours after enabling DNSSEC the site became completely inaccessible. This was both the site itself and the WordPress admin dashboard.
At this point, I disabled DNSSEC on CF and removed the DS record from the DS settings on BH. CF indicated that DNSSEC was not enabled as did the 3 verification sites.
After disabling DNSSEC I waited over 6.5 hours before taking action. My thoughts were this might be all caused by DNS propagation issues and I wanted to give sufficient time.
I did a restore from backup, cleared the cache on BH and CF. When clearing the cache on BH I saw a notice that said “Please redirect your DNS mikeschaffnerphotography.com A records are not pointing to Bluehost. To fix this, please log in to the DNS provider associated with this domain. Then redirect your A record to point to Bluehost IP: xxx.xxx.xxx.xx” However, the IP address matches the A record on CF.
Is DNS propagation the cause for the delayed effect?
What would cause BH to believe that the A record on CF is not pointing to them when it really is?
Other CF settings that may or may not come into play are:
- Full (strict) SSL/TLS
- Always Use HTTPS
- HSTS enabled
- Minimum TLS 1.2
- Opportunistic encryption enabled
- TLS 1.3 enabled
- Automatic HTTPS Rewrites enabled
At this point my site is still down and inaccessible. Any ideas on how to get it back and what I may have done incorrectly in establishing DNSSEC? Thanks for your help.
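One check worth running when a zone stops resolving a few hours after DS records are copied from one provider to another is whether the DS published at the parent (the registrar side) was actually derived from the DNSKEY the zone serves; a mismatch only bites once the parent's cached records expire, which looks like "propagation delay". The code below is an added example and is not from the original post or from Cloudflare or Bluehost; it implements the RFC 4034 key tag and SHA-256 DS digest over a constructed sample key (the key bytes, owner name and DS values are made up for the demonstration).

```python
"""Check that a DS record published at the parent matches the DNSKEY the child
zone actually serves (RFC 4034 wire formats). Added example, not the post's code.
Sample key and names below are constructed for illustration."""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest_hex: str


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> DS:
    """DS with digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, 2, digest)


def parse_ds(text: str) -> DS:
    """Parse presentation format 'key_tag algorithm digest_type hex' as shown in registrar UIs."""
    tag, alg, dtype, *hex_parts = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(hex_parts).lower())


def ds_matches_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                      key_b64: str, published: DS) -> bool:
    """True only if the DS at the parent was derived from this exact DNSKEY.
    A stale or mistyped DS makes validating resolvers SERVFAIL once caches expire."""
    if published.digest_type != 2:
        return False  # only SHA-256 (type 2) is handled in this example
    return make_ds(owner, flags, protocol, algorithm, key_b64) == published
```

Feed it the DNSKEY returned by `dig DNSKEY <zone>` and the DS shown in the registrar's DNSSEC settings; if it returns False, the two providers are describing different keys.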