Okay, it has now been 7.5 hours since I followed Bluehost’s support instruction that brought the site back up and DNSSEC was re-tried, and the site is down again.
CF and all 3 verification sites show DNSSEC as still up and working. However, the site is down.
To recap from last night
The starting point:
- Site was down
- DNSSEC was disabled on CF
- DNSSEC was enabled on BH but the custom DS record from CF was deleted
(Note: the DNSSEC settings were mismatched, as they were what I had for nearly a year with the site running ok).
Instructions for BH
- Switch the DNSSEC on BH to disabled
- Site came up
- went through the process again
- enabled on CF
- enabled and entered custom DS record on BH
- site was up
- verification sites confirmed DNSSEC is enabled
7.5 hours later
- site is down
- verification sites confirmed DNSSEC is still enabled
As mentioned by @sdayman, it leaves a security hole open for your site! It’s basically like digging a big hole in the ground, then not covering it! Sooner or later, you’ll fall through the hole! The same thing applies to your website; the Flexible option is basically the “hole” in the ground! If that’s too confusing, here’s a document below explaining why you should choose Full (Strict), and only Full (Strict)
But have you had a DS and DNSKEY record at the DNS tab of the Cloudflare dashboard or not? - I doubt you had it added (given from Bluehost).
Usually, the process is to enable DNSSEC at Cloudflare and provide all the needed information to your domain registrar.
I remember one .eu TLD domain which had a bit “misconfigured” KSK <-> ZSK, but worked fine for a few months.
Later on, DNSSEC got broken and I just had to disable it at the Cloudflare dashboard.
The TLD registrar was a bit strange, due to not accepting Algorithm 13, so they somehow managed to find a temporary workaround.
Does the BlueHost interface have some DNS management, or rather some DNSSEC “enable/disable” option?
Maybe you are trying to enable DNSSEC on a hosting interface, rather than the domain interface?
Which would mean you might get DNSSEC enabled for hosting, and somehow in between you are given the DS records which become active and would somehow appear on your domain interface? - as BlueHost is your web hosting provider and also your domain name registrar, correct?
In that case, you might want to add those records to the DNS tab of Cloudflare.
Again, I doubt this would work. And I would not advise you to do it that way.
I am sorry to hear this suggestion, but that’s really not the way to go with SSL:
Currently I see: No DS records found for mikeschaffnerphotography.com in the com zone
Which brings me to guess scenarios:
DNSSEC disabled at Cloudflare dashboard, but no DS record at domain interface of BlueHost
DNSSEC enabled at Cloudflare dashboard, but no DS record at domain interface of Bluehost
DNSSEC enabled at Cloudflare dashboard, DS record added, but not yet propagated
UPDATE: Isn’t your domain name registrar fastdomain.com rather than Bluehost?
Kindly, may I suggest looking into the similar topic below, as the OP had issues with DNSSEC at BlueHost and the help from their “support” was doing a bit wrong steps for their customer:
Sorry for not responding sooner - I had to step out for a little while.
Before I left I did the following
reset SSL/TLS to Full (strict). “Flexible” didn’t seem right and I appreciate everyone’s confirmation that Full (strict) is the one I need.
they wanted me to change the A record with the domain name to @ instead of the domain name. I tried that on CF and it would not accept it, so it remains with the domain name in the A record.
I disabled DNSSEC on BH and CF
after all of that the site is back up and accessible but without DNSSEC
@fritex on the BlueHost site they show themselves as registrar. WHOIS indicates FastDomain Inc. is the registrar. All my dealings have been with only Bluehost including domain renewal. I don’t have access or an account with Fast Domain and they want money to establish one. It appears that everything has to be done through Bluehost
BH does have DNSSEC option to enable/disable which is what I’ve been using. There are only 3 options. Here is a screen shot
I leave the first 2 options DNSKEY and NSEC as shown and add a DS record using the information from CF.
It is interesting to note that the form shows " *No current DS records". However, when I enter the info from CF and enable, there are 4 DS records. I only have the ability to add a new one or delete the one I created with the CF info - I can’t do anything with the other 3.
The issue @fritex referenced is exactly what I’m experiencing (I’m also on Comcast). However, I did test it when DNSSEC was enabled at my daughter’s house with different computer and internet provider and the site was down.
Is it correct I should only have 1 DS record and not 4?
From the screenshot above, from what I do understand and as far as I see:
I would not click the Enable button under the “DNSSEC Status” section, as I believe it would generate its own DS records (as it states) from hosting and add them to your domain on BlueHost, despite Cloudflare - here is the trick, I think.
DS Records section is empty - okay, for now.
Under Add Custom DS Records section:
You only make sure of the Add Custom DS Records section - here you enter the values from the Cloudflare dashboard -> at the Cloudflare dashboard you click “Enable DNSSEC” and wait a few secs, then you get Key Tag, Algorithm, Digest Type and Digest, which you enter in the fields from the above screenshots, and verify the DS Record is the one from Cloudflare.
@fritex Yes that is what I’ve been doing. Once I get the Key Tag, Algorithm, Digest Type and Digest info from Cloudflare I enter it in the boxes shown in the screenshot then hit enable. Shortly after CF says DNSSEC is enabled as do verification sites such as Verisign. At that point everything works fine for a while but after a few hours my site is not reachable. If at that point I disable DNSSEC at both BH and CF the site becomes accessible again (but without DNSSEC)
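The check behind the advice in this thread is whether the DS record published at the parent (the .com zone, via the registrar) actually matches the DNSKEY that Cloudflare serves. Below is an added example, not code from the thread, Cloudflare or Bluehost, that implements the RFC 4034 key tag and DS digest (digest type 2, SHA-256) computation and reports which parent DS entries match the zone's keys and which are orphaned. The DNSKEY bytes and the extra "registrar-generated" DS entries are constructed placeholders, not real keys; the owner name is used only as a label.

```python
"""
Added example (not from the original thread): compute the DS record a
DNSKEY should produce and compare it with what the parent publishes.
All key material below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSA P-256/SHA-256, what Cloudflare uses
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # upper-case hex, as shown in the Cloudflare dashboard


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased, length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: digest = H(owner name | DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata = key.rdata()
    digest = hashlib.sha256(wire_name(name) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def parse_ds(text: str) -> DS:
    """Parse 'KeyTag Algorithm DigestType Digest' as a registrar form shows it."""
    tag, alg, dtype, *digest = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def check_chain(name: str, dnskeys: list, parent_ds: list) -> dict:
    """Split the parent's DS set into entries that match a DNSKEY and orphans.

    A validating resolver needs at least one matching DS; orphaned entries
    are ignored, but with zero matches the zone is bogus and lookups SERVFAIL.
    """
    expected = {ds_from_dnskey(name, k) for k in dnskeys}
    matching = [ds for ds in parent_ds if ds in expected]
    orphaned = [ds for ds in parent_ds if ds not in expected]
    return {"secure": bool(matching), "matching": matching, "orphaned": orphaned}


# Constructed sample: a 64-byte P-256 public key placeholder (not a real key).
ZONE = "example.com."
CF_KSK = DNSKEY(257, 3, 13, bytes(range(1, 65)))
CF_DS = ds_from_dnskey(ZONE, CF_KSK)

# Constructed placeholders standing in for DS entries the registrar's own
# "Enable" button added from hosting keys that Cloudflare never serves.
HOSTING_DS = [
    parse_ds("12345 13 2 " + "A" * 64),
    parse_ds("23456 13 2 " + "B" * 64),
]


def scenario_with_custom_ds() -> dict:
    """Custom DS from Cloudflare present alongside hosting DS: still secure."""
    return check_chain(ZONE, [CF_KSK], [CF_DS] + HOSTING_DS)


def scenario_custom_ds_removed() -> dict:
    """Only the hosting DS entries remain: no match, zone goes bogus."""
    return check_chain(ZONE, [CF_KSK], HOSTING_DS)


if __name__ == "__main__":
    print("DS to give the registrar:", CF_DS)
    for s in (scenario_with_custom_ds, scenario_custom_ds_removed):
        r = s()
        print(f"{s.__name__}: secure={r['secure']} "
              f"matching={len(r['matching'])} orphaned={len(r['orphaned'])}")
```

To apply this to a live zone, feed `check_chain` the DNSKEY RRset from Cloudflare's nameservers and the DS RRset from the .com servers (for example from `dig DNSKEY` and `dig DS` output); if the DS set contains only entries that match no DNSKEY, that is the failure mode the thread describes, where the site resolves fine on non-validating resolvers and SERVFAILs on validating ones.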