Issues with DNSSEC has shutdown my website - again

Verisign says there are four DS records: three that aren’t Cloudflare, and one that is. My sites have only one. The Cloudflare one.

I’m no DNSSEC expert, but if there are conflicting DS records, it wouldn’t surprise me if this would cause some problems.

There’s nothing else we can assist with at this end. It’s purely a Bluehost issue they need to figure out.

1 Like

On chat with BH now.

I can add/delete new DS records but can’t delete/change the original 3 of BH

I’m asking them about SSL/TLS setting - I was on Full (strict) to confirm this was right
They had me switch to flexible but so far no effect

That has nothing to do with DNS and is a terrible idea for them to suggest. It opens a security hole for your site.

That’s no good, and I don’t know why they’d force that. Again, I’m no DNSSEC expert, but I can’t imagine that’s without issues.

Maybe another @MVP knows DNS and DNSSEC well enough and can say if multiple DS records are problematic.

2 Likes

As mentioned by @sdayman it leaves a security hole open for your site! It’s basically like digging a big hole in the ground, then not covering it! Sooner or later, you’ll fall through the hole! The same thing applies for your website, the flexible option is basicly the “hole” in the ground! If that’s too confusing, here’s a document below explaining on why you should choose Full (Strict), and only Full (Strict)

1 Like

But you have had or not, an DS and DNSKEY recrod at the DNS tab of Cloudflare dashboard? - I doubt you had it added (given from Bluehost).

Usually, the process is to enable DNSSEC at Cloudflare and provide all the needed information to your domain registrar.

I remember for one.eu TLD domain which have had bit “misconfigured” KSK <-> ZSK, but worked fine for few months.
Later on, DNSSEC got broken and I just had to disable it at Cloudflare dashboard.
The TLD registrar was a bit strange, due not accepting Algorithm 13 so they somehow managed to found a temporary workaround.

Does BlueHost interface have got some DNS management, or rather some DNSSEC option “enable/disable”?

Maybe you are trying to enable DNSSEC on a hosting interface, rather than the domain interface?
Which would mean, you might get DNSSEC enabled for hosting and somehow in between you are given the DS records which become active? and would somehow appear on your domain interface? - as the BlueHost is your web hosting provider and also your domain name registrar, correct?
In that case, you might want to add those records to the DNS tab of Cloudflare.

Again, I doubt this would work. And I would not advise you to do it that way.

I am sorry to hear this suggestion, but that’s really not a way to go with the SSL:

Currently I see:
No DS records found for mikeschaffnerphotography.com in the com zone

Which brings me tu guess scenarios:

  1. DNSSEC disabled at Cloudflare dashboard, but no DS record at domain interface of BlueHost
  2. DNSSEC enabled at Cloudflare dashboard, but no DS record at domain interface of Bluehost
  3. DNSSEC enabled at Cloudflare dashboard, DS record added, but not yet propagated

UPDATE: Isn’t your domain name registrar fastdomain.com rather than Bluehost?

Kindly, may I suggest looking into the similar topic from below, as the OP had issues with DNSSEC at BlueHost and help from their “support” was doing a bit wrong steps for their customer:

A post was merged into an existing topic: Page cache

Sorry for not responding sooner - I had to step out for a little while.

Before I left I did the following

  • reset SSL/TLS to Full (strict) “flexible” didn’t seem right and I appreciate everyone’s confirmation that Full(strict) is the one I need.
  • they wanted me to change the A record with the domain name to @ instead of the domain name. I tried that on CF and it would not accept it, so it remains with the domain name in the A record
  • I disabled DNSSEC on BH and CF
  • after all of that the site is back up and accessible but without DNSSEC

@fritex on the BlueHost site they show themselves as registrar. WHOIS indicates FastDomain Inc. is the registrar. All my dealings have been with only Bluehost including domain renewal. I don’t have access or an account with Fast Domain and they want money to establish one. It appears that everything has to be done through Bluehost

BH does have DNSSEC option to enable/disable which is what I’ve been using. There are only 3 options. Here is a screen shot

I leave the first 2 options DNSKEY and NSEC as shown and add a DS record using the information from CF.

It is interesting to not that the form shows " *No current DS records" However, when I enter the info from CF and enable there are 4 DS records. I only have the ability to add a new one or delete the one I created with the CF info - I can’t do anything with the other 3.

The issue @fritex referenced is exactly what I’m experiencing (I’m also on Comcast). However, I did test it when DNSSEC was enabled at my daughter’s house with different computer and internet provider and the site was down.

Is it correct I should only have 1 DS record and not 4?

Okay, thank you for feedback information.

Yes.

From the screenshot above, from what I do understand and as far as I see:

  1. I would you not click the button enable under the “DNSSEC Status” section, as I believe it would generate it’s own DS records (as it states) from hosting and add them to your domain on BlueHost, despite the Cloudflare - here is the trick I think.

  2. DS Records section is empty - okay, for now.

  3. Under Add Custom DS Records section:
    You only make sure Add Custom DS Records - here you enter the values from Cloudflare dashboard - > at Cloudflare dashboard you click “Enable DNSSEC” and wait for few secs, then you got Key Tag, Algorithm, Digest Type and Digest which you enter in the fields from above screenshots and verify the DS Record is having that one (from Cloudflare).

@fritex Yes that is what I’ve been doing. Once I get the Key Tag, Algorithm, Digest Type and Digest info from Cloudflare I enter it in the boxes shown in the screenshot then hit enable. Shortly after CF says DNSSEC is enabled as do verification sites such as Verisign. At that point everything works fine for a while but after a few hours my site is not reachable. If at that point I disable DNSSEC at both BH and CF the site becomes accessible again (but without DNSSEC)

At Bluehost interface? - do not.

Only “Add” after you enter the values, so they become present and shown later at the Bluehost interface under “DS records”.
Cloudflare then can verify if they exist and they should be okay.

Yes I was hitting enable after adding the values

No need.

From my understanding, it would create and generate “own” DS records (Alg13) - 3 of them and add them + you eneterd one more (fourth) from Cloudflare and you end up in a loop.

You do not want this, as Bluehost nameservers aren’t used for your domain name - you are using Cloudflare nameservers.

That’s because your hosting offers DNSSEC - as same as cPanel or ISPConfig offers this option too.

I only add the DS record given from Cloudflare (when I click Enable DNSSEC button at Cloudflare) at my domain registrar and done.

Therfore, wait for few hours or verify it later next day using online tool:

1 Like

I’ll try it

1 Like

I’ve added the information but did not hit enable and now it shows

Great! Well done for Bluehost interface.

Now we wait to see when Cloudflare recognizes this one for your domain name and we can verify it :slight_smile:

Just to confirm, at Cloudflare dashboard, under DNSSEC, you see “Pending” for it and notice it may take up to 10 minutes or longer, right?

Wow and now CF shows it active as does verisign - very misleading form from BH

1 Like

Yes, true.
Active and enabled as it should be.

Good job, well done! :slight_smile:

I can confirm it now using online tool as follows at the below screenshot:

1 Like

On BH with I refresh but not enable it shows

I would not worry for it now - wait for 24 hours if so, but DNSSEC option shouldn’t be enabled at BH interface.

If you want BH to use DNSSEC for your domain name, you would have to change your domain nameservers back to Bluehost - that’s not what we want if we want to use Cloudflare, right?

The DNSSEC should be enabled only at Cloudflare as far as Cloudflare signes your records, not the BH from now on.

Maybe some warning, but … who knows why exact :smiley:

1 Like