Issues with DNSSEC has shutdown my website - again

Yes I was hitting enable after adding the values

No need.

From my understanding, it would create and generate “own” DS records (Alg13) - 3 of them and add them + you entered one more (fourth) from Cloudflare and you end up in a loop.

You do not want this, as Bluehost nameservers aren’t used for your domain name - you are using Cloudflare nameservers.

That’s because your hosting offers DNSSEC - as same as cPanel or ISPConfig offers this option too.

I only add the DS record given from Cloudflare (when I click Enable DNSSEC button at Cloudflare) at my domain registrar and done.

Therefore, wait a few hours or verify it later next day using an online tool:

1 Like

I’ll try it

1 Like

I’ve added the information but did not hit enable and now it shows

Great! Well done for Bluehost interface.

Now we wait to see when Cloudflare recognizes this one for your domain name and we can verify it :slight_smile:

Just to confirm, at Cloudflare dashboard, under DNSSEC, you see “Pending” for it and notice it may take up to 10 minutes or longer, right?

Wow and now CF shows it active as does verisign - very misleading form from BH

1 Like

Yes, true.
Active and enabled as it should be.

Good job, well done! :slight_smile:

I can confirm it now using online tool as follows at the below screenshot:

1 Like

On BH when I refresh but do not enable it shows

I would not worry for it now - wait for 24 hours if so, but DNSSEC option shouldn’t be enabled at BH interface.

If you want BH to use DNSSEC for your domain name, you would have to change your domain nameservers back to Bluehost - that’s not what we want if we want to use Cloudflare, right?

The DNSSEC should be enabled only at Cloudflare as far as Cloudflare signs your records, not the BH from now on.

Maybe some warning, but … who knows why exact :smiley:

1 Like

Thank you very much. I’ll leave it as it is and see how it does. As I say it seems that BH has a very misleading approach. Based on past situation I should know in 2 to 5 hours if it works okay. I’ll keep you posted.

1 Like

Ummm…they should know those are both the same thing.

And now I’m reading the rest of the thread.

Yay for getting something to work.

Funny thing about some people’s DNS. For example, at Cloudflare, most domains won’t show CAA records (for restricting who can issue SSL/TLS certs). But if you add one CAA record, Cloudflare piles in a few others that you’ll need here. It won’t show up in your DNS screen.

It’s possible BH is doing the same for DS records.


Correct - I don’t want to put nameservers back to Bluehost as I want to use Cloudflare as my CDN


I agree - if all ok in 5 hours or so that’s encouraging but not definitive. I’ll wait a full 24 hours before declaring victory

2 Likes

I would wait the whole day too and give it some more time, to be sure :slight_smile:

1 Like

I just rechecked the DNSSEC status and got 2 warnings. Both read: “om/DS (alg 8, id 30909): The server appears to support DNS cookies but did not return a COOKIE option. (192.5.5.241, UDP_-_EDNS0_4096_D_KN)” Is this an issue? Screen shot of the DNSSEC authentication chain below?

From this one, this is above, it’s not related to your domain.
Rather, it could be even the servers from the tool checking for the DNSSEC chain.
By the IP it’s f.root-servers.net.
Maybe some old cached something, or something might not be working good at them in the moment of checking, or some other.
Not sure exactly now.

But, not related to your domain as I see its fine and signed - below chains.
The warning is at the upper root servers responsible for holding a .com TLD.
And Alg8 - NSEC used at them - while Cloudflare uses Alg13, so not even related to Cloudflare I think.

We could try to use dig command for the DS and the DNSKEY records for your domain using other servers via bash terminal, or some other online tool:

1 Like
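Following up on the dig suggestion above, here is an added example (not code from this thread or from Cloudflare/Bluehost) that does the DS-versus-DNSKEY check offline: it computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY and reports which DS records at the parent match none of the zone's keys, which is the "extra Bluehost DS entries" situation from this thread. The owner name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample, not a real key: flags 257 marks a KSK, protocol is always 3,
# algorithm 13 is ECDSAP256SHA256 (the algorithm Cloudflare signs with). The key
# bytes are made up for the example; a real P-256 public key is 64 bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = (257, 3, 13, bytes([0x00, 0x01, 0x02, 0x03]))


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the 'id' that dnsviz and DS records show."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, key, digest_type=2):
    """DS record (tag, alg, digest type, hex digest) for a DNSKEY; type 2 = SHA-256."""
    flags, protocol, algorithm, pubkey = key
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def stale_ds(parent_ds, owner, zone_keys):
    """Return the DS records at the parent that match none of the zone's DNSKEYs.

    A DS for a key the live zone (here, Cloudflare) does not hold is exactly what
    breaks the chain of trust; only SHA-256 (digest type 2) DS records are handled.
    """
    valid = set()
    for k in zone_keys:
        tag, alg, _, digest = make_ds(owner, k)
        valid.add((tag, alg, digest))
    return [ds for ds in parent_ds
            if ds[2] != 2 or (ds[0], ds[1], ds[3].upper()) not in valid]
```

To use it on a real domain, paste the `dig DS` output from the parent and the `dig DNSKEY` output from the zone (base64-decoding the key field) into the tuples above.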

That’s good news, thanks again.

It has now been 24+ hours and everything continues to look good! DNSSEC shows as enabled and the site is up and accessible. Even the warnings that showed up on dnsvis.net have gone away. I’m going to wait until the 48 hour mark to declare full victory and mark it as solved but things look very good.

Based upon what we did I think I now understand (albeit at a rudimentary level) the logic of the setup.

DNSSEC designed to secure the DNS info naturally has to be set up the Name Servers which in my case were on Cloudflare. By enabling both Bluehost and Cloudflare I was trying to do it to two different sets of Name Servers of which one set (on Bluehost) didn’t really exist. Sounds like a real good scenario for conflict that could kill the whole operation.

In addition, since the way I was originally doing it was enabling DNSSEC in Bluehost, I was adding a DS record that said Cloudflare was the authoritative source to DS records that said Bluehost was the authoritative source. Again, a good source of conflict.

What fooled me was seeing an “Enable” option on both Bluehost and Cloudflare and it led me to think that they both needed to be enabled to work together. Once that perception was planted it took awhile to consider the correct logic. In reality I needed to choose and only select one. Specifically, only enabling where the Name Servers were.

My ignorance is no excuse and the issues were my fault. However, I do have to say both Bluehost and Cloudflare could have explained it better. A couple of extra sentences is all that it would have taken. One company being the host and another being the CDN is certainly not unusual and they should explain how to handle that common situation. I also know that Bluehost “knows” Cloudflare has the Name Servers as it is shown in their records which means when I chatted with Bluehost support they should have been aware of this and how to set up DNSSEC in that scenario.

Does this make any sense?

Again, thanks for the help. Hopefully I’ll be back in another 24 hours with the good news.

1 Like

I’m ecstatic to report that we’ve reached the 48 hour mark and the site is up and DNSSEC is enabled. What a relief. I’m hereby declaring victory and will mark this issue as “SOLVED”!

Thanks to @sdayman @AppleSlayer @fritex for your help, your understanding, your willingness to help and most importantly, your patience. I truly appreciate it.

3 Likes

It’s a Festivus Miracle!

3 Likes

LOL - I needed one!

1 Like