Site down after cloudflare DNSSEC

My site ettgottliv.com is down and the support at Hostinger is not very helpful. Advised to set to flexible and remove htaccess…

I don't understand the problem, A and NS records are fully propagated but not AAAA

DNSSEC is enabled and ok on Cloudflare
dnssec-analyzer is ok

DNSVIZ gives errors https://dnsviz.net/d/ettgottliv.com/dnssec/

It worked for about 24 hours after it was enabled but stopped working this morning.

Any ideas or more info I can give to hostinger support please?

Bad advice. That should be Full strict and you need a certificate on your server. If you don’t have that talk to your host or change your host.

Your DNSSEC configuration looks a bit off, however should be generally working. The issue you have is a redirection loop which is most likely because of your host’s bad advice to disable SSL. Switch to “Full strict” again and check if it works and make sure you have a certificate on your server.

Site has certificate set, set to full strict now which gives 521 error

Then I suggest you start with Community Tip - Fixing Error 521: Web server is down.

Assuming your server IP address ends in 24, it does seem as if there is a certificate. So keep it on “Full strict”.

The reason for the 521 will be most likely that your host is blocking Cloudflare’s connections. They need to whitelist them on their server and fix that. Nothing Cloudflare can do here, I am afraid.

Yea, allowed all IPs but it didn't do anything.
Kind of pissed off over this answer:
" If flexible setting gives you redirect error you might as well try disabling your .htaccess as it can have redirects as well!
Usually 52x errors are caused when Full encryption is being used on Cloudflare side. If for example you would be using Cloudflare from our side you would be able to use Full setting without any issues in this case!
I’m truly sorry if it's causing any inconveniences for you !" Just trying to sell me stuff that is free…

I wrote back:
" Yea, well, it works perfectly on my other sites.

Cloudflare is running good.

The reason for the redirect error is probably from the bad advice to remove encryption.

As Cloudflare community support says:

"

Assuming your server IP address ends in 24, it does seem as if there is a certificate. So keep it on “Full strict”.

The reason for the 521 will be most likely that your host is blocking Cloudflare’s connections. They need to whitelist them on their server and fix that. Nothing Cloudflare can do here, I am afraid."

All redirects are gone from htaccess and I have whitelisted all IPs from Cloudflare but it is not working.

If you can't resolve the issue the next step would be to remove the DS record and get everything working properly without DNSSEC."

That does not seem to be a DNSSEC issue but simply that your webserver does not accept connections from Cloudflare on port 443. Your host needs to check that.

.htaccess is completely unrelated to that as well.

Reply from hostinger:
" I truly understand your concern!
I must mention that Full encryption will only work properly if you are using Cloudflare from our side, otherwise Flexible setting is recommended. I have added one extra Cloudflare certificate for you so you will be able to set up Cloudflare from our side! 🙂
I have also added your IP address along with your domain name to my hosts file as guided [HERE] and website is working flawlessly:

Which indicates that hosting server is running just fine and initial issue lies on Cloudflare.com side.

I can proceed to remove DNSSEC record and you will be able to point your domain to our nameservers and set up Cloudflare from our side as well! 🙂

How does that sound? "

Which they of course charge for, however I have set up three other sites the same way, issues at first but they all worked in the end.

Their response is simply wrong. If they did not block Cloudflare the connection would simply go through.

The issue here is Cloudflare cannot connect to them because they seemingly block it. As I said earlier this is something only your host can fix.

If your host does not want to assist I’d strongly recommend to switch to a more competent host.

Well, it seems they really wanted it fixed so they gave me their Cloudflare module upgrade for free, just have to start over with the setup 🙂

As long as Flexible is not involved the site should be secure.

Well, of course it didn't work; well, everything except DNSSEC works.
But Hostinger needs DS records from Cloudflare and with the setup from Hostinger the DNS page only shows that Hostinger manages it. Hostinger's reply was basically that they can't do it. Is it not so that they are required by ICANN to fix this?

Just provide them with the values from the Cloudflare dashboard.

the only thing on the DNS page is this:

Partner hosted zone

Your DNS zone file is hosted by Hostinger , a Cloudflare partner. Manage your DNS records at their website.

In that case the domain is with them in the first place. That’s something only for them to fix.

Yea, I'm giving up now.
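
Added example, not part of the thread: one way to test the "allowed all IPs" step discussed above is to compare the origin's firewall allowlist against Cloudflare's IPv4 ranges and to pick Cloudflare addresses out of denied connections. The range list is a snapshot of https://www.cloudflare.com/ips-v4, and the allowlist, denied addresses and function names are constructed for illustration.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (authoritative list, which
# can change: https://www.cloudflare.com/ips-v4). Refresh before relying on it.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]


def uncovered_ranges(allowlist):
    """Return the Cloudflare ranges the allowlist does not fully cover."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    # Merge adjacent or overlapping entries so two /14s can satisfy one /13.
    merged = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    return [str(cf) for cf in CF_NETS
            if not any(cf.subnet_of(m) for m in merged)]


def is_cloudflare(ip):
    """True if the address belongs to one of the snapshot ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in cf for cf in CF_NETS)


def blocked_cloudflare_sources(denied_ips):
    """Unique denied source addresses that are Cloudflare edge addresses."""
    return sorted({ip for ip in denied_ips if is_cloudflare(ip)})


# Constructed sample data: an incomplete allowlist and firewall-denied sources.
SAMPLE_ALLOWLIST = ["173.245.48.0/20", "104.16.0.0/14", "104.20.0.0/14",
                    "162.158.0.0/16", "203.0.113.0/24"]
SAMPLE_DENIED = ["172.67.1.1", "203.0.113.7", "162.159.10.20", "172.67.1.1"]

if __name__ == "__main__":
    print("Not fully allowed:", uncovered_ranges(SAMPLE_ALLOWLIST))
    print("Denied Cloudflare sources:", blocked_cloudflare_sources(SAMPLE_DENIED))
```

Any range reported as not fully allowed, or any Cloudflare address among the denied sources, is consistent with the origin refusing Cloudflare on port 443 and returning a 521.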
