Site not reachable over Comcast network after enabling DNSSEC

Hello,
After enabling DNSSEC yesterday on my registrar (Bluehost) and then on Cloudflare, my website is not reachable over the Comcast network. (The browser shows “This site can’t be reached”, ERR_NAME_NOT_RESOLVED.)

I confirmed this both by connecting to my own Comcast network at home, and to the public xfinitywifi network. In both cases, the website is NOT reachable on any device.

When I switch to using cellular on my phone and to using Google Public DNS on multiple devices (even still using the Comcast internet connection), then the website IS reachable. So it appears to me to be something to do with Comcast DNS resolution.

Anybody run into this issue before and know how to fix it please?
Thank you.

You have four DS records at your registrar when you should have only one.

Remove the additional and invalid DS records from your registrar and that should fix it.


Talking to bluehost right now to try to remove the records. They say:
“I see the domain nameserver is pointing to the CloudFlare so to remove the DNSSEC records you will need to remove the records on their end.”
Is this correct? I am trying to manage the DS records here (Web Hosting, Domain Names, E-commerce - Bluehost) but there is no option to delete the three invalid records.

You might also want to change host if this is what your host said :slight_smile:

DS records are set at the registry by the registrar. Cloudflare can’t do anything here. Your DNSSEC setup will be broken as long as you can’t get rid of these invalid DS records.

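A way to tell which DS records at the registry correspond to a key the zone actually publishes, as an added example that is not part of the original thread: it recomputes the key tag and SHA-256 DS digest from each DNSKEY (RFC 4034) and sorts the DS set into matched and unmatched entries. The owner name, key bytes and DS values are constructed sample data, and only digest type 2 is checked.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (algorithm 1 is not covered)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def audit_ds(owner, ds_set, dnskeys):
    """Split the parent's DS set into records matching a published DNSKEY and the rest."""
    published = {(key_tag(r), r[3], ds_digest(owner, r)) for r in dnskeys}
    valid, unmatched = [], []
    for tag, alg, dtype, digest in ds_set:
        ok = dtype == 2 and (tag, alg, digest.upper()) in published
        (valid if ok else unmatched).append((tag, alg, dtype, digest))
    return valid, unmatched

# Constructed sample: one key-signing key and a four-record DS set,
# of which only the first was derived from that key.
OWNER = "example.com"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))  # placeholder key bytes, not a real key
DS_SET = [
    (key_tag(KSK), 13, 2, ds_digest(OWNER, KSK)),
    (11111, 8, 2, "AA" * 32),
    (22222, 8, 2, "BB" * 32),
    (33333, 8, 2, "CC" * 32),
]

if __name__ == "__main__":
    valid, unmatched = audit_ds(OWNER, DS_SET, [KSK])
    for rec in valid:
        print("keep  ", rec[:3])
    for rec in unmatched:
        print("remove", rec[:3])
```
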

Fastdomain is the registrar, you might want to contact them directly.


Really? So Bluehost is not the actual registrar? What am I even doing using them :thinking:

Any recommendation on who I should switch to for registrar? I had used Google domain before.

Yep, bluehost is saying “Yes, I do not have access to the DNSSEC records, I’m checking with our admins on it.”

I’m putting this out here in case future Cloudflare Bluehost users run into a similar issue.

They are a sort of subsidiary but the registrar is Fastdomain. If you registered with them it should be them to fix DNSSEC.


Yes, I registered with bluehost, correct.

What bluehost said: “I have checked and I see that our specialist need some time to remove the records, I’ll escalate the Case so that our specialist will be back to you via email once it is removed.”

So I guess I will wait… :face_with_raised_eyebrow:

In another situation, if you cannot access Fastdomain or do not remember credentials (worse situation), it is possible you paid hosting and domain to the BlueHost while they used Fastdomain to register your domain?

And as already stated by @sandro, first disable DNSSEC in the Cloudflare dashboard and also remove the DS record which is added to your domain by contacting your registrar.

Then check if your Websites get back “online”.

Once it resolves correctly, hopefully, if you added A records and pointed them to the right IP address and having them :orange: proxied via Cloudflare, then proceed with the steps to add DNSSEC if you want.

Here is the output for DNSSEC misconfiguration for your domain:

Well that was a disaster! Bluehost proceeded to delete the one valid DS record provided by Cloudflare rather than deleting the 3 Bluehost DS records that I requested deleted!

So I am in the process of transferring the domains from bluehost to cloudflare so I can directly manage them at cloudflare.
