by medguru 1487 days ago
Thanks for the info, I'll keep it in mind for eventual future transfers. But shouldn't I be able to disable DNSSEC regardless, instead of the domain being stuck in limbo and hijacked by what appears to be a deadlock type of bug?
2 comments

Talking as an admin at a registrar: yes, indeed yes, you should be able to disable DNSSEC regardless.

DNSSEC-signed basically just means that the TLD servers have a DS record listed for the domain. In order to remove DNSSEC you remove the DS record. This can be easy or hard depending on the interface that the TLD provides, but in theory it is very simple.

The reason why it's recommended to remove DNSSEC before transfer is to allow caches to time out and the old DS record to expire. Some TLDs also automatically remove the DS when you do a transfer and a name server change, as it is a rather clear signal that the old key won't be useful. There is however some exciting new technology called multi-signer which is intended to resolve this problem in the future.

Disabling DNSSEC doesn't propagate instantly. Have you queried the CF nameservers for the domain directly? In my experience everything involving DNSSEC requires a 24h wait (unless the domain hasn't been queried from anywhere - but that's usually not the case, something might have triggered distributed DNS lookups e.g. LE doing DNS validation for cert issuance etc).
CF's authoritative servers ("hasslo" and "crystal") respond correctly when queried directly, but that doesn't really help the situation.
Then it sounds like you are caught in cache limbo. It might be prudent for CF to have their DNSSEC set up so that users can't disable it instantly (or enable it again instantly) and have a minimum of 12/24/48h between changing DNSSEC state. I'd guess that by now most caching DNS resolvers might have different signatures (old registrar, first CF DNSSEC and second CF DNSSEC).
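The two mechanisms the thread relies on, "DNSSEC-signed just means the parent holds a DS record" and "removing the DS does not help a resolver that still has the old DS cached", can be modelled end to end. The following is an added example written for this thread, not code from any commenter, registrar or Cloudflare. It computes a DS record from a DNSKEY exactly as a validator does (RFC 4034 key tag plus SHA-256 digest over owner name and RDATA), then runs a minimal validating-resolver cache through a transfer: the parent publishes DS_OLD, the child is moved to KEY_NEW and the DS is removed. The owner name, key bytes and the 24h DS TTL are constructed values; the `Resolver`, `scenario` and `timeline` helpers are hypothetical names for this model only.

```python
"""Model of the 'cache limbo' from the thread: a validating resolver keeps the
parent's DS record until its TTL expires, so a DNSKEY change at the child is
judged against the *old* DS during that window and the zone goes bogus."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record with digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if this DS was derived from exactly this DNSKEY (tag, algorithm and digest)."""
    return make_ds(owner, rdata) == ds


class Resolver:
    """Minimal validating resolver: a DS answer (or its absence) lives until its TTL expires."""

    def __init__(self):
        self.cache = {}  # name -> (ds_or_None, expires_at)

    def lookup_ds(self, name, now, parent):
        entry = self.cache.get(name)
        if entry is None or now >= entry[1]:
            ds, ttl = parent(name)  # fresh answer from the TLD (parent) servers
            entry = (ds, now + ttl)
            self.cache[name] = entry
        return entry[0]

    def validate(self, name, now, parent, child):
        ds = self.lookup_ds(name, now, parent)
        if ds is None:
            return "insecure"  # no DS at the parent: zone is treated as unsigned
        if ds_matches(ds, name, child(name)):
            return "secure"
        return "bogus"  # DS present but matches no DNSKEY the child serves: SERVFAIL


# Constructed scenario values (not from the thread).
OWNER = "example.com."
DS_TTL = 86400  # assumed 24h TTL on the parent's DS record
CUTOVER = 3600  # moment the transfer happens: new key served, DS removed at the TLD
KEY_OLD = dnskey_rdata(257, 3, 13, b"\x01" * 32)
KEY_NEW = dnskey_rdata(257, 3, 13, b"\x02" * 32)
DS_OLD = make_ds(OWNER, KEY_OLD)


def scenario(now, ds_removed=True):
    """Authoritative state of parent and child at time `now`."""

    def parent(name):
        if now < CUTOVER:
            return DS_OLD, DS_TTL
        # After cutover the DS is gone, or replaced if the new operator published one.
        return (None if ds_removed else make_ds(OWNER, KEY_NEW)), DS_TTL

    def child(name):
        return KEY_OLD if now < CUTOVER else KEY_NEW

    return parent, child


def timeline(query_times, ds_removed=True):
    """Validation outcome seen by one resolver that queries at each given time."""
    resolver = Resolver()
    results = {}
    for t in query_times:
        parent, child = scenario(t, ds_removed)
        results[t] = resolver.validate(OWNER, t, parent, child)
    return results


if __name__ == "__main__":
    print("resolver that cached DS before cutover:", timeline([0, CUTOVER + 60, DS_TTL + 60]))
    print("resolver that never saw the old DS:   ", timeline([CUTOVER + 60]))
```

The first timeline is the situation in the thread: a resolver that cached the DS before the change answers "bogus" for the whole remaining DS TTL even though the parent no longer publishes any DS, and only flips to "insecure" (or "secure", if a matching DS was published in the meantime) once that cache entry expires. The second shows why a never-queried domain escapes the problem. Querying the authoritative servers directly, as suggested in the thread, bypasses this cache entirely, which is why it looks correct there while resolvers still fail.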