by phillipseamore 1487 days ago
Disabling DNSSEC doesn't propagate instantly. Have you queried the CF nameservers for the domain directly? In my experience everything involving DNSSEC requires a 24h wait (unless the domain hasn't been queried from anywhere - but that's usually not the case, something might have triggered distributed DNS lookups e.g. LE doing DNS validation for cert issuance etc).

CF's authoritative servers ("hasslo" and "crystal") respond correctly when queried directly, but that doesn't really help the situation.
Then it sounds like you are caught in cache limbo. It might be prudent for CF to have their DNSSEC setup so that users can't disable it instantly (or enable again instantly) and have a minimum of 12/24/48h between changing DNSSEC state. I'd guess that by now most caching DNS resolvers might have different signatures (old registrar, first CF DNSSEC and second CF DNSSEC).