Then it sounds like you are caught in cache limbo. It might be prudent for CF to have their DNSSEC setup so that users can't disable it instantly (or enable again instantly) and have a minimum of 12/24/48h between changing DNSSEC state. I'd guess that by now most caching DNS resolvers might have different signatures (old registrar, first CF DNSSEC and second CF DNSSC).