-2

While changing configuration to address the deprecation of Dynamic DNS in Google Domains' October 2023 announcement, I changed the nameservers in Google Domains for my .org and .com domains to point to my new Cloudflare account.

Then, I unlocked and transferred the domains from Google Domains to Cloudflare. I then added A records for my IP address so I could access it via additional subdomain names, but they didn't work. Having read a blog, it seems that I should have disabled DNSSEC in Google Domains before transferring the domains.

I've since turned on DNSSEC in Cloudflare, but now I don't know how to resolve this problem, because the Cloudflare documentation simply says "don't do it that way" but doesn't give advice on how to solve the situation.

Greg Askew
  • 36,724
  • Open support tickets with the vendors. But off-topic due to no business relationship nor any business environment – djdomi Jan 27 '24 at 04:37

1 Answer

3

It is a common misunderstanding that one would have to disable DNSSEC first. Instead, before the migration, the DS records for the new authoritative DNS servers must be set up first, alongside the old records, and you must wait for their TTL.

Junior Payne's "How to migrate your DNS without disrupting DNSSEC" explains the process both in detail and in summary:

Process for migrating a DNSSEC zone

The losing provider and gaining provider must use the same DNSSEC algorithm. The primary records relevant to the migration process are RRSIG, DNSKEY and DS.

  1. Copy zone to gaining DNS service provider.
  2. Sign zone in gaining DNS service provider using the same algorithm as the current DNSKEY in the losing provider.
  3. Publish the new zone – go live.
  4. Add DS record(s) of gaining DNS service provider.
  5. Change the delegation of the zone to the gaining DNS service provider.
  6. Remove DS record(s) of the losing DNS service provider.

Between every step you would have to wait for the relevant TTLs.

With the milk already spilled, you would have to focus on the goal, accepting that there will now be some downtime for any DNSSEC-enabled clients.

Esa Jokinen
  • 49,773
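A check for the state the quoted process requires between step 4 and step 5, written as an added example that is not code from the answer, from Junior Payne's article, or from Cloudflare or Google Domains: it computes the DS record (RFC 4034 key tag and SHA-256 digest) for each provider's KSK and reports whether the parent's DS set covers both providers and whether both sign with the same algorithm, which is exactly what must hold before the delegation is changed. The zone name example.org, the DNSKEY values and the parent DS set are constructed here; in practice the DNSKEYs would be queried from the losing and gaining nameservers and the DS set from the parent zone.

```python
"""Pre-cutover DNSSEC check: is it safe to change the delegation yet?"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes   # raw key bytes (what the base64 field decodes to)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the RDATA, odd bytes low, even bytes high.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: str         # lowercase hex


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_for(name: str, key: DNSKEY) -> DS:
    """RFC 4034 5.1.4: digest = SHA-256(owner name wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(name) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def check_cutover(name: str, parent_ds: set[DS],
                  losing: list[DNSKEY], gaining: list[DNSKEY]) -> list[str]:
    """Return the reasons why changing the delegation now would break validation.

    An empty list means the parent DS set covers the KSKs of both providers and
    both sign with the same algorithm, i.e. step 5 of the migration can proceed.
    """
    problems: list[str] = []
    losing_algs = {k.algorithm for k in losing}
    gaining_algs = {k.algorithm for k in gaining}
    if losing_algs != gaining_algs:
        problems.append(f"algorithm mismatch: losing={sorted(losing_algs)} "
                        f"gaining={sorted(gaining_algs)}")
    for side, keys in (("losing", losing), ("gaining", gaining)):
        for k in keys:
            if k.flags & 0x0001 and ds_for(name, k) not in parent_ds:  # SEP bit => KSK
                problems.append(f"{side} KSK tag {k.key_tag()} has no DS at the parent")
    return problems


if __name__ == "__main__":
    # Constructed sample data (not real keys): one KSK per provider, same algorithm.
    zone = "example.org"
    losing_ksk = DNSKEY(257, 3, 13, hashlib.sha256(b"losing KSK").digest() * 2)
    gaining_ksk = DNSKEY(257, 3, 13, hashlib.sha256(b"gaining KSK").digest() * 2)

    # State after step 4: parent publishes DS for both providers.
    after_step_4 = {ds_for(zone, losing_ksk), ds_for(zone, gaining_ksk)}
    print("after step 4:", check_cutover(zone, after_step_4, [losing_ksk], [gaining_ksk]) or "OK")

    # The situation in the question: delegation moved while only the old DS exists.
    only_old_ds = {ds_for(zone, losing_ksk)}
    print("old DS only:", check_cutover(zone, only_old_ds, [losing_ksk], [gaining_ksk]))
```

Run it as a script to see the two states side by side; to use it against a live migration, replace the constructed keys with the DNSKEY records returned by each provider's nameservers and the DS set with what the parent zone serves, then only proceed with step 5 when the list comes back empty.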