I found the threat about NameCheap and DS record throwing errors at DNSSEC. With “The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone’s DNSKEY RRset.”
Solved it by at NameCheap to delete the algorithm 8 DS record.
Regards
Rob Oudendijk
Always disable DNSSEC when changing dns records at the Registrant.
Renable it after the propagation and when all is OK, depending on the TTL.
I have deleted my DNSSEC key at my registrar, but see that my DNSKEYs are still being returned when I do a DNS check. My registrar says that DNSSEC is disabled. Is that right if DNSKEYs are still being returned?
There is a TTL when making changes at the registrar, in seconds. This is a time to live, i.e. time when it is expected the changes to propagate. Check the value. It might be as much as 1 or 2 days, depending on the DNS provider.