Introduction

DNSSEC adds cryptographic signatures to DNS records to prevent spoofing and cache poisoning. When DNSSEC is enabled, resolvers validate the entire chain of trust from the root zone down to the domain's records. If any link in this chain is broken - an expired RRSIG, mismatched DS record, failed key rollover, or missing DNSKEY - validation fails and the resolver returns SERVFAIL instead of the actual record, effectively making the domain unreachable.

Symptoms

  • dig example.com returns SERVFAIL, and the ad (authenticated data) flag is not set
  • dig +dnssec example.com shows SERVFAIL while dig example.com +cd (checking disabled) returns the record
  • delv example.com shows ; validation failure: chain of trust broken
  • Site works with DNSSEC disabled but fails with DNSSEC enabled
  • dig example.com DNSKEY returns keys but DS record at parent does not match

Common Causes

  • DS record at the registrar does not match the zone's DNSKEY
  • RRSIG signatures expired and automatic signing failed
  • Key rollover (KSK or ZSK) not completed correctly
  • DNS zone re-signed with a new key but DS record not updated at the registrar
  • Parent zone (TLD) has stale DS record after key change

Step-by-Step Fix

  1. Verify DNSSEC is the cause by disabling validation:

```bash
# This query with checking disabled should return the record
dig example.com +cd +noall +answer
# If this works but the normal query fails, DNSSEC is the issue
```

  2. Check the DNSSEC validation chain:

```bash
# Use delv for detailed DNSSEC debugging
delv example.com
# Shows exactly which signature or key is failing validation
```

  3. Compare the DS record at the parent with the zone DNSKEY:

```bash
# Get the DS record from the parent (registrar/TLD)
dig example.com DS +noall +answer @a.gtld-servers.net

# Get the DNSKEY from the zone
dig example.com DNSKEY +noall +answer @ns1.example.com

# Generate the expected DS record from the DNSKEY
dnssec-dsfromkey example.com.key
# Compare with the DS record at the parent
```

  4. Update the DS record at the registrar:
     - Log in to your domain registrar
     - Navigate to DNSSEC management
     - Update the DS record with the correct key tag, algorithm, digest type, and digest
     - The values come from: dnssec-dsfromkey -2 Kexample.com.+013+xxxxx.key

  5. Re-sign the zone if signatures have expired:

```bash
# For BIND:
sudo rndc sign example.com
# Check signature expiration
dig example.com RRSIG +noall +answer
# Look for the signature expiration date
```

  6. Temporarily disable DNSSEC if immediate resolution is needed:

```bash
# At the registrar, remove the DS record
# Or in your DNS server, remove DNSSEC signing
# Note: This takes 24-48 hours to fully propagate
```
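
To make step 3's comparison concrete, here is an added Python example (not from the original article, and not BIND's code) that recomputes a DS record from a DNSKEY the way dnssec-dsfromkey does, following RFC 4034 (key tag in Appendix B, digest in section 5.1.4), and checks it against DS RDATA as dig prints it. The key material is constructed, not a real key, and helper names such as ds_matches are my own.

```python
import hashlib
from dataclasses import dataclass

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

@dataclass
class Dnskey:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # base64-decoded key material from the DNSKEY record

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner: str, key: Dnskey, digest_type: int = 2) -> tuple:
    """RFC 4034 5.1.4: digest = hash(owner name wire form | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).hexdigest()
    return (key.key_tag(), key.algorithm, digest_type, digest.upper())

def parse_ds(rdata_text: str) -> tuple:
    """Parse DS RDATA as dig prints it: 'keytag alg digesttype digest...'."""
    tag, alg, dtype, *digest = rdata_text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())

def ds_matches(owner: str, key: Dnskey, parent_ds_text: str) -> bool:
    """True only if the DS published at the parent was derived from this DNSKEY."""
    parent = parse_ds(parent_ds_text)
    return ds_from_dnskey(owner, key, parent[2]) == parent

# Constructed sample KSK (not a real key): 64 bytes standing in for P-256 key material.
SAMPLE_KSK = Dnskey(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("example.com.", SAMPLE_KSK)
    print(f"expected DS: example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Feed it the DNSKEY from your authoritative server and the DS RDATA from the parent (the two dig queries in step 3); a False result means the parent's DS was generated from a different key and the registrar entry must be updated.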

Prevention

  • Monitor DNSSEC signature expiration and set alerts 7 days before expiry
  • Automate DNSSEC key rollovers with tools like dnssec-keygen and dnssec-signzone
  • Use DS record push automation when available (some registrars support this)
  • Test DNSSEC validation after every key change or zone re-signing
  • Document the DNSSEC key management procedure including emergency disable steps