Introduction
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, creating a chain of trust from the root zone down to your domain. When DNSSEC validation fails, validating DNS resolvers return SERVFAIL, making your domain unreachable for their users. Common causes include missing or incorrect DS records at the registrar, expired signatures, key rotation errors, or mismatched keys between your zone and the parent zone. Cloudflare supports DNSSEC for zones it manages, but proper configuration at both Cloudflare and the registrar is required.
Symptoms
- Domain returns SERVFAIL when queried by DNSSEC-validating resolvers
- Site unreachable for users with DNSSEC-enabled ISPs
- DNS tools show DNSSEC validation failure
- Error: "DNSSEC signature failed to verify"
- Recent registrar or nameserver changes preceded the issue
- Domain works with some resolvers but fails with others
Common Causes
- DS record at registrar doesn't match Cloudflare DNSSEC key
- DS record removed or corrupted at registrar
- DNSSEC signatures expired (zone is not being re-signed)
- Key rollover incomplete or misconfigured
- Chain of trust broken at parent zone
- CAA record conflict with DNSSEC
- Registrar not supporting DNSSEC for TLD
- Cloudflare DNSSEC disabled but DS records remain at registrar
Step-by-Step Fix
1. Verify DNSSEC status at Cloudflare:
Navigate to: Cloudflare Dashboard > DNS > Settings
```
# Check DNSSEC status:
# - Enabled: shows DS record values
# - Disabled: no DS record shown

# If DNSSEC is enabled at Cloudflare, note the DS record values:
# - Key tag
# - Algorithm
# - Digest type
# - Digest value
```
2. Check the DS record at the registrar:
```bash
# Query the parent zone for the DS record
# (a.gtld-servers.net serves .com/.net; for other TLDs query that TLD's authoritative servers)
dig yourdomain.com DS @a.gtld-servers.net

# Or trace the delegation down from the root servers
# (the root itself only returns a referral to the TLD servers)
dig yourdomain.com DS +trace

# Should return a DS record matching the Cloudflare values
# If there is no DS record or the values are mismatched, validation fails
```
3. Compare the DS records between Cloudflare and the registrar:
```bash
# Get the Cloudflare DS record from the dashboard
# Compare it with the registrar DS record

# Values must match exactly:
# - Key tag (number)
# - Algorithm (usually 13 for ECDSA P-256)
# - Digest type (usually 2 for SHA-256)
# - Digest (long hexadecimal string)
```
4. Update the DS record at the registrar if mismatched:
Log into the registrar control panel:
- Find the DNSSEC settings
- Remove the existing DS record
- Add a DS record with the values from the Cloudflare dashboard
```bash
# Example DS record format:
# Key Tag: 2371
# Algorithm: 13
# Digest Type: 2
# Digest: 4A3B2C1D... (64 character hex for SHA-256)
```
5. Verify the DNSSEC chain of trust:
```bash
# Use the DNSViz command-line tool (probe the domain, then print the analysis)
dnsviz probe yourdomain.com | dnsviz print

# Or the online tool
# https://dnsviz.net/

# Check for:
# - Valid signatures
# - A complete chain from the root to the domain
# - No "bogus" status
```
6. Check for expired signatures:
```bash
# Query the authoritative server directly
dig yourdomain.com +dnssec @june.ns.cloudflare.com

# Look at the RRSIG records for the expiration time: the two timestamps after the
# original TTL are the signature expiration and inception (YYYYMMDDHHMMSS, UTC)

# DNSKEY should have valid signatures
# Cloudflare automatically re-signs, but check that DNSSEC is enabled
```
7. Disable DNSSEC at the registrar if not using Cloudflare DNSSEC:
```bash
# If you disabled DNSSEC in Cloudflare but a DS record still exists at the registrar:
# validation fails because the resolver expects signatures that don't exist

# Remove the DS record from the registrar
# Wait for propagation (up to the parent's DS TTL, often hours)
```
8. Enable DNSSEC in Cloudflare if needed:
Navigate to: DNS > Settings > DNSSEC
```bash
# Click Enable DNSSEC
# Note the DS record values
# Add the DS record at the registrar
```
9. Handle key rollover properly:
```bash
# During a key rollover, keep the old key active until the new DS has propagated
# Cloudflare handles automatic key rollover
# Ensure the registrar DS record is updated when Cloudflare rotates keys

# Check the current key in the Cloudflare dashboard
# Update the registrar if the key changed
```
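The comparisons in the steps above (the DS at the parent against the DNSKEY Cloudflare publishes, a DS left behind after DNSSEC was disabled, and a DS that still points at a retired key after a rollover) can be checked offline from the `dig` output. The following script is an added example, not Cloudflare code or part of the original article: it derives the DS fields (RFC 4034 key tag and digest) from DNSKEY presentation lines and names the mismatch. The DNSKEY and DS lines are constructed samples rather than real keys; `yourdomain.com` and the key tag 2371 are the page's own placeholders, and the zero digest is a placeholder.

```python
import base64
import hashlib

# Constructed sample records (not real keys) in the presentation format printed by
# `dig yourdomain.com DNSKEY @june.ns.cloudflare.com`; flags 257 = KSK, 256 = ZSK.
ZONE_DNSKEYS = [
    "yourdomain.com. 3600 IN DNSKEY 257 3 13 ECAwQFBgcIA=",
    "yourdomain.com. 3600 IN DNSKEY 256 3 13 AQIDBAUGBwg=",
]
# Constructed DS as `dig yourdomain.com DS @a.gtld-servers.net` would print it: a stale
# one whose key tag (2371, the page's example) matches no key in the zone; placeholder digest.
REGISTRAR_DS = ["yourdomain.com. 86400 IN DS 2371 13 2 " + "00" * 32]


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line):
    """Split one DNSKEY presentation line into (owner, flags, algorithm, rdata_wire)."""
    parts = line.split(";")[0].split()            # drop dig's trailing "; key id = ..." comment
    flags, proto, alg = int(parts[4]), int(parts[5]), int(parts[6])
    pubkey = base64.b64decode("".join(parts[7:]))  # long keys may be split across whitespace
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return parts[0].lower(), flags, alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the value dig shows as 'key id')."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """DS the parent zone should publish for this DNSKEY (RFC 4034 section 5.1.4)."""
    owner, flags, alg, rdata = parse_dnskey(line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}.get(digest_type)
    if hasher is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return {
        "key_tag": key_tag(rdata),
        "algorithm": alg,
        "digest_type": digest_type,
        "digest": hasher(owner_to_wire(owner) + rdata).hexdigest().upper(),
        "is_ksk": bool(flags & 1),                # SEP bit set on the KSK
    }


def format_ds(ds, owner="yourdomain.com."):
    """Presentation form of a DS record, as dig prints it and as the registrar form expects it."""
    return f"{owner} 86400 IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def parse_ds(line):
    """Split one DS presentation line into the four fields the registrar asks for."""
    parts = line.split(";")[0].split()
    return {"key_tag": int(parts[4]), "algorithm": int(parts[5]),
            "digest_type": int(parts[6]), "digest": "".join(parts[7:]).upper()}


def diagnose(dnskey_lines, ds_lines):
    """Compare the zone's KSKs with the DS set at the parent and name the likely fault."""
    ksk_lines = [l for l in dnskey_lines if parse_dnskey(l)[1] & 1]
    published = [parse_ds(l) for l in ds_lines]
    if published and not dnskey_lines:
        return ("DS present at registrar but the zone publishes no DNSKEY: resolvers expect "
                "signatures that do not exist, remove the DS or enable DNSSEC")
    if not published:
        return "no DS at the parent: the delegation is insecure and resolvers will not validate it"
    findings = []
    for ds in published:
        candidates = [ds_from_dnskey(l, ds["digest_type"]) for l in ksk_lines]
        same_tag = [c for c in candidates if c["key_tag"] == ds["key_tag"]]
        if not same_tag:
            findings.append(f"DS key tag {ds['key_tag']} matches no KSK in the zone "
                            "(stale DS after a rollover, or mistyped values)")
        elif not any(c["digest"] == ds["digest"] and c["algorithm"] == ds["algorithm"]
                     for c in same_tag):
            findings.append(f"DS key tag {ds['key_tag']} has a wrong digest or algorithm: "
                            "re-enter it from the dashboard")
    published_tags = {ds["key_tag"] for ds in published}
    for l in ksk_lines:
        tag = key_tag(parse_dnskey(l)[3])
        if tag not in published_tags:
            findings.append(f"KSK {tag} has no DS at the parent (new key after a rollover: publish its DS)")
    return "ok: every DS at the parent matches a KSK in the zone" if not findings else "; ".join(findings)


if __name__ == "__main__":
    for line in ZONE_DNSKEYS:
        ds = ds_from_dnskey(line)
        print("KSK" if ds["is_ksk"] else "ZSK", "->", format_ds(ds))
    print(diagnose(ZONE_DNSKEYS, REGISTRAR_DS))
```

Paste the real DNSKEY lines from `dig ... DNSKEY` and the DS lines from `dig ... DS` into the two lists; the key tag and digest printed for the KSK are exactly the values the registrar form must hold, so a difference in any field is the mismatch to fix.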
10. Test with a DNSSEC-validating resolver:
```bash
# Use Google Public DNS (validates DNSSEC)
dig yourdomain.com @8.8.8.8

# Should return status NOERROR with a valid answer
# SERVFAIL indicates a DNSSEC validation failure

# Ask for the DNSSEC records as well
dig yourdomain.com +dnssec +multiline @8.8.8.8

# Look for the ad flag (authenticated data) in the header flags line
# No ad flag + SERVFAIL = DNSSEC validation failed
```
11. Check for DNSSEC-specific record issues:
```bash
# Verify DNSKEY records
dig yourdomain.com DNSKEY @june.ns.cloudflare.com

# The KSK (flags 257) must be the key the DS record at the parent was generated from
# (same key tag and algorithm)

# Check for a consistent algorithm
# Algorithm 13 (ECDSAP256SHA256) is the standard choice
```
12. Verify the zone is properly signed:
```bash
# Query with the DNSSEC flag
dig yourdomain.com A +dnssec @june.ns.cloudflare.com

# Response should include:
# - A record (answer)
# - RRSIG record (signature over the A RRset)
# - NSEC or NSEC3 records appear only in negative responses (denial of existence
#   for a name or type that does not exist), not in a positive A answer

# A missing RRSIG indicates the zone is not properly signed
```
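Both the expired-signature check and the "is every RRset signed" check above come down to reading the RRSIG lines in a `dig +dnssec` answer. The following script is an added example, not part of the original article or Cloudflare tooling: it pairs each RRset in a pasted answer section with its covering RRSIG and reports whether the signature is current, expired, not yet valid, or missing. The answer section is a constructed sample (documentation addresses, placeholder signature) in dig's default single-line format; `+multiline` output would need the records joined back onto one line first.

```python
from datetime import datetime, timedelta, timezone

# Constructed answer section in the shape `dig yourdomain.com A +dnssec @june.ns.cloudflare.com`
# prints. Not real data: documentation address ranges and a placeholder signature.
ANSWER_SECTION = """\
yourdomain.com. 300 IN A 203.0.113.10
yourdomain.com. 300 IN RRSIG A 13 2 300 20240120000000 20240118000000 34505 yourdomain.com. c2lnLXBsYWNlaG9sZGVy
yourdomain.com. 300 IN AAAA 2001:db8::10
"""

RRSIG_TIME = "%Y%m%d%H%M%S"   # RRSIG expiration/inception are UTC timestamps in this format


def parse_stamp(stamp):
    """Turn an RRSIG timestamp such as 20240120000000 into an aware UTC datetime."""
    return datetime.strptime(stamp, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_records(answer_text):
    """Collect the RRsets present and the RRSIGs that cover them, keyed by (owner, type)."""
    rrsets, sigs = set(), {}
    for raw in answer_text.splitlines():
        parts = raw.split(";")[0].split()     # ignore dig's comment lines and trailing comments
        if len(parts) < 5:
            continue
        owner, rtype = parts[0].lower(), parts[3]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception key-tag signer sig
            sigs.setdefault((owner, parts[4]), []).append({
                "expiration": parse_stamp(parts[8]),
                "inception": parse_stamp(parts[9]),
                "key_tag": int(parts[10]),
            })
        else:
            rrsets.add((owner, rtype))
    return rrsets, sigs


def audit_signatures(answer_text, now_stamp, warn_days=1):
    """Per RRset: 'ok', 'expiring soon', 'not yet valid', 'expired' or 'unsigned'."""
    now = parse_stamp(now_stamp)
    rrsets, sigs = parse_records(answer_text)
    report = {}
    for key in sorted(rrsets):
        if key not in sigs:
            report[key] = "unsigned"          # no RRSIG: zone not signed, or query lacked +dnssec
            continue
        verdicts = set()
        for sig in sigs[key]:
            if now < sig["inception"]:
                verdicts.add("not yet valid")
            elif now >= sig["expiration"]:
                verdicts.add("expired")
            elif sig["expiration"] - now < timedelta(days=warn_days):
                verdicts.add("expiring soon")  # re-signing may have stalled
            else:
                verdicts.add("ok")
        # A validator needs only one acceptable signature, so report the best of them.
        for best in ("ok", "expiring soon", "not yet valid", "expired"):
            if best in verdicts:
                report[key] = best
                break
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime(RRSIG_TIME)
    for (owner, rtype), verdict in audit_signatures(ANSWER_SECTION, now).items():
        print(f"{owner} {rtype}: {verdict}")
```

Run it against the pasted answer section of the real query: an "unsigned" RRset means the zone is not being signed, and "expired" or "expiring soon" points at stalled re-signing rather than a DS problem.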
13. Allow time for propagation:
```bash
# DS record changes propagate through the parent zone
# The TTL at the parent zone determines propagation time
# Often 1-24 hours for parent zone updates

# Monitor with (re-runs the query every 5 minutes):
watch -n 300 dig yourdomain.com DS @a.gtld-servers.net
```
Verification
After applying fixes:
1. `dig yourdomain.com @8.8.8.8` returns NOERROR (not SERVFAIL)
2. The response includes the ad flag (authenticated data)
3. The DS record at the registrar matches the Cloudflare values
4. DNSSEC validation tools show a valid chain
5. The domain resolves on DNSSEC-validating networks
6. The site is accessible to all users regardless of resolver DNSSEC support