Introduction

A DNSSEC validation failure means resolvers no longer trust the DNS answers for your domain, even if the records look correct at first glance. The hostname may resolve fine from non-validating resolvers but fail completely from validating ones. Most incidents happen when the parent DS record and the signed zone stop matching during a provider change, key rollover, or partial DNS migration.

Symptoms

  • Some resolvers return SERVFAIL while others still resolve the domain
  • DNS lookup tools specifically mention DNSSEC validation problems
  • The issue begins after changing DNS providers, enabling DNSSEC, or rotating signing keys
  • The zone looks correct in the provider dashboard, but users still cannot resolve it reliably
  • Only validating resolvers fail, while lookups through non-validating resolvers appear normal

Common Causes

  • The parent DS record does not match the signing key currently published in the zone's DNSKEY records
  • DNSSEC was disabled in the zone, but the registrar still publishes a DS record
  • A key rollover was started but not completed correctly
  • Authoritative nameservers return inconsistent signed responses
  • Zone signing or delegation changed during migration and left part of the chain broken

Step-by-Step Fix

  1. Confirm that DNSSEC validation is the actual failure mode by testing with validating resolvers and DNS tools that show DS and DNSKEY details.
  2. Compare the DS record at the registrar or parent zone with the DNSKEY records currently served by the authoritative nameservers.
  3. If the zone is no longer signed, remove the stale DS record at the parent so validating resolvers stop expecting signatures.
  4. If the zone should remain signed, re-establish the correct DS record from the active DNS provider instead of mixing old and new signing states.
  5. Check all authoritative nameservers for consistent signed answers, because a single out-of-date nameserver makes validation fail intermittently, depending on which server a resolver happens to query.
  6. Review recent provider moves or key rollover steps to find whether the break happened during delegation, signing enablement, or key rotation.
  7. Wait for DS and DNSKEY TTL expiry only after the chain of trust is actually corrected.
  8. Retest resolution from validating public resolvers in multiple regions to confirm SERVFAIL is gone.
  9. Document DNSSEC ownership and rollover procedure so future registrar or DNS provider changes do not repeat the same failure.
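Steps 2 through 4 come down to one question: was the DS the parent publishes derived from a DNSKEY the zone actually serves? The script below, added here as an example and not part of the original guide, answers that offline: it computes the key tag and DS digest for each served DNSKEY (RFC 4034 and RFC 4509), reports a stale DS, a tag/algorithm mismatch, or a digest mismatch, and prints the DS that should be published for a given key. The zone name example.test and the key bytes are constructed placeholders; in practice you would paste in the DS from `dig DS` at the parent and the DNSKEY records from each authoritative server.

```python
import base64
import hashlib

# Constructed sample data: an algorithm 13 KSK whose 64 public-key bytes are a placeholder pattern.
SAMPLE_ZONE = "example.test"
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Owner name in canonical lower-case wire format (RFC 4034 section 6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA); type 1 is SHA-1, type 2 SHA-256."""
    return {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def parse_dnskey(text):
    flags, proto, alg, key = text.split(None, 3)          # presentation format: flags proto alg base64
    key = base64.b64decode(key.replace(" ", ""))           # tolerate a key wrapped across lines
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key
    return {"tag": key_tag(rdata), "alg": int(alg), "rdata": rdata}

def parse_ds(text):
    tag, alg, dtype, digest = text.split(None, 3)          # presentation format: tag alg type hexdigest
    return {"tag": int(tag), "alg": int(alg), "dtype": int(dtype), "digest": digest.replace(" ", "").upper()}

def ds_for_dnskey(owner, dnskey_text, digest_type=2):
    """The DS record the parent should publish for this DNSKEY (what step 4 re-establishes)."""
    k = parse_dnskey(dnskey_text)
    return f"{k['tag']} {k['alg']} {digest_type} {ds_digest(owner, k['rdata'], digest_type)}"

def check_chain(owner, parent_ds, child_dnskeys):
    """Compare every parent DS with the served DNSKEYs; an empty list means nothing at the parent contradicts them."""
    keys = [parse_dnskey(k) for k in child_dnskeys]
    if parent_ds and not keys:
        return [f"stale DS: parent publishes DS for {owner} but the zone serves no DNSKEY (remove DS or re-sign)"]
    findings = []
    for ds in map(parse_ds, parent_ds):
        cands = [k for k in keys if k["tag"] == ds["tag"] and k["alg"] == ds["alg"]]
        if not cands:
            findings.append(f"DS tag {ds['tag']} alg {ds['alg']}: no served DNSKEY has that tag/algorithm")
        elif not any(ds_digest(owner, k["rdata"], ds["dtype"]) == ds["digest"] for k in cands):
            findings.append(f"DS tag {ds['tag']}: digest does not match the served DNSKEY (old key still at parent?)")
    return findings
```

Run check_chain once per authoritative nameserver with that server's DNSKEY answer, since step 5 is about catching the one server that still serves the old key.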