Troubleshooting DNSSEC Issues
Common DNSSEC problems and how to diagnose and fix them
DNSSEC Validation Failures
Symptoms
- Users cannot access your website
- DNS queries return SERVFAIL
- DNSSEC validation shows as failed
Diagnosis Steps
- Use our chain of trust verifier to check each link
- Verify DS records are published: dig DS example.com
- Check DNSKEY records exist: dig DNSKEY example.com
- Verify RRSIG records are present: dig RRSIG example.com
- Check for expired signatures
Solutions
- Ensure DS records are correctly added at registrar
- Verify DNSKEY records are published
- Check that RRSIG records are not expired
- Wait for full propagation (up to 48 hours)
Expired RRSIG Signatures
Symptoms
- DNSSEC validation fails after a specific date
- RRSIG records show past expiration dates
- Intermittent validation failures
Diagnosis
Use our RRSIG decoder to check expiration dates. Query RRSIG records and check the expiration timestamp.
Solutions
- Re-sign your zone immediately
- Ensure automatic re-signing is enabled in your DNS provider
- Set up alerts for signature expiration (2 weeks before)
- Check key rotation schedule - expired keys can't sign records
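The check described above (query the RRSIG records, read the expiration timestamp, alert two weeks ahead) can be scripted. The following Python script is an added example, not part of this guide or of the RRSIG decoder it mentions; it parses dig's presentation format for RRSIG records and classifies each signature as expired, not yet valid, expiring within the alert window, or ok. The sample dig output embedded in it is constructed (the signature field is a placeholder), and the field layout it assumes is the standard one from RFC 4034: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample answer section of `dig RRSIG example.com`; the
# base64 signature field is a placeholder, not a real signature.
SAMPLE_DIG_OUTPUT = """\
example.com.  3600  IN  RRSIG  A    8 2 3600 20240320000000 20240220000000 12345 example.com. c2lnbmF0dXJl
example.com.  3600  IN  RRSIG  SOA  8 2 3600 20240302000000 20240201000000 12345 example.com. c2lnbmF0dXJl
example.com.  3600  IN  RRSIG  NS   8 2 3600 20240501000000 20240401000000 12345 example.com. c2lnbmF0dXJl
example.com.  3600  IN  RRSIG  MX   8 2 3600 20240601000000 20240201000000 12345 example.com. c2lnbmF0dXJl
"""

# Raise an alert this long before expiry, matching the two-week guidance above.
ALERT_WINDOW = timedelta(days=14)


def parse_rrsig_time(ts):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Parse RRSIG lines in dig presentation format into dicts.

    Field layout: owner TTL class RRSIG type-covered algorithm labels
    original-TTL expiration inception key-tag signer signature.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue  # skip comments, blank lines and non-RRSIG answers
        records.append({
            "owner": fields[0],
            "type_covered": fields[4],
            "algorithm": int(fields[5]),
            "expiration": parse_rrsig_time(fields[8]),
            "inception": parse_rrsig_time(fields[9]),
            "key_tag": int(fields[10]),
            "signer": fields[11],
        })
    return records


def classify(record, now):
    """Return the validity state of one RRSIG at time `now`."""
    if now > record["expiration"]:
        return "expired"
    if now < record["inception"]:
        return "not-yet-valid"  # clock skew, or a signature published too early
    if record["expiration"] - now <= ALERT_WINDOW:
        return "expiring-soon"
    return "ok"


def check_signatures(text, now=None):
    """Map each covered type to its state; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return {r["type_covered"]: classify(r, now) for r in parse_rrsigs(text)}


if __name__ == "__main__":
    # Pipe real output in (`dig RRSIG example.com | python3 rrsig_check.py`)
    # or run with no stdin to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    for rtype, state in check_signatures(data).items():
        print(f"{rtype:6} {state}")
```

Run against a signed zone, anything reported as expired explains a SERVFAIL from validating resolvers immediately, while expiring-soon is the state to alert on before users notice. A not-yet-valid result usually points at clock skew on the signing host rather than at the zone itself.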
Broken Chain of Trust
Symptoms
- Validation fails at TLD or domain level
- DS records missing or incorrect
- DNSKEY doesn't match DS record
Diagnosis
Use our chain of trust verifier to identify which link in the chain is broken.
Solutions
- Verify DS records match DNSKEY records (use our DS generator)
- Ensure DS records are added at registrar, not DNS provider
- Check TLD supports DNSSEC (most do, but verify)
- Wait for DS record propagation (24-48 hours)
Key Rotation Problems
Symptoms
- Validation fails after key rotation
- Old keys still in DNSKEY records
- DS records don't match new keys
Solutions
- Maintain both old and new keys during transition period
- Update DS records only after new keys are fully propagated
- Wait for signature validity period before removing old keys
- Verify validation works with both keys before removing old key
DS Record Issues
Common Problems
DS Records Not Published
DS records must be added at your registrar, not your DNS provider. Verify they're in the correct location.
Wrong DS Records
DS records must match your DNSKEY records. Use our DS generator to verify, or regenerate from your DNS provider.
Multiple DS Records
Having multiple DS records is normal if you have multiple KSKs. Ensure all are added at registrar.
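To see concretely what "DS records must match your DNSKEY records" means, the following Python script is an added example (not part of this guide and not the DS generator it refers to). It derives a DS record from a DNSKEY exactly as RFC 4034 specifies, key tag from Appendix B and digest over the canonical owner name plus the DNSKEY RDATA, and then checks a DS record published at the registrar against the DNSKEY set served by the zone. The key material in it is constructed placeholder bytes, not a real key, so the digests it prints are only meaningful as a demonstration of the matching logic.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminating zero octet (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format DNSKEY RDATA: flags (2 octets), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return the DS record (key tag, algorithm, digest type, digest) that the
    registrar should hold for this DNSKEY: digest over owner name + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def find_matching_key(owner, dnskeys, ds):
    """Return the DNSKEY tuple (flags, protocol, algorithm, key) in `dnskeys`
    that the published DS `ds` was generated from, or None when nothing
    matches, which is the 'DNSKEY doesn't match DS record' failure."""
    tag, alg, digest_type, digest = ds
    wanted = (tag, alg, digest_type, digest.replace(" ", "").upper())
    for key in dnskeys:
        flags, protocol, algorithm, public_key = key
        if ds_from_dnskey(owner, flags, protocol, algorithm, public_key, digest_type) == wanted:
            return key
    return None


if __name__ == "__main__":
    # Constructed keys: placeholder key bytes, not real DNSSEC keys.
    owner = "example.com."
    ksk = (257, 3, 8, "AwEAAQ==")   # flags 257 = SEP bit set, the usual KSK
    zsk = (256, 3, 8, "AwEAAw==")   # flags 256 = ZSK, normally not referenced by DS
    published_ds = ds_from_dnskey(owner, *ksk)
    print("DS to add at the registrar:", published_ds)
    print("matching DNSKEY:", find_matching_key(owner, [zsk, ksk], published_ds))
    # A DS left over from a previous KSK: same algorithm, different key tag.
    stale_ds = (published_ds[0] + 1,) + published_ds[1:]
    print("stale DS matches:", find_matching_key(owner, [zsk, ksk], stale_ds))
```

In practice, feed `find_matching_key` the DNSKEY set from `dig DNSKEY example.com` and each DS from `dig DS example.com`; every published DS should resolve to a key that is actually in the zone. During a KSK rollover it is normal for two DS records to be present as long as both match a currently served key.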
Diagnostic Tools
Use these tools to diagnose DNSSEC issues:
- DNSSEC Validator - Check overall DNSSEC status
- Chain Verifier - Verify each link
- RRSIG Tool - Check signature expiration
- DNSKEY Analyzer - Analyze key configuration
- NSEC Checker - Verify authenticated denial
Command Line Diagnostics
# Check DS records
dig DS example.com
# Check DNSKEY records
dig DNSKEY example.com
# Check RRSIG records
dig RRSIG example.com
# Verify with DNSSEC validation
dig +dnssec example.com
Getting Help
If you're still experiencing issues:
- Check your DNS provider's DNSSEC documentation
- Contact your DNS provider's support
- Verify your registrar supports DNSSEC
- Review our information pages for more details
- Check our best practices guide