Fixes
DNS & Domain Security · Updated 2026-05-02
DNSSEC Validation
Three DNSSEC failure modes (broken, missing, partial), each needing different remediation. Broken is outage-grade and urgent.
DNSSEC failures range from inert (just not turned on) to outage-grade (validating resolvers refuse to answer for your domain). Match your scan verdict to the section below and follow the steps.
Fail: broken DNSSEC
Urgent. A DS record exists at the parent, but the zone is not serving a DNSKEY that matches it (or signatures that chain to one). Validating resolvers (1.1.1.1, 8.8.8.8, Quad9, most large ISPs) return SERVFAIL for every name in the zone until this is resolved. There is no user-facing error page you control; browsers show a generic DNS error and affected visitors simply cannot reach you.
The cause is almost always one of:
- A key rollover at your DNS provider published new DNSKEYs, but the registrar still holds a DS pointing at an old key.
- DNS hosting was changed (or DNSSEC switched off at the provider) without first removing the DS from the registrar.
Pick one fix path:
- Keep DNSSEC on: copy the current DS record (key tag, algorithm, digest type, digest) from your DNS provider's control panel and replace the DS at the registrar so it matches a DNSKEY the zone currently serves. The registrar usually pushes the new DS to the parent within minutes to an hour, but resolvers that cached the old DS keep failing until that cache expires (the parent's DS TTL, 24 hours at .com and many other TLDs). Google and Cloudflare provide public cache-flush forms for their resolvers (developers.google.com/speed/public-dns/cache and 1.1.1.1/purge-cache) that shorten this for those two.
- Turn DNSSEC off: remove the DS at the registrar first and wait one parent-zone TTL (commonly 24 to 48 hours for TLDs) before considering it cleared; only then disable signing at the DNS provider. Do not disable signing while the DS is still published; that creates the broken state you are trying to escape.
Warn: missing DNSSEC
DNSSEC is not enabled. Two steps, in this order:
- Enable DNSSEC (zone signing) in your DNS provider's control panel. Most major providers offer this as a single switch. Confirm the zone is actually serving keys before going on: dig DNSKEY yourdomain @<your nameserver> should return at least one DNSKEY record.
- Copy the DS record (or the DNSKEY, if that is what the registrar accepts and derives the DS from) from your DNS provider into the DNSSEC panel at your registrar.
Never do the second step before the first has taken effect: a DS that points at a key the zone does not serve is the broken state described above. Wait one parent-TTL cycle, then re-scan. Some budget registrars and legacy DNS hosts do not support DNSSEC at all. If yours has no DNSSEC option, the realistic fix is moving DNS hosting (or the registrar) to one that does.
Warn: partial DNSSEC
Signatures are visible but the chain does not validate. Usual suspects:
- DS not yet published at the registrar, so the zone is signed locally but the parent has nothing to link to.
- Digest-type or algorithm mismatch between the DS and the published DNSKEY.
- A key rollover left the parent DS pointing at a key that has been retired.
- RRSIGs have expired, either because the signer stopped re-signing or because of clock skew on the signing nameserver.
Run dig DS yourdomain @8.8.8.8 to confirm what the parent publishes and dig DNSKEY yourdomain @<your nameserver> to see what the zone serves; the key tag, algorithm and digest type in the DS must correspond to a DNSKEY the zone currently returns. Then walk the chain in DNSViz to see which link is broken.
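The DS-versus-DNSKEY comparison described in the broken and partial sections above can be done mechanically. The script below is an added example written for this page, not tooling from any DNS provider, registrar or scanner: it recomputes DS records from a zone's DNSKEY RRset exactly as RFC 4034 specifies (owner name in wire form plus the DNSKEY RDATA, hashed with the DS digest algorithm) and compares them with the DS set the parent publishes. The key material and digests it uses are constructed placeholders, not real zone data.

```python
import base64
import hashlib
import struct

# Added example for this page, not the tooling of any DNS provider or registrar.
# It recomputes DS records from a zone's DNSKEY RRset (RFC 4034 section 5.1.4) and
# compares them with the DS set the parent publishes, so the "DS points at a retired
# key", "digest type or algorithm mismatch" and "no DS at all" cases fall out as
# distinct findings. The DNSKEY and digests used below are constructed placeholders,
# not real zone data (a real algorithm 13 public key is 64 bytes long).

DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags (256 ZSK, 257 KSK), protocol 3, algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit fold of the RDATA, even bytes shifted."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key_tag, algorithm, digest_type, HEX digest) for one DNSKEY.
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    h = DIGEST_ALGORITHMS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return key_tag(rdata), rdata[3], digest_type, h.hexdigest().upper()


def check_delegation(owner: str, dnskeys: list, parent_ds: list) -> dict:
    """Classify the delegation from the zone's DNSKEYs and the parent's DS set.

    dnskeys:   [(flags, protocol, algorithm, pubkey_b64), ...] as served by the zone
    parent_ds: [(key_tag, algorithm, digest_type, hex_digest), ...] as served by the parent
    A validator needs only one DS to match one DNSKEY; every DS that matches nothing
    is reported as a problem so the cause of a mismatch is visible.
    """
    if not parent_ds:
        return {"verdict": "missing", "matched": [], "problems": ["no DS at the parent"]}
    by_tag: dict = {}
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        by_tag.setdefault(key_tag(rdata), []).append(rdata)
    matched, problems = [], []
    for ds in parent_ds:
        tag, alg, dtype, digest = ds
        if tag not in by_tag:
            problems.append(f"DS {tag}: no DNSKEY with this key tag (retired key after a rollover?)")
            continue
        if dtype not in DIGEST_ALGORITHMS:
            problems.append(f"DS {tag}: unsupported digest type {dtype}")
            continue
        candidates = [r for r in by_tag[tag] if r[3] == alg]
        if not candidates:
            problems.append(f"DS {tag}: DS says algorithm {alg}, DNSKEY uses {by_tag[tag][0][3]}")
            continue
        if any(make_ds(owner, r, dtype)[3] == digest.upper() for r in candidates):
            matched.append(ds)
        else:
            problems.append(f"DS {tag}: digest does not match any DNSKEY with that tag")
    # "broken" is the page's outage-grade state: a DS exists but nothing it points at
    # is being served, so validating resolvers answer SERVFAIL.
    return {"verdict": "ok" if matched else "broken", "matched": matched, "problems": problems}


if __name__ == "__main__":
    ksk = (257, 3, 13, "AQIDBA==")  # constructed 4-byte placeholder, not a real key
    rdata = dnskey_rdata(*ksk)
    ds = make_ds("example.com.", rdata)
    print("DS computed from DNSKEY:", ds)
    print(check_delegation("example.com.", [ksk], [ds])["verdict"])
    print(check_delegation("example.com.", [ksk], [])["verdict"])
    print(check_delegation("example.com.", [ksk], [(ds[0] + 1,) + ds[1:]])["problems"])
```

To use it against a real domain, collect the DNSKEY RRset with dig +norecurse DNSKEY yourdomain @<your authoritative nameserver> and the parent's DS set with dig DS yourdomain @8.8.8.8, then feed each record's fields into check_delegation as the tuples documented above. A "broken" verdict with a "no DNSKEY with this key tag" problem is the stale-DS-after-rollover case; a digest or algorithm problem on a matching key tag points at the registrar panel having been filled in with the wrong digest type or algorithm.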
Verify the fix
- Run dig +dnssec yourdomain @1.1.1.1. The status should be NOERROR and the flags line in the header should include ad. No ad means the resolver did not validate the answer (the zone is unsigned, or signed but not chained to the parent). If the status is SERVFAIL, repeat the query with +cd (checking disabled): an answer with +cd but SERVFAIL without it confirms a DNSSEC validation failure rather than a nameserver outage.
- DNSViz (dnsviz.net) visualizes every link in the chain and highlights breakage in red.
- Verisign DNSSEC Analyzer (dnssec-analyzer.verisignlabs.com) is a useful second opinion if DNSViz is unclear.
- Re-run the RedScore lookup once the parent-zone TTL has passed.
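The dig checks above can be turned into a repeatable triage. The script below is an added example written for this page, not part of the RedScore scanner or of dig: it reads the header of a plain dig +dnssec run and of the same query with +cd, and maps the pair onto the page's verdicts. The dig outputs it works on are constructed with fake_dig() so it runs offline; the verdict logic assumes the resolver queried is a validating one (1.1.1.1, 8.8.8.8 and Quad9 are).

```python
import re

# Added example, not the page's own tooling. It triages DNSSEC state from two dig
# runs against a validating resolver: a plain "dig +dnssec" and the same query with
# +cd (checking disabled). A validator answers SERVFAIL for a bogus zone but, with
# +cd set, returns whatever the authoritative servers serve, so the pair separates a
# DNSSEC failure from a plain nameserver outage. The dig outputs are constructed by
# fake_dig() below (not real captures); no network access is needed.

STATUS_RE = re.compile(r"->>HEADER<<-.*status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def has_rrsig(output: str) -> bool:
    """True if any record line in the output is an RRSIG (fourth field in dig's format)."""
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[3] == "RRSIG":
            return True
    return False


def parse_dig(output: str) -> dict:
    """Pull status, header flags and whether the answer section carried an RRSIG."""
    status = STATUS_RE.search(output)
    if not status:
        raise ValueError("no dig header in output")
    flags = FLAGS_RE.search(output)
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": has_rrsig(output),
    }


def triage(plain_output: str, cd_output: str) -> str:
    """Map (dig +dnssec, dig +dnssec +cd) results onto the page's verdicts."""
    plain, cd = parse_dig(plain_output), parse_dig(cd_output)
    if plain["status"] == "SERVFAIL":
        if cd["status"] == "NOERROR":
            return "broken"       # resolver only answers once checking is disabled
        return "unreachable"      # fails even with +cd: nameservers down, not DNSSEC
    if plain["status"] != "NOERROR":
        return plain["status"].lower()  # NXDOMAIN, REFUSED, ...
    if "ad" in plain["flags"]:
        return "validated"
    if cd["rrsig"] or plain["rrsig"]:
        return "partial"          # signed answers but no chain to the parent
    return "missing"              # no signatures at all


def fake_dig(status: str, flags: str, signed: bool) -> str:
    """Constructed dig-style output (not a real capture) for offline testing."""
    answers = (2 if signed else 1) if status == "NOERROR" else 0
    body = "example.com.\t300\tIN\tA\t192.0.2.10\n"
    if signed:
        body += ("example.com.\t300\tIN\tRRSIG\tA 13 2 300 20260601000000 "
                 "20260501000000 2068 example.com. c29tZXNpZ25hdHVyZQ==\n")
    return (
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: {answers}, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n;; ANSWER SECTION:\n" + (body if answers else "")
    )


if __name__ == "__main__":
    cases = {
        "broken":    (fake_dig("SERVFAIL", "qr rd ra", False), fake_dig("NOERROR", "qr rd ra cd", True)),
        "validated": (fake_dig("NOERROR", "qr rd ra ad", True), fake_dig("NOERROR", "qr rd ra cd", True)),
        "partial":   (fake_dig("NOERROR", "qr rd ra", True), fake_dig("NOERROR", "qr rd ra cd", True)),
        "missing":   (fake_dig("NOERROR", "qr rd ra", False), fake_dig("NOERROR", "qr rd ra cd", False)),
    }
    for expected, (plain, cd) in cases.items():
        print(f"{expected:10s} -> {triage(plain, cd)}")
```

Against a live domain, capture the two outputs with dig +dnssec yourdomain @1.1.1.1 and dig +dnssec +cd yourdomain @1.1.1.1 and pass them to triage(). The "partial" result also appears when a zone is correctly signed but queried through a resolver that does not validate, which is why the check is pinned to a known validating resolver.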
Common pitfalls
- Switching DNS hosts without first removing the DS at the registrar is the single most common cause of self-inflicted SERVFAIL outages.
- Publishing SHA-1 (digest type 1) DS records alongside SHA-256 (digest type 2). This does not by itself break validation (one matching DS is enough), but SHA-1 DS digests are deprecated and scanners flag them. Only publish type 2.
- Algorithm rollovers done by swapping rather than the double-signature method break the chain mid-rollover.
- Cloudflare-proxied records still require the zone apex to use Cloudflare's nameservers. A third-party CNAME flatten breaks the chain.