ServerRecords

Help & Troubleshooting

DNSSEC

What this is

DNSSEC adds cryptographic signatures to DNS so resolvers can verify answers were not forged. A healthy deployment needs three things at once: the zone signed (DNSKEY + RRSIG), the parent anchoring it (DS at the registrar), and validation actually succeeding.

How to read your result

The status check reports each layer. "Not enabled" is safe but unprotected. "Signed but no DS" means wasted effort. "Signed + anchored + validated" is the goal. Any mismatch state is effectively an outage on validating resolvers and needs urgent action.

Common problems and how to fix them

Domain SERVFAILs for many users after a DNS change

How it shows up: Works on some networks, dead on others (especially those using 8.8.8.8, 1.1.1.1, or ISP validators). Started right after changing DNS providers, nameservers, or keys.

How to fix it: Almost always a DS/DNSKEY mismatch. Compare the DS at the registrar with the live KSK; fix whichever side is stale. If you need the site up immediately and cannot fix keys, removing the DS record un-signs the domain (losing protection but restoring resolution) once caches expire.

Want DNSSEC but provider or registrar lacks support

How it shows up: No DNSSEC/DS options anywhere in the control panels.

How to fix it: Both sides must cooperate: the DNS provider signs the zone, the registrar publishes the DS. If either cannot, the practical fix is moving that function to a provider that supports it.

Signatures expire recurrently

How it shows up: The domain breaks on validating resolvers every few weeks, then "fixes itself" after intervention.

How to fix it: The re-signing automation is unreliable. If you run your own DNS servers, schedule and monitor automatic re-signing (e.g. with a signing daemon rather than cron-driven manual signing); on managed DNS, escalate to the provider.

Run a look up for this record