Severity: Critical | Category: DNSSEC

Fix: DNSSEC Validation Failed

DNSSEC validation is failing for your domain. The chain of trust from the root zone to your domain is broken, which can cause DNS resolution failures for DNSSEC-validating resolvers.

Quick Fix

Verify your DS records match your DNSKEY records, or contact your DNS provider to fix the DNSSEC chain.

What This Error Means

DNSSEC adds cryptographic signatures to DNS records. When validation fails, it means the signatures do not verify correctly — typically because the DS record at the parent zone does not match the DNSKEY in your zone, or the signatures have expired.

Why It Matters

DNSSEC validation failure is worse than not having DNSSEC at all. Validating resolvers return SERVFAIL, making your domain completely unresolvable for those users. Your website, email, and all DNS-dependent services become unreachable.

Step-by-Step Fix

1. Check the DS record at your registrar

The DS record at the parent zone must match the DNSKEY in your zone.

Example
# Check DS records at the parent:
dig DS yourdomain.com +short

# Check DNSKEY in your zone:
dig DNSKEY yourdomain.com +short

2. Verify the chain of trust

Use a DNSSEC debugging tool to trace the chain of trust from root to your domain.

Example
# Use delv (DNSSEC lookup utility); +rtrace prints each step of the
# resolution and validation so the broken link is visible:
delv yourdomain.com A +rtrace

# Or use dig with DNSSEC. +cd (checking disabled) makes the resolver
# return the records and their RRSIGs even when validation fails, so
# you can inspect them; the same query without +cd would just SERVFAIL:
dig yourdomain.com A +dnssec +cd

3. Ensure DNSKEY and DS records match

Generate the expected DS record from your current DNSKEY and compare with what is published at the registrar.

Example
# Generate DS from DNSKEY (dnssec-dsfromkey needs full RR lines with
# owner names, so no +short here; -f - reads them from stdin and -2
# selects a SHA-256 digest):
dig DNSKEY yourdomain.com | dnssec-dsfromkey -f - -2 yourdomain.com

# Compare with published DS:
dig DS yourdomain.com +short
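The comparison in steps 1 and 3 is mechanical: a DS record is the key tag, algorithm, digest type and a hash of the owner name (in wire format) concatenated with the DNSKEY RDATA. The following Python script, added here as an illustration and not part of this guide's tooling, recomputes the expected DS from a DNSKEY line in dig's presentation format and reports which published DS records actually authenticate it. The DNSKEY and DS lines are constructed samples (the public key is four placeholder bytes, not a real key), and only digest types 1, 2 and 4 are handled.

```python
import base64
import hashlib

# Constructed sample DNSKEY in the presentation format dig prints. It is not a
# real key: the public key is the four bytes 01 02 03 04 ("AQIDBA==") so the
# key tag can be checked by hand (it works out to 2068).
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

# DS digest types (RFC 4509, RFC 6605); type 3 (GOST) is deliberately omitted.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased as RFC 4034 canonical form requires."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str):
    """Split 'owner TTL IN DNSKEY flags proto alg base64...' into (owner, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split across fields
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int = 2):
    """(key tag, algorithm, digest type, hex digest) of the DS that authenticates this key."""
    owner, rdata = parse_dnskey(line)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(line: str):
    """Split 'owner TTL IN DS tag alg dtype hex...' into (tag, alg, dtype, hex digest)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True when the published DS authenticates this DNSKEY (tag, algorithm and digest all agree)."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_ALGS:
        return False
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)


def check_chain(dnskey_lines, ds_lines):
    """For each published DS, whether any of the zone's DNSKEYs matches it."""
    return {ds: any(ds_matches(k, ds) for k in dnskey_lines) for ds in ds_lines}


# Constructed "published at the registrar" DS set: one record derived from
# SAMPLE_DNSKEY, one stale record whose key tag and digest match nothing
# (the leftover-from-a-previous-provider case).
_tag, _alg, _dtype, _digest = ds_from_dnskey(SAMPLE_DNSKEY)
PUBLISHED_DS = [
    f"example.com. 86400 IN DS {_tag} {_alg} {_dtype} {_digest}",
    "example.com. 86400 IN DS 12345 13 2 " + "00" * 32,
]

if __name__ == "__main__":
    for ds, ok in check_chain([SAMPLE_DNSKEY], PUBLISHED_DS).items():
        print("OK   " if ok else "STALE", ds)
```

To use it against a live zone, feed the lines from `dig DNSKEY yourdomain.com` and `dig DS yourdomain.com` into `check_chain`. A DS that matches none of the DNSKEYs is exactly the broken link the step above is hunting for; note that only KSKs (flags 257) normally have a DS, so ZSK lines without a match are expected.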

4. Fix the mismatch

If the DS records do not match, update them at your registrar. If signatures have expired, contact your DNS provider to re-sign the zone.

5. Test validation

Confirm DNSSEC validation succeeds after the fix.

Example
# Test with a validating resolver:
dig @8.8.8.8 yourdomain.com A +dnssec
# Look for the "ad" (authenticated data) flag
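Reading the dig output in steps 2 and 5 means checking three things: the response status (SERVFAIL is the validation failure users see), the header flags (ad means validated, cd means you asked for unvalidated data), and the RRSIG validity window (expired or not-yet-valid signatures are the "provider stopped re-signing" case). The script below is an added example, not part of this guide's tooling; it parses constructed dig output (the addresses, ids and signature bytes are made up) and returns a verdict plus signature-lifetime warnings. The current time is passed in RRSIG timestamp format so the check is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed dig output in the shape `dig @resolver example.com A +dnssec`
# prints. Not captured from a real query: TTLs, ids and the signature are made up.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20240301000000 20240201000000 2068 example.com. c29tZXNpZ25hdHVyZQ==
"""

# Constructed: what a validating resolver returns when the chain is broken.
SERVFAIL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: the same zone queried with +cd, so data comes back unvalidated.
CD_OUTPUT = SAMPLE_DIG_OUTPUT.replace("qr rd ra ad;", "qr rd ra cd;")

SIG_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception format (UTC)


def parse_header(text: str):
    """Return (status, set of header flags) from dig's header lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    return (status.group(1) if status else "UNKNOWN",
            set(flags.group(1).split()) if flags else set())


def parse_rrsigs(text: str):
    """Pull the RRSIG records out of the answer section."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[3] == "RRSIG":
            sigs.append({
                "covers": f[4], "algorithm": int(f[5]), "key_tag": int(f[10]),
                "expiration": datetime.strptime(f[8], SIG_TIME).replace(tzinfo=timezone.utc),
                "inception": datetime.strptime(f[9], SIG_TIME).replace(tzinfo=timezone.utc),
                "signer": f[11],
            })
    return sigs


def assess(text: str, now: str, warn_days: int = 3):
    """Classify a dig +dnssec reply and flag signature-lifetime problems.

    `now` is given in RRSIG timestamp format (YYYYMMDDHHMMSS, UTC) so results
    are reproducible; verdict is one of validated / servfail /
    checking-disabled / not-validated.
    """
    status, flags = parse_header(text)
    if status == "SERVFAIL":
        verdict = "servfail"            # resolver refused to answer: validation failed
    elif "ad" in flags:
        verdict = "validated"           # authenticated data: chain of trust verified
    elif "cd" in flags:
        verdict = "checking-disabled"   # you asked for unvalidated data (+cd)
    else:
        verdict = "not-validated"       # unsigned zone or non-validating resolver

    now_dt = datetime.strptime(now, SIG_TIME).replace(tzinfo=timezone.utc)
    warnings = []
    for sig in parse_rrsigs(text):
        if sig["expiration"] <= now_dt:
            warnings.append(f"RRSIG over {sig['covers']} expired {sig['expiration']:%Y-%m-%d}")
        elif sig["expiration"] - now_dt <= timedelta(days=warn_days):
            warnings.append(f"RRSIG over {sig['covers']} expires within {warn_days} days")
        if sig["inception"] > now_dt:
            warnings.append(f"RRSIG over {sig['covers']} not yet valid")
    return verdict, warnings


if __name__ == "__main__":
    for label, out in (("normal", SAMPLE_DIG_OUTPUT), ("broken", SERVFAIL_OUTPUT), ("+cd", CD_OUTPUT)):
        print(label, assess(out, "20240215000000"))
```

In practice you would pipe real dig output into `assess` with the current UTC time; a "servfail" verdict from a validating resolver together with a "checking-disabled" verdict carrying an "expired" warning from the same query with +cd is the signature of a zone the provider stopped re-signing, while "servfail" with clean signatures points at the DS/DNSKEY mismatch covered in steps 1 to 4.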

Common Gotchas

  • If you recently migrated DNS providers, the old DS records may still be at the registrar. Update them to match the new provider's DNSKEY.
  • DNSSEC signatures expire. If your DNS provider stops re-signing your zone, validation will fail even if the DS/DNSKEY match.
  • Removing DS records from the registrar disables DNSSEC. This is sometimes the fastest emergency fix, but allow 24-48 hours for caches to clear.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Should I just disable DNSSEC if validation is failing?

Removing DS records is a valid emergency fix to restore resolution. However, if you want DNSSEC security benefits, fix the validation chain instead. Allow 24-48 hours for caches to clear after removing DS records.

What is the chain of trust in DNSSEC?

The chain goes from the DNS root zone to the TLD (.com, .org) to your domain. At each level, a DS record authenticates the DNSKEY in the child zone. If any link is broken, validation fails.

How does DNSSEC failure affect email?

Validating resolvers cannot look up your MX, SPF, or DKIM records. Email delivery to and from your domain can fail for senders/receivers using those resolvers.
