Confirming DNSSEC is the Problem
A quick test to confirm that DNSSEC validation, rather than the DNS data itself, is causing your outage. Query a validating public resolver twice: once normally, and once with the +cd (Checking Disabled) flag, which asks the resolver to return the answer without validating it:
# Fails (validating resolver)
dig yourdomain.com @8.8.8.8
# Works (validation disabled)
dig yourdomain.com @8.8.8.8 +cd
If the first command returns status SERVFAIL and the second returns your records with NOERROR, the resolver can fetch your zone but cannot validate it: the chain of trust is broken and DNSSEC is the issue. If both commands fail, the problem lies elsewhere (unreachable name servers, a missing delegation) and removing the DS record will not help.
Emergency Recovery Steps
Remove DS Record at Registrar
Log in to your domain registrar (where you bought the domain). Find the DNSSEC settings and DELETE the DS record. This breaks the chain of trust intentionally: with no DS in the parent zone, validating resolvers treat your zone as unsigned (insecure) instead of bogus, and stop returning SERVFAIL.
Verify DS Removal
Check that the DS record is gone from the parent zone:
dig DS yourdomain.com
The answer section should contain no DS records. Publication in the parent zone may take 10-60 minutes, and validating resolvers keep the old DS cached until its TTL expires, so allow for both before judging whether the fix worked.
Test Your Site
Once the DS is gone, test against a validating resolver:
dig yourdomain.com @8.8.8.8
This should now return NOERROR and your records: with no DS in the parent, validators treat the zone as insecure and no longer reject it. The site is accessible again.
Disable DNSSEC at DNS Provider
After confirming the site is accessible, disable DNSSEC signing at your DNS provider (Cloudflare, Route 53, etc.). A signed zone with no DS still resolves, but leaving it half-configured invites a later mistake (such as re-adding a DS that does not match the keys in the zone); turning signing off gives you a clean, consistent state to re-enable from.
Why This Happened
Common causes of DNSSEC-induced outages:
- Changed DNS providers: the new provider signs with its own keys, but the DS record pointing at the old provider's KSK is still in the parent zone
- Expired signatures: the zone was not re-signed before its RRSIGs expired (typical of self-managed DNSSEC)
- Accidental DS deletion then re-add: the DS was re-added with incorrect values (wrong key tag, algorithm, digest type, or digest)
- Key rollover failure: a KSK rollover did not complete properly, leaving the DS pointing at a key that is no longer in the zone
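Every cause above except expired signatures comes down to the same check: does the DS in the parent zone actually describe a KSK the zone currently serves? The following added example (not code from the original article) performs that check offline, using the key tag and DS digest computations from RFC 4034 (Appendix B and section 5.1.4). The DNSKEY and DS records are constructed samples with dummy public keys, not real keys; in practice you would paste in the output of `dig DNSKEY yourdomain.com +cd` and `dig DS yourdomain.com`. It also prints the DS record that should be at the registrar, which is what you need for the re-enabling steps later on.

```python
import base64
import hashlib

# Constructed sample data (not real keys): the DNSKEY RRset the zone's NEW provider
# serves. Public key bytes are short dummies so the key tags can be checked by hand.
DNSKEY_RECORDS = [
    # owner            TTL  class type   flags proto alg public key (base64)
    "yourdomain.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",   # KSK (flags 257)
    "yourdomain.com. 3600 IN DNSKEY 256 3 13 CQoLDA==",   # ZSK (flags 256)
]

# Constructed: the DS still in the parent zone points at the OLD provider's KSK
# (key tag 4124), which is what happens when you change providers without
# removing the DS first. The digest is a placeholder; the tag mismatch alone is fatal.
STALE_DS = "yourdomain.com. 3600 IN DS 4124 13 2 " + "00" * 32


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags | protocol | algorithm | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 s5.1.4): hash(owner name | DNSKEY RDATA). 2 = SHA-256, 4 = SHA-384."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # type 1 (SHA-1) is deprecated
    if digest_type not in hashes:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return hashes[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def _fields(line, rrtype):
    """Split a presentation-format RR into (owner, fields after the type); the TTL/class are optional."""
    tokens = line.split()
    return tokens[0], tokens[tokens.index(rrtype) + 1:]


def parse_dnskey(line):
    owner, (flags, proto, alg, *key) = _fields(line, "DNSKEY")
    return owner, int(flags), int(proto), int(alg), "".join(key)


def parse_ds(line):
    owner, (tag, alg, dtype, *digest) = _fields(line, "DS")
    return owner, int(tag), int(alg), int(dtype), "".join(digest).upper()


def check_ds(ds_line, dnskey_lines):
    """Return (ok, reason) for one DS record checked against the DNSKEY RRset the zone serves."""
    _owner, tag, alg, dtype, digest = parse_ds(ds_line)
    for line in dnskey_lines:
        k_owner, flags, proto, k_alg, pub = parse_dnskey(line)
        rdata = dnskey_rdata(flags, proto, k_alg, pub)
        if key_tag(rdata) != tag or k_alg != alg:
            continue
        if ds_digest(k_owner, rdata, dtype) == digest:
            return True, f"DS {tag}/{alg}/{dtype} matches a DNSKEY in the zone (flags {flags})"
        return False, f"DS {tag} names a key in the zone but the digest does not match"
    return False, f"no DNSKEY with key tag {tag} and algorithm {alg}: DS is orphaned"


def ds_for(dnskey_line, digest_type=2):
    """The DS record to publish for a DNSKEY, i.e. what the registrar needs once signing is on."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return f"{owner} 3600 IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


if __name__ == "__main__":
    print(check_ds(STALE_DS, DNSKEY_RECORDS))        # orphaned DS: validators answer SERVFAIL
    correct_ds = ds_for(DNSKEY_RECORDS[0])           # DS for the KSK actually in the zone
    print(correct_ds)
    print(check_ds(correct_ds, DNSKEY_RECORDS))      # matches
```

The first result is the "changed DNS providers" failure: the parent says key tag 4124, the zone only has 2068 and 6179, so nothing the zone serves can be chained to the trust anchor. Compare the key tag printed by `ds_for` with the one in the DS your registrar shows; if they differ, that DS is orphaned regardless of what the digest says.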
Prevention Checklist
- Use managed DNSSEC: Cloudflare, Route 53, and similar providers handle signing and key rollovers automatically
- Before changing DNS providers: turn DNSSEC off in the right order: remove the DS at the registrar, wait for its TTL to expire, and only then stop signing at the old provider and move the zone
- Monitor your domain: check the chain of trust regularly with services like DNSViz or DNSimple, and alert on SERVFAIL from a validating resolver so you hear about a break before your users do
- Document current config: keep a record of the published DS values (key tag, algorithm, digest type, digest) and the key tags of the KSKs in the zone
Re-enabling DNSSEC Safely
After fixing the issue, re-enable DNSSEC in this order (the DS must never be published before the zone it points at is fully signed):
- Enable zone signing at the DNS provider
- Wait until the zone is confirmed signed: every authoritative server must be serving the DNSKEY RRset and RRSIGs before a DS exists in the parent
- Get the new DS record values from your provider (key tag, algorithm, digest type, digest)
- Add the DS record at the registrar, copying the values exactly
- Verify with DNSSEC verification tools such as DNSViz, and confirm that the key tag in the published DS matches the KSK in your zone