SERVFAIL DNSSEC Errors Explained

SERVFAIL (RCODE 2) is a DNS response code indicating the server could not produce an answer. When DNSSEC validation fails, a validating resolver returns SERVFAIL instead of the records it could not authenticate, so that spoofed or tampered data never reaches the client. The authoritative data may be perfectly fine; what failed is the resolver's ability to prove it.

Understanding SERVFAIL

SERVFAIL (Server Failure) has multiple causes, but when DNSSEC is involved:

  • The domain's DNSSEC signatures are invalid or expired
  • The chain of trust is broken
  • The resolver cannot verify the response is authentic

Rather than return unverified data, the resolver returns SERVFAIL—effectively treating the domain as unreachable.

Confirming DNSSEC is the Cause

Test with and without DNSSEC validation:

With Validation (Normal)

dig yourdomain.com @8.8.8.8

If this returns SERVFAIL, validation may be failing, but SERVFAIL has other causes too (unreachable or lame authoritative servers, for example), so confirm with the next check before touching DNSSEC. For comparison, a correctly validated answer carries the ad (Authenticated Data) flag in the response header when you add +dnssec to the query.

Without Validation

dig yourdomain.com @8.8.8.8 +cd

The +cd flag sets the CD (Checking Disabled) bit, which asks the resolver to return whatever data it obtained even if validation would fail. If this query returns an answer while the plain query returns SERVFAIL, DNSSEC validation is definitely the issue. If it still returns SERVFAIL, the problem is not DNSSEC: the resolver cannot get an answer from the authoritative servers at all.

Non-Validating Resolver

dig yourdomain.com @ns1.yourdomain.com

Note that 1.0.0.1 is Cloudflare's second resolver address and validates DNSSEC exactly like 1.1.1.1, so it is not a useful control. Query a resolver you know does not validate (many ISP resolvers still don't), or ask one of the zone's own authoritative servers directly as above (ns1.yourdomain.com stands for your nameserver): an authoritative server hands out the zone data without validating it. If the domain answers there but fails on Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1), it's a DNSSEC problem.
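The three queries above can be scripted so the verdict does not depend on eyeballing dig output. The script below is an added example, not code from the original page: it runs dig with and without +cd against one resolver, reads the status and flags from dig's header, and classifies the result (secure, insecure, bogus, or a SERVFAIL that is not DNSSEC-related). The resolver address, the domain name and the sample dig headers in the test are placeholders and constructed data.

```python
"""Triage a SERVFAIL: DNSSEC validation failure or something else?

Runs 'dig <name> @<resolver> +dnssec' twice, the second time with +cd, and
decides from the rcode and the ad flag. Added example; dig must be on PATH.
"""
import re
import subprocess

# dig header lines look like:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+),")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")


def parse_dig_header(output):
    """Return (rcode, set_of_flags). A timeout has no header: ('NORESPONSE', set())."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    rcode = status.group("status") if status else "NORESPONSE"
    flagset = set(flags.group("flags").split()) if flags else set()
    return rcode, flagset


def classify(validating, checking_disabled):
    """validating / checking_disabled: (rcode, flags) from the same resolver,
    queried without and with +cd respectively."""
    v_rcode, v_flags = validating
    cd_rcode, _ = checking_disabled
    if v_rcode == "NOERROR" and "ad" in v_flags:
        return "secure"                    # validated; resolver set the AD bit
    if v_rcode == "NOERROR":
        return "insecure"                  # answered, but no chain of trust (no AD bit)
    if v_rcode == "NXDOMAIN":
        return "nxdomain"                  # name does not exist; not a validation failure
    if v_rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        return "bogus"                     # data exists but does not validate: DNSSEC is the cause
    if v_rcode == "SERVFAIL":
        return "servfail-not-dnssec"       # fails even with CD: lame/unreachable authoritative servers
    return "other:" + v_rcode


def dig(name, resolver, *extra):
    """Run dig and return its text output (assumes the dig binary is installed)."""
    cmd = ["dig", name, "@" + resolver, "+dnssec", "+tries=1", "+time=3", *extra]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def diagnose(name, resolver="8.8.8.8"):
    return classify(parse_dig_header(dig(name, resolver)),
                    parse_dig_header(dig(name, resolver, "+cd")))


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"))
```

Run it as `python3 servfail_triage.py yourdomain.com`; "bogus" is the case the rest of this page is about, and "servfail-not-dnssec" means you should look at delegation and server reachability instead.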

Common SERVFAIL Causes

Expired RRSIG
  Verify:   dig yourdomain.com A +dnssec +cd @8.8.8.8 and compare the RRSIG expiration field (UTC, YYYYMMDDHHMMSS) with the current time; DNSViz flags this too
  Solution: Re-sign the zone, then fix whatever stopped the signer (cron job, signing pipeline, HSM) so the signatures are refreshed before they expire again

Wrong DS record
  Verify:   dig yourdomain.com DS @8.8.8.8 and compare key tag, algorithm and digest with the values computed from your published DNSKEY (dnssec-dsfromkey from BIND computes them from the key file)
  Solution: Update the DS at the registrar so it matches the KSK the zone actually publishes

Missing DNSKEY
  Verify:   dig yourdomain.com DNSKEY +cd @8.8.8.8; the key tag named in the parent's DS must appear in the DNSKEY RRset
  Solution: Republish the key referenced by the DS, or update the DS to point at the key that is published

Algorithm unsupported
  Verify:   Check the algorithm numbers in the DS, DNSKEY and RRSIG records, and the DS digest type; validators treat an unknown algorithm as insecure, but a mix of known and unknown algorithms can still break validation
  Solution: Use a widely supported algorithm such as 13 (ECDSAP256SHA256) or 8 (RSASHA256) with DS digest type 2 (SHA-256)
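The two checks that can be done offline from dig output, the DS-to-DNSKEY comparison and the RRSIG validity window, are implemented below as an added example that is not part of the original page. It follows RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4, RRSIG fields in section 3.1.5); the DNSKEY, DS and RRSIG records it ships with are constructed samples with a fake 4-byte key, not real keys.

```python
"""Offline DNSSEC checks on dig output: does the parent's DS match the child's
DNSKEY, and is an RRSIG inside its validity window? Added example (RFC 4034)."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# DS digest types validators implement: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    rdata = struct.pack("!HBB", int(f[i + 1]), int(f[i + 2]), int(f[i + 3]))
    return f[0], rdata + base64.b64decode("".join(f[i + 4:]))


def parse_ds(line):
    """'owner TTL IN DS keytag alg digesttype hex...' -> (keytag, alg, digesttype, hex)."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower()


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as lowercase hex."""
    return DIGEST[digest_type](wire_name(owner) + rdata).hexdigest()


def check_ds(dnskey_lines, ds_lines):
    """One (ds_tuple, verdict) per DS record, checked against the child's DNSKEY RRset."""
    keys = {}
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        keys[(key_tag(rdata), rdata[3])] = (owner, rdata)   # rdata[3] is the algorithm byte
    verdicts = []
    for line in ds_lines:
        ds = parse_ds(line)
        tag, alg, dtype, digest = ds
        if (tag, alg) not in keys:
            verdicts.append((ds, "no DNSKEY with key tag %d / algorithm %d" % (tag, alg)))
        elif dtype not in DIGEST:
            verdicts.append((ds, "unsupported digest type %d" % dtype))
        else:
            owner, rdata = keys[(tag, alg)]
            ok = ds_digest(owner, rdata, dtype) == digest
            verdicts.append((ds, "match" if ok else "digest mismatch"))
    return verdicts


def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window(rrsig_line, now=None):
    """Fields after 'RRSIG': type covered, alg, labels, original TTL, expiration,
    inception, key tag, signer, signature. now: YYYYMMDDHHMMSS (UTC) or None for now."""
    f = rrsig_line.split()
    i = f.index("RRSIG")
    expiration, inception = _ts(f[i + 5]), _ts(f[i + 6])
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    if now > expiration:
        return "expired: signature expired %s ago" % (now - expiration)
    if now < inception:
        return "not yet valid: inception is %s in the future (check clock skew)" % (inception - now)
    return "valid: expires in %s" % (expiration - now)


# Constructed sample records (not real keys): a 4-byte "public key" keeps the example readable.
DNSKEY_RRSET = ["example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="]
RRSIG_A = "example.com. 3600 IN RRSIG A 13 2 3600 20240131000000 20240101000000 2068 example.com. c2ln"

if __name__ == "__main__":
    owner, rdata = parse_dnskey(DNSKEY_RRSET[0])
    print("key tag", key_tag(rdata), "expected DS digest", ds_digest(owner, rdata, 2))
    stale_ds = "example.com. 86400 IN DS 2068 13 2 " + "00" * 32   # a DS left over from an old key
    for ds, verdict in check_ds(DNSKEY_RRSET, [stale_ds]):
        print(ds[:3], verdict)
    print(rrsig_window(RRSIG_A, now="20240301000000"))
```

Feed it the DNSKEY lines from `dig yourdomain.com DNSKEY +cd` and the DS lines from `dig yourdomain.com DS`; "digest mismatch" or "no DNSKEY with key tag" is the wrong-DS case from the table, and the "not yet valid" branch catches the less obvious failure where a signer's clock runs ahead of the validators'.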

Step-by-Step Resolution

Run DNSViz Analysis

Go to dnsviz.net and analyze your domain. The visualization shows exactly where validation fails.

Identify the Failure Point

Is it the DS record? Expired signatures? Missing DNSKEY? DNSViz highlights the specific issue.

Apply Targeted Fix

See our guides for validation failures or misconfigurations.

Wait for Propagation

DNS changes take time to propagate. How long depends on TTLs: the parent's DS TTL for a DS change, and your own DNSKEY and RRSIG TTLs for a re-signed zone. Validators that cached the bad records keep returning SERVFAIL until those TTLs run out, so allow anywhere from 10 minutes to 48 hours.

Clear Resolver Cache

The SERVFAIL itself is cached only briefly (typically seconds to a few minutes), but the broken DNSKEY, DS or RRSIG records behind it stay cached for their full TTL. Test from several resolvers, or wait for the cache to expire; Google Public DNS and Cloudflare both offer public cache-flush pages for individual names.

Emergency Response

If your site is down and you need immediate resolution:

  1. Remove the DS record at the registrar - this is the fastest fix, because it is the one change that does not depend on your own zone being correct
  2. Wait for the parent zone's DS removal to propagate (check with: dig yourdomain.com DS @8.8.8.8; the answer section should be empty)
  3. Once validators no longer see a DS, the zone is "insecure" (unsigned from their point of view) and SERVFAIL stops; resolvers that still hold the old DS in cache keep failing until its TTL runs out
  4. Fix the underlying DNSSEC issue, confirm with DNSViz, and only then re-publish the DS
Order Matters: Remove the DS before disabling zone signing. A zone that the parent still advertises as signed (DS present) but that serves no signatures is "bogus" to every validator, so reversing the order extends the outage by at least the DS TTL.
