I noticed my domain fails in DNSSEC. Can you fix this?

That was a recent support request from one of our customers at our Technical Support Services for Web hosts.

DNSSEC, aka DNS Security Extensions, secures DNS records using digital signatures. And, the DNSSEC chain of trust is what lets a resolver validate the response it receives.

Today, we’ll see the various reasons for DNSSEC failure and how our Support Engineers fix them.


Why do we need DNSSEC and a chain of trust?

Before checking further, let’s first understand more details on DNSSEC and its chain of trust.

Earlier, when DNS was introduced, it was not built to handle DNS queries securely. Naturally, DNS servers became a repeated target of hackers. And, the solution for this problem was DNSSEC.

DNSSEC simply adds a layer of trust by adding new records to existing DNS records.

In this method, the nameserver holds a public and private key pair for each zone. And, when anyone makes a DNS request, the answer carries records signed with the zone's private key. The recipient then verifies that signature with the matching public key.

Additionally, each link in the DNSSEC chain of trust is signed by the level above it. Therefore, the digital signatures ensure that the data originates from the authorized servers and not from any hacker.


How to enable DNSSEC for your domain?

We now know the benefits of having DNSSEC. Now, let’s see how our Dedicated Engineers enable DNSSEC for any domain.

To enable DNSSEC, we need to add a Delegation Signer (DS) record for the domain at its parent zone. This record identifies the key that signs the zone, so the parent can vouch for it. But, the exact DS values differ depending on the domain name extension. A DS record contains values like Key Tag, Algorithm, Digest Type, Digest, etc.

For example, a DS record set for a .com domain looks as shown below.

Key Tag        1xx7
Algorithm      8 (RSA/SHA-256, 2,048-bit key)
Digest Type    2 (SHA-256)
Digest         327xxxxxb5727xxxxxx9ba018ae43b50de3

Again, for the DS records to work, the domain must be registered with a valid registrar that supports DNSSEC.


Reasons for DNSSEC failures and fixes

We saw the steps to enable DNSSEC for a domain. Often, customers experience problems with the DNSSEC chain of trust, and these show up as errors in DNS lookup tools.

Let’s now check the top reasons for the failures and how our Support Engineers fix them.


1. Missing DS records

A major reason for DNSSEC chain of trust failure is missing DS records. In such cases, a DNS lookup will show errors. For example, a domain with missing DS records shows up as:

Here, to fix the problem, our Dedicated Engineers had to generate the missing DS records and add them by contacting the domain's registrar.


2. Propagation time

Similarly, domains can have DNSSEC errors due to propagation delay. Unfortunately, DNSSEC records do not always update instantly. And, while propagation is in progress, a lookup can show an error such as:

This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server.

In such cases, our Dedicated Engineers cross check the DNSSEC records and confirm that they are correct. And, we educate the customers to check again after the propagation time has passed.
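The cross check above, and the DS fields listed in the section on enabling DNSSEC, come down to one computation: the DS record at the parent must be the hash of the zone's key-signing DNSKEY. The following is an added example (not code from this post) that derives the Key Tag, Algorithm, Digest Type and Digest from a DNSKEY in the presentation form `dig` prints, and compares them with a DS record; the owner name and key material are constructed placeholders, not a real zone's key.

```python
import base64
import hashlib
import struct

# DS Digest Type values (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, each length-prefixed, ending in a zero byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol (1), algorithm (1), key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key Tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """Compute the DS fields for a DNSKEY given in presentation form,
    e.g. '257 3 8 <base64 key>' as printed by dig."""
    flags, protocol, algorithm, *b64 = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm),
                         base64.b64decode("".join(b64)))
    # Digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": int(algorithm),
            "digest_type": digest_type, "digest": digest}

def ds_matches(parent_ds: dict, owner: str, dnskey_text: str) -> bool:
    """True when the DS published at the parent corresponds to this DNSKEY,
    i.e. the chain of trust links up; False means a missing/stale/wrong DS."""
    computed = ds_from_dnskey(owner, dnskey_text, parent_ds["digest_type"])
    return (computed["key_tag"] == parent_ds["key_tag"]
            and computed["algorithm"] == parent_ds["algorithm"]
            and computed["digest"].lower() == parent_ds["digest"].lower())

# Constructed sample: flags 257 marks a key-signing key; the 32 key bytes are placeholders.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY))
```

Run it against the DNSKEY served by the zone's nameservers and the DS returned for the domain by the parent; a mismatch after propagation has completed points at a wrong DS, while a match with errors still present points at propagation or at the zone's own signatures.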




In a nutshell, the DNSSEC chain of trust adds security to DNS queries. And, to make it work, we need to add additional DNS records. Today, we saw how our Dedicated Engineers enable DNSSEC records for a domain and fix common errors with it.

