I noticed my domain fails in DNSSEC. Can you fix this?
That was a recent support request from one of our customers at our Technical Support Services for Web hosts.
DNSSEC, aka DNS Security Extensions, adds security to DNS zone records by signing them with digital signatures. And, the DNSSEC chain of trust lets a resolver validate the responses it receives.
Today, we'll see how our Support Engineers set up DNSSEC and fix the common causes of DNSSEC failure.
Why do we need DNSSEC and a chain of trust?
Before going further, let's first understand DNSSEC and its chain of trust in more detail.
On the internet, the Domain Name System, aka DNS, maps domain names to their IP addresses.
When DNS was first introduced, it was not built to answer DNS queries securely. Naturally, DNS servers became a repeated target of hackers. And, the solution to this problem was DNSSEC.
DNSSEC simply adds a layer of trust by adding new record types alongside the existing DNS records.
In this method, the nameserver has a public and private key pair for each zone. When anyone makes a DNS request, the nameserver sends back records signed with its private key, and the recipient can verify those signed records only with the matching public key.
Additionally, each link in the DNSSEC chain of trust is signed by the level above it. Therefore, the digital signatures ensure that the data originates from the authorized servers and not from any hacker.
How to enable DNSSEC for your domain?
We now know the benefits of having DNSSEC. Now, let's see how our Dedicated Engineers set up DNSSEC for a domain.
Basically, DNSSEC records help in validating DNS records.
To enable DNSSEC, we need to add a Delegation Signer (DS) record for the domain. This record provides information about a signed zone file. But, the exact DS records differ depending on the domain name extension. A DS record contains values such as Key Tag, Algorithm, Digest Type and Digest.
For example, a DS record set for a .com domain looks as shown below.
Key Tag: 1xx7
Algorithm: 8 (RSA/SHA-256, 2,048 bits)
Digest Type: 2 (SHA-256)
Digest: 327xxxxxb5727xxxxxx9ba018ae43b50de3
We need to add the DS records to the DNS zone records of the domain. Again, for the DS records to work, the domain must be registered with a registrar that supports DNSSEC. And, when an internet user accesses the domain name in a browser, DNSSEC provides additional validation too.
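As an added illustration (not part of the original post and not the hosting provider's own tooling), the following Python derives the DS fields listed above from a zone's DNSKEY following RFC 4034, so the Key Tag, Algorithm, Digest Type and Digest published at the registrar can be cross-checked against the actual signing key. The domain name and key bytes are constructed placeholders, not a real RSA key.

```python
import hashlib

# Digest types registered for DS records (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the generic computation used by algorithm 8)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Derive the DS record the parent zone (registrar side) must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_ALGORITHMS[digest_type](wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches(published: dict, expected: dict) -> bool:
    """True when the DS seen at the registrar equals the one derived from the zone's KSK."""
    return all(str(published[f]).lower() == str(expected[f]).lower()
               for f in ("key_tag", "algorithm", "digest_type", "digest"))


# Constructed sample KSK, NOT a real RSA key: flags 257 (KSK), protocol 3, algorithm 8.
SAMPLE_KEY = b"\x03\x01\x00\x01\xaa\xbb\xcc\xdd"
EXPECTED_DS = make_ds("example.com.", 257, 3, 8, SAMPLE_KEY)

if __name__ == "__main__":
    print("Key Tag", EXPECTED_DS["key_tag"], "Algorithm", EXPECTED_DS["algorithm"],
          "Digest Type", EXPECTED_DS["digest_type"], "Digest", EXPECTED_DS["digest"])
```

Run it against the zone's real KSK and compare every field with what the registrar shows; a difference in any one of them is the broken chain of trust described in the failure cases below.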
Reasons for DNSSEC failures and fixes
We saw the steps to enable DNSSEC for a domain. Often, customers run into problems while setting up the DNSSEC chain of trust, and this shows up as errors in DNS lookup tools.
Let's now check the top reasons for these failures and how our Support Engineers fix them.
1. Missing DS records
A major reason for DNSSEC chain of trust failure is missing DS records in the zone file. In such cases, a DNS lookup will show errors. For example, a domain with missing DS records shows up as:
Here, to fix the problem, our Dedicated Engineers had to generate the missing DS records and add them to the zone file by contacting the domain's registrar.
2. Propagation time
Similarly, domains can show DNSSEC errors because of propagation delay too. Unfortunately, DNSSEC records do not always update instantly, and during propagation, accessing the domain on the internet can show an error such as:
This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server.
In such cases, our Dedicated Engineers cross-check the DNSSEC zone records and confirm that they are correct. And, we advise the customers to check the domain name again after the propagation time.
In a nutshell, the DNSSEC chain of trust adds security to DNS queries. And, to make it work, we need to add additional DNS records. Today, we saw how our Dedicated Engineers set up DNSSEC records for a domain and fix common errors with it.