DNSSEC Validation results and troubleshooting steps

After adding a DNS server monitor, you can validate your DNS responses by enabling Domain Name System Security Extensions (DNSSEC). DNSSEC is a set of protocols that adds an extra layer of security to the DNS lookup and exchange processes by digitally signing data, so you can be assured it is valid. Your DNSKEY records are authenticated via a chain of trust that starts from a set of verified public keys for the DNS root zone. You can enable DNSSEC by moving the toggle button to "Yes" on the DNS Add monitor page.


What if my validation fails?

When DNSSEC validation fails, the DNS monitor's status changes to Trouble. An error message describing the reason for the validation failure is also shown on the details page. Common validation failure messages include:


  1. "The DNS zone <example.com> is not DNSSEC protected."

    Troubleshooting method: Verify whether your DNS zone was configured with DNSSEC or not.

  2. "DNSSEC validation failed. Could not establish a chain of trust to keys for <example.com>. Reason: Did not match a DS to a DNSKEY."

    Troubleshooting method: Verify that the Delegation Signer (DS) record for your domain in the Top-Level Domain (TLD) zone and your zone's public KSK match.

  3. "DNSSEC validation failed. The NSEC/NSEC3 record returned a NODATA response in the DNSSEC protected zone."

    Troubleshooting method: Ensure your zone has DNSSEC signatures (RRSIG).

  4. "DNSSEC validation failed. The resolver query returned an INSECURE response during validation. Reason: No signed NSEC/NSEC3 records found after querying the example.com./DS record in the parent zone."

    Troubleshooting method: Ensure your Top-Level Domain (TLD) has a Delegation Signer (DS) Record for your zone.
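
For message 2, the check between the parent's DS record and your zone's DNSKEY set can be reproduced offline. The following is an added example, not code from the original page or from the monitoring product: it derives the key tag and DS digest from a DNSKEY as defined in RFC 4034 and reports whether a DS fails because no published key carries its key tag or because the digest differs. The function names, the result strings and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for legacy algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Build (key_tag, algorithm, digest_type, hex_digest) from a DNSKEY tuple."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_ds(owner, ds, dnskeys):
    """Compare the parent's DS with the zone's DNSKEY set and say why it fails."""
    tag, alg, dtype, digest = ds
    want = digest.replace(" ", "").upper()
    tag_seen = False
    for key in dnskeys:
        # A DS may only reference a key with the Zone Key flag (0x0100) set.
        if not key[0] & 0x0100 or key[2] != alg:
            continue
        if key_tag(dnskey_rdata(*key)) != tag:
            continue
        tag_seen = True
        if make_ds(owner, key, dtype)[3] == want:
            return "match"
    return "digest-mismatch" if tag_seen else "no-matching-key"

# Constructed sample keys (placeholder bytes, not real key material).
def sample_key(flags, start):
    return (flags, 3, 13, base64.b64encode(bytes(range(start, start + 64))).decode())

OLD_KSK, NEW_KSK, ZSK = sample_key(257, 0), sample_key(257, 1), sample_key(256, 64)
PARENT_DS = make_ds("example.com", OLD_KSK)  # DS still published for the old KSK

if __name__ == "__main__":
    print(check_ds("example.com", PARENT_DS, [OLD_KSK, ZSK]))  # match
    print(check_ds("example.com", PARENT_DS, [NEW_KSK, ZSK]))  # no-matching-key
```

A "no-matching-key" result is what a KSK change without a DS update at the parent looks like; "digest-mismatch" points to a DS that was generated for a different owner name or key.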