DNSSEC Validation results and troubleshooting steps

DNSSEC validation results and troubleshooting tips

After adding a DNS server monitor, you can validate your DNS responses by enabling Domain Name System Security Extensions (DNSSEC). DNSSEC is a set of protocols that add an extra layer of security to the DNS lookup and exchange processes by digitally signing data so you can be assured it is valid. Your DNSKEY records are authenticated via a chain of trust with a set of verified public keys for the DNS root zone. You can enable DNSSEC by moving the toggle button to "Yes" in the DNS Add monitor page.


What if my validation fails?

When the DNSSEC validation fails, the DNS monitor's status turns to Trouble alert. A relevant error message describing the reason for validation failure is also shown in the details page. Common Validation failure messages include:


  1. "The DNS zone <example.com> is not DNSSEC protected."

    Troubleshooting method
    : Verify whether your DNS zone was configured with DNSSEC or not.

  2. "DNSSEC validation failed. Could not establish a chain of trust to keys for <example.com>. Reason: Did not match a DS to a DNSKEY."

    Troubleshooting method: Verify the Delegation Signer (DS) Record for your domain in Top-Level Domain (TLD) and your zone Public KSK are same.

  3. "DNSSEC validation failed. The NSEC/NSEC3 record returned a NODATA response in the DNSSEC protected zone."

    Troubleshooting method: Ensure your zone has DNSSEC signature (RRSig).

  4. "DNSSEC validation failed. The resolver query returned an INSECURE response during validation. Reason: No signed NSEC/NSEC3 records found after querying the example.com./DS record in the parent zone."

    Troubleshooting method: Ensure your Top-Level Domain (TLD) has a Delegation Signer (DS) Record for your zone.
Related reading:

    • Related Articles

    • Validate the DNS results

      After adding a DNS Server , you can validate the DNS Server results to ensure they are correct. How it works? DNS server monitoring is performed such that we do the lookup only in the DNS server configured. We do not do a retry from multiple ...
    • Troubleshooting steps for On-Premise Poller

      Prerequisites and basic details: Prerequisites for installing On-Premise Poller Necessary ports to allow access to the installed On-Premise Poller How secure is On-Premise Poller Amount of bandwidth consumed by the On-Premise Poller software Adding ...
    • Troubleshooting tip for the error message "DNS server refuses to perform the update"

      It is essential to enter the DNS Host Name while adding a DNS Server. This error occurs if the configured DNS hostname is faulty. Reason for the error to occur: This error is caused because we have received "REFUSED" as response from the DNS server. ...
    • How to add Domain Verification Key in your DNS TXT record?

      In order to safeguard your StatusIQ subdomain from being misused, you're required to confirm your domain ownership. StatusIQ provides you a unique domain verification key to validate the ownership of your status page domain. You're required to enter ...
    • Basic troubleshooting tips for APM Insight Java agent

      Even after the agent parameters are in place, if the APM Insight instance is not shown in the Site24x7 console, please check for the following conditions: Check whether the correct license key is provided in apminsight.conf file Check whether the ...