DNSSEC validation results and troubleshooting tips
After adding a DNS server monitor, you can validate your DNS responses by enabling Domain Name System Security Extensions (DNSSEC). DNSSEC is a set of protocol extensions that adds a layer of security to DNS lookups by digitally signing the data, so you can be assured it is valid. Your DNSKEY records are authenticated through a chain of trust that leads to a set of verified public keys for the DNS root zone. You can enable DNSSEC by moving the toggle button to "Yes" on the DNS Add monitor page.
What if my validation fails?
When DNSSEC validation fails, the DNS monitor's status changes to Trouble. An error message describing the reason for the failure is shown on the details page. Common validation failure messages include:
- "The DNS zone <example.com> is not DNSSEC protected."
Troubleshooting method: Verify whether your DNS zone is configured with DNSSEC.
- "DNSSEC validation failed. Could not establish a chain of trust to keys for <example.com>. Reason: Did not match a DS to a DNSKEY."
Troubleshooting method: Verify that the Delegation Signer (DS) record for your domain in the Top-Level Domain (TLD) zone matches your zone's public Key Signing Key (KSK).
- "DNSSEC validation failed. The NSEC/NSEC3 record returned a NODATA response in the DNSSEC protected zone."
Troubleshooting method: Ensure your zone has DNSSEC signatures (RRSIG records).
- "DNSSEC validation failed. The resolver query returned an INSECURE response during validation. Reason: No signed NSEC/NSEC3 records found after querying the example.com./DS record in the parent zone."
Troubleshooting method: Ensure your Top-Level Domain (TLD) has a Delegation Signer (DS) record for your zone.
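For the "Did not match a DS to a DNSKEY" failure, the DS-to-KSK comparison can be done by recomputing the DS from each DNSKEY the zone serves, using the key tag and digest rules in RFC 4034. The following Python is an added example, not Site24x7 code; the helper names, the placeholder key bytes and the example.com rollover scenario are constructed for illustration.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(owner):
    """Owner name in canonical (lowercase) DNS wire format."""
    parts = [p for p in owner.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Return the DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_ds(owner, ds, dnskeys):
    """Explain whether a parent-side DS matches any DNSKEY published by the zone."""
    tag, alg, digest_type, digest = ds
    candidates = [k for k in dnskeys if key_tag(dnskey_rdata(*k)) == tag and k[2] == alg]
    if not candidates:
        return "no DNSKEY with this key tag/algorithm (stale DS or key removed)"
    for k in candidates:
        if make_ds(owner, k, digest_type)[3] == digest.replace(" ", "").upper():
            return "match" if k[0] & 1 else "match, but key lacks the SEP (KSK) flag"
    return "key tag found but digest differs (wrong key or corrupted DS)"

# Constructed sample data: placeholder key bytes, not real keys (algorithm 13).
def _key(flags, first_byte):
    return (flags, 3, 13, base64.b64encode(bytes(range(first_byte, first_byte + 64))).decode())

OLD_KSK, NEW_KSK, ZSK = _key(257, 0), _key(257, 1), _key(256, 100)
PARENT_DS = make_ds("example.com.", OLD_KSK)  # assumed: what the TLD still publishes

if __name__ == "__main__":
    print(check_ds("example.com.", PARENT_DS, [OLD_KSK, ZSK]))  # DS and KSK agree
    print(check_ds("example.com.", PARENT_DS, [NEW_KSK, ZSK]))  # KSK rolled, DS not updated
```

With real data, pass the DNSKEY fields returned for your zone and the DS fields returned by the parent zone in place of the constructed values.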