DNSSEC validation results and troubleshooting tips
After adding a DNS server monitor, you can have the monitor validate the DNS responses it receives by enabling Domain Name System Security Extensions (DNSSEC) validation.
DNSSEC is a set of extensions to DNS that digitally sign zone data, so a resolver can verify that a response is authentic and was not altered in transit (DNSSEC provides integrity and origin authentication, not confidentiality). Signatures are verified against the zone's DNSKEY records, and those keys are in turn authenticated through a chain of trust: each parent zone publishes a Delegation Signer (DS) record that commits to the child zone's key signing key, all the way up to the publicly known trust anchor for the DNS root zone. You can enable DNSSEC by moving the toggle button to "Yes" in the DNS Add monitor page.
What if my validation fails?
When DNSSEC validation fails, the DNS monitor's status changes to Trouble, and an error message describing the reason for the failure is shown on the monitor's details page. Common validation failure messages include:
"The DNS zone <example.com> is not DNSSEC protected."
Troubleshooting method: Verify whether your DNS zone is actually signed, that is, whether it publishes DNSKEY records and RRSIG signatures for its data. If the zone is not signed, either sign it or leave the DNSSEC toggle off for this monitor.
"DNSSEC validation failed. Could not establish a chain of trust to keys for <example.com>. Reason: Did not match a DS to a DNSKEY."
Troubleshooting method: Verify that the Delegation Signer (DS) record published for your domain in the parent (Top-Level Domain, TLD) zone matches your zone's public Key Signing Key (KSK). A DS record carries the key tag, algorithm, digest type and a digest of the KSK's DNSKEY record; all of these must correspond to the DNSKEY your zone currently serves. A DS left over from a previous key (for example after a KSK rollover) or generated for a different owner name will never match.
"DNSSEC validation failed. The NSEC/NSEC3 record returned a NODATA response in the DNSSEC protected zone."
Troubleshooting method: A NODATA response means the name exists but has no records of the requested type; in a signed zone the resolver expects signed NSEC/NSEC3 records proving that. Ensure the record the monitor queries exists in your zone, and that the zone's records, including its NSEC/NSEC3 records, carry valid DNSSEC signatures (RRSIG).
"DNSSEC validation failed. The resolver query returned an INSECURE response during validation. Reason: No signed NSEC/NSEC3 records found after querying the example.com./DS record in the parent zone."
Troubleshooting method: An INSECURE result means the resolver found no DS record for your zone in the parent zone, and no signed NSEC/NSEC3 proof of its absence either, so the chain of trust stops at the delegation. Ensure your Top-Level Domain (TLD) zone publishes a Delegation Signer (DS) record for your zone; the DS is normally submitted through your domain registrar.
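The following is an added example, not part of the original page or of the monitoring product, showing how to perform the check behind "Did not match a DS to a DNSKEY" yourself: it computes a DS record from a DNSKEY (RFC 4034 key tag and digest over the canonical owner name plus DNSKEY RDATA) and compares a DS taken from the parent zone against the DNSKEY RRset the child zone serves. All function names and the DNSKEY/DS values are constructed for illustration; the tiny key "257 3 8 q80=" is not a usable cryptographic key, it only keeps the arithmetic small. The DNSKEY text format ("flags protocol algorithm base64-key") is exactly what dig prints in the RDATA columns of a DNSKEY answer.

```python
import base64
import hashlib
import struct

# DS digest type numbers (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased, length-prefixed labels, root label."""
    stripped = name.rstrip(".")
    labels = stripped.lower().split(".") if stripped else []
    return b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(text: str):
    """'257 3 8 <base64 ...>' -> (flags, protocol, algorithm, rdata bytes).
    dig may split the base64 key across several whitespace-separated chunks."""
    flags, proto, alg, *key_chunks = text.split()
    key_bytes = base64.b64decode("".join(key_chunks))
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + key_bytes
    return int(flags), int(proto), int(alg), rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS RDATA text the parent zone should publish for this DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA)."""
    _, _, alg, rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def check_ds_against_dnskeys(owner: str, ds_text: str, dnskey_texts):
    """Return (ok, reason) for a DS from the parent against the child's DNSKEY RRset.
    Mirrors the 'Did not match a DS to a DNSKEY' failure, with a more specific reason."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    digest = digest.replace(" ", "").upper()
    if dtype not in DIGEST_ALGS:
        return False, f"unsupported DS digest type {dtype}"
    # Key tags are not unique, so examine every DNSKEY whose tag and algorithm match.
    candidates = []
    for text in dnskey_texts:
        flags, _, kalg, rdata = parse_dnskey(text)
        if kalg == alg and key_tag(rdata) == tag:
            candidates.append((flags, rdata))
    if not candidates:
        return False, f"no DNSKEY with algorithm {alg} and key tag {tag} in the zone (stale DS after a rollover?)"
    for flags, rdata in candidates:
        computed = DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
        if computed == digest:
            # Flags bit 0 (value 1) is the SEP bit that marks a KSK; a DS normally points at a KSK.
            note = "" if flags & 1 else " (warning: matched key does not carry the SEP/KSK flag)"
            return True, f"DS matches DNSKEY with key tag {tag}" + note
    return False, f"DNSKEY with key tag {tag} exists but its digest differs (DS generated for another owner name or key?)"


if __name__ == "__main__":
    # Constructed sample data: a toy KSK and ZSK for example.com (not real keys).
    zone = "example.com."
    dnskeys = ["256 3 8 AQID", "257 3 8 q80="]
    ds = ds_from_dnskey(zone, dnskeys[1])
    print("expected DS:", ds)
    print(check_ds_against_dnskeys(zone, ds, dnskeys))
    print(check_ds_against_dnskeys(zone, "12345 8 2 " + ds.split()[3], dnskeys))
```

In practice you would paste the DNSKEY lines from dig example.com DNSKEY and the DS line from dig example.com DS into these functions; BIND's dnssec-dsfromkey tool performs the same computation and can serve as a cross-check. If the reason reported is a missing key tag, the DS in the parent usually predates a KSK rollover; if the tag exists but the digest differs, the DS was generated for the wrong owner name or from a different key.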