DNSSEC validation results and troubleshooting tips
After adding a DNS server monitor, you can validate your DNS responses by enabling Domain Name System Security Extensions (DNSSEC).
DNSSEC is a set of protocols that adds an extra layer of security to the DNS lookup and exchange processes by digitally signing data so you can be assured it is valid. Your DNSKEY records are authenticated through a chain of trust that starts from a set of verified public keys for the DNS root zone. You can enable DNSSEC by moving the toggle button to "Yes" on the DNS Add monitor page.
What if my validation fails?
When DNSSEC validation fails, the DNS monitor's status changes to Trouble. An error message describing the reason for the validation failure is also shown on the details page. Common validation failure messages include:
- "The DNS zone <example.com> is not DNSSEC protected."
Troubleshooting method: Verify whether your DNS zone is configured with DNSSEC.
- "DNSSEC validation failed. Could not establish a chain of trust to keys for <example.com>. Reason: Did not match a DS to a DNSKEY."
Troubleshooting method: Verify that the Delegation Signer (DS) record for your domain in the Top-Level Domain (TLD) zone matches your zone's public Key Signing Key (KSK).
- "DNSSEC validation failed. The NSEC/NSEC3 record returned a NODATA response in the DNSSEC protected zone."
Troubleshooting method: Ensure that your zone has DNSSEC signatures (RRSIG records).
- "DNSSEC validation failed. The resolver query returned an INSECURE response during validation. Reason: No signed NSEC/NSEC3 records found after querying the example.com./DS record in the parent zone."
Troubleshooting method: Ensure that your Top-Level Domain (TLD) has a Delegation Signer (DS) record for your zone.
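
For the "Did not match a DS to a DNSKEY" message, the check behind the troubleshooting step can be reproduced offline. The following is an added example, not code from the monitoring product: it derives the key tag and DS digest from a DNSKEY as defined in RFC 4034 and compares them with the DS held by the parent zone. The keys are constructed sample bytes, and the function names are hypothetical.

```python
import base64
import hashlib

# DS digest types (RFC 4034, 4509, 6605) mapped to hash constructors.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, ds, dnskeys):
    """Compare one parent-side DS (tag, alg, digest_type, hex) with the zone's DNSKEYs."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False, "unsupported DS digest type %d" % dtype
    tag_seen = False
    for flags, proto, kalg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, kalg, pub)
        if key_tag(rdata) != tag or kalg != alg:
            continue
        tag_seen = True  # tags can collide, so keep looking if the digest differs
        if ds_digest(owner, rdata, dtype) == digest.replace(" ", "").upper():
            return True, "DS matches DNSKEY with key tag %d" % tag
    return False, ("digest differs for key tag %d" if tag_seen else "no DNSKEY with key tag %d") % tag

# Constructed sample data (not real keys): an old and a new KSK for example.com.
ZONE = "example.com."
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
OLD_RDATA = dnskey_rdata(*OLD_KSK)
# DS as the parent zone would publish it for the old KSK (SHA-256, digest type 2).
PARENT_DS = (key_tag(OLD_RDATA), 13, 2, ds_digest(ZONE, OLD_RDATA, 2))

if __name__ == "__main__":
    print(check_ds(ZONE, PARENT_DS, [NEW_KSK]))           # zone rolled its KSK, parent DS is stale
    print(check_ds(ZONE, PARENT_DS, [OLD_KSK, NEW_KSK]))  # old key still published, chain holds
```

With real data, the DS tuple comes from the DS record in the TLD zone and the DNSKEY tuples from your zone's own DNSKEY record set.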