Support Library
Debugging DNSSEC validation errors
Validating resolvers fail while permissive resolvers succeed.
Problem Statement
Validating resolvers fail while permissive resolvers succeed.
Symptoms
SERVFAIL appears only in DNSSEC-validating environments.
Step-by-Step Diagnosis
Trace DS/DNSKEY chain, inspect signature windows, and verify rollover state.
Commands to Run
dig +trace example.com ; dig example.com DNSKEY ; dig example.com DS @a.gtld-servers.net ; delv example.com
Expected vs Bad Output
Expected is valid trust chain and AD flag; bad output includes stale DS or expired RRSIGs.
Resolution Steps
Publish corrected keys/signatures, update parent DS, and retest after cache expiry.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
- Document the root cause and the final fix in your runbook to shorten future incidents.