DNSSEC Troubleshooting Guide

Troubleshooting DNSSEC Disabling Issues

Question

You are disabling DNSSEC for one of your Cloud DNS-managed zones.

You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone.

You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.

What should you do?

Answer

C.

Explanation

Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.

https://cloud.google.com/dns/docs/dnssec-config

The DS record that validating resolvers rely on does not live in your zone file. It is published in the parent zone (for a public domain, by your registrar) and carries a digest of the key-signing DNSKEY in your zone. Removing DS records from the Cloud DNS managed zone and waiting for caches to expire therefore changes nothing in the parent. Once DNSSEC is disabled for the managed zone, Cloud DNS stops serving DNSKEY records and signatures, but the parent still publishes a DS for the zone, so every validating resolver sees a delegation that claims the zone is signed, finds no matching key or signatures, treats the answers as bogus and returns SERVFAIL. Non-validating resolvers keep working, which is why only DNSSEC-validating resolvers report failures. Useful checks and the fix, in order:

  1. Account for caching of the parent's DS record: the TTL that matters is the one on the DS record in the parent zone, not any TTL in your own zone. A resolver that cached the parent DS before it was withdrawn keeps validating against it until that TTL expires, which for a registry-published DS is typically hours and can be a day or more.

  2. Verify the DNSSEC status of the zone with a tool such as DNSViz or the Verisign Labs DNSSEC Debugger. The tell-tale picture for this problem is a DS in the parent zone with no DNSKEY (and no RRSIGs) in the child.

  3. Check from the resolver side: query a validating resolver with DNSSEC checking enabled and again with checking disabled (the +cd flag in dig). If the name resolves only with checking disabled, the chain of trust is broken rather than the zone data.

  4. Do not expect TTL changes in your own zone to help: lowering TTLs in the managed zone cannot shorten how long resolvers cache the parent's DS, because you do not control the parent zone.

  5. Deactivate DNSSEC at the domain registrar. This removes the DS from the parent zone, and once the old DS has expired from resolver caches the zone is treated as insecure (unsigned but resolvable) instead of bogus. The correct order when turning DNSSEC off is: deactivate DNSSEC at the registrar, wait for the parent's DS TTL to pass, and only then disable DNSSEC on the Cloud DNS managed zone.

Therefore, the correct answer to the question is option C: deactivate DNSSEC at your domain registrar.
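As an added example that is not part of the original page or of Google's documentation, the following Python models the check a validating resolver performs: the DS published by the registrar in the parent zone must match, by key tag, algorithm and SHA-256 digest, a DNSKEY that the child zone actually serves (RFC 4034). It parses DNSKEY and DS records in the presentation format that dig prints, classifies the zone as secure, insecure or bogus, and walks through both orders of disabling DNSSEC to show that disabling signing before withdrawing the DS leaves the zone bogus. The zone name, key bytes and TTLs are constructed for illustration and are not real keys.

```python
"""Added example: DS/DNSKEY chain-of-trust check for a zone whose DNSSEC is being
turned off. Not code from the original page. All records below are constructed."""
import base64
import hashlib
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical lower-case wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> bytes:
    """'owner TTL IN DNSKEY flags proto alg base64...' -> DNSKEY RDATA bytes."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(line: str) -> tuple:
    """'owner TTL IN DS tag alg dtype hex...' -> (tag, alg, dtype, lower-case hex digest)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).lower())


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS RDATA for a DNSKEY: digest over owner name (wire form) + RDATA (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)


def classify_chain(owner: str, parent_ds_lines, child_dnskey_lines) -> str:
    """What a validating resolver concludes for `owner`.

    'insecure': no DS in the parent, so the zone is unsigned and still resolves.
    'secure'  : a parent DS matches one of the child's DNSKEYs.
    'bogus'   : parent DS present but no child DNSKEY matches; validating
                resolvers return SERVFAIL. This is the state of a zone whose
                signing was switched off while the registrar still publishes DS.
    """
    parent_ds = [parse_ds(line) for line in parent_ds_lines]
    if not parent_ds:
        return "insecure"
    child_ds = {ds_from_dnskey(owner, parse_dnskey(line)) for line in child_dnskey_lines}
    return "secure" if any(ds in child_ds for ds in parent_ds) else "bogus"


def disable_sequence(owner, parent_ds_lines, child_dnskey_lines, registrar_first: bool):
    """Chain state after each step, for the two possible orders of disabling DNSSEC.

    Registrar first: withdraw DS, (wait out the parent DS TTL), stop signing. Never bogus.
    Signing first: the orphaned parent DS makes the zone bogus until the DS is withdrawn.
    """
    ds, keys = list(parent_ds_lines), list(child_dnskey_lines)
    steps = [("registrar withdraws DS", "ds"), ("Cloud DNS stops signing", "keys")]
    if not registrar_first:
        steps.reverse()
    trace = []
    for label, what in steps:
        if what == "ds":
            ds = []
        else:
            keys = []
        trace.append((label, classify_chain(owner, ds, keys)))
    return trace


# Constructed sample records: arbitrary key bytes, not real keys.
ZONE = "example.com."
CHILD_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                + base64.b64encode(bytes(range(64))).decode())
OTHER_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                + base64.b64encode(bytes(64)).decode())
_tag, _alg, _dtype, _hex = ds_from_dnskey(ZONE, parse_dnskey(CHILD_DNSKEY))
PARENT_DS = f"example.com. 86400 IN DS {_tag} {_alg} {_dtype} {_hex}"

if __name__ == "__main__":
    for registrar_first in (True, False):
        print("registrar first:" if registrar_first else "signing first: ",
              disable_sequence(ZONE, [PARENT_DS], [CHILD_DNSKEY], registrar_first))
```

To use it against a real zone, capture the parent's view with dig (query the DS for the zone name at a parent-zone or recursive server) and the child's view with a DNSKEY query at the zone's authoritative servers, then feed those lines to classify_chain. A result of "bogus" with an empty DNSKEY answer is exactly the situation in the question: the DS must be withdrawn at the registrar and its TTL allowed to expire.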