DNS resolving issues with DNSSEC on Google DNS.

alok.ma...@gmail.com

Apr 18, 2016, 11:15:57 AM
to public-dns-discuss
Domain: alokm.com
Domain in namecheap.com. Custom nameserver to dreamhost.

I had enabled DNSSEC in namecheap portal. Have disabled it now. 


Getting SERVFAIL with DNSSEC on 8.8.8.8 
Ok with +cd.

NOERROR on other nameservers 


http://dnsviz.net/d/alokm.com/dnssec/ shows some errors. No valid RRSIGs etc.


What can be done to resolve the problem?

$ dig @8.8.8.8 alokm.com


; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> @8.8.8.8 alokm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31115
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;alokm.com. IN A


;; Query time: 256 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 18 15:15:35 IST 2016
;; MSG SIZE  rcvd: 38


$ dig @8.8.8.8 alokm.com +cd


; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> @8.8.8.8 alokm.com +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43495
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;alokm.com. IN A


;; ANSWER SECTION:
alokm.com. 14399 IN A 208.113.197.119


;; Query time: 252 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 18 15:16:33 IST 2016
;; MSG SIZE  rcvd: 54

$ dig alokm.com @4.2.2.1


; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> alokm.com @4.2.2.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;alokm.com. IN A


;; ANSWER SECTION:
alokm.com. 14400 IN A 208.113.197.119


;; Query time: 288 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Mon Apr 18 15:12:12 IST 2016
;; MSG SIZE  rcvd: 54



$ dig alokm.com @208.67.222.222


; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> alokm.com @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;alokm.com. IN A


;; ANSWER SECTION:
alokm.com. 9332 IN A 208.113.197.119


;; Query time: 88 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Apr 18 15:12:25 IST 2016
;; MSG SIZE  rcvd: 54



Shen Wan

Apr 18, 2016, 11:39:44 AM
to public-dns-discuss, alok.ma...@gmail.com
This is because the domain fails DNSSEC validation. Please enter your domain at dnsviz.net for an explanation: http://dnsviz.net/d/alokm.com/dnssec/.
...

Shen Wan

Apr 18, 2016, 11:41:02 AM
to public-dns-discuss, alok.ma...@gmail.com
"DNSSEC failure often happens after a zone has switched from a hosting service that supports DNSSEC to one that does not support DNSSEC. If the previous hosting service did not remove the DS records from the parent zone (.com for example.com), and the new hosting service is unable to add the DNSKEY records to the child zone (example.com), Google Public DNS cannot validate the zone and returns SERVFAIL. The solution is to ask the previous hosting service to remove those obsolete DS records."

On Monday, April 18, 2016 at 11:15:57 AM UTC-4, alok.ma...@gmail.com wrote:
...
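
Added example, not part of the thread or of any poster's message: a Python sketch of the triage described above. It reads the SERVFAIL / `+cd` pair from dig output, then compares DS key tags from the parent with key tags computed from the child's DNSKEY records. The function names are hypothetical, the header lines are the ones posted in the thread, and the DS and DNSKEY values are constructed (the thread does not show the real ones).

```python
import base64
import re

def dig_status(output):
    """Return (rcode, header flags) parsed from dig's ->>HEADER<<- lines."""
    rcode = re.search(r"status: (\w+)", output).group(1)
    flags = re.search(r"flags: ([a-z ]*);", output).group(1).split()
    return rcode, flags

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def diagnose(plain, with_cd, ds_short, dnskey_short):
    """plain/with_cd: full dig replies; ds_short/dnskey_short: `dig +short` text."""
    (rc, _), (rc_cd, flags_cd) = dig_status(plain), dig_status(with_cd)
    # SERVFAIL that turns into NOERROR once checking is disabled (+cd)
    # points at validation, not at an unreachable authoritative server.
    if not (rc == "SERVFAIL" and rc_cd == "NOERROR" and "cd" in flags_cd):
        return "no DNSSEC validation failure indicated", []
    ds_tags = [int(l.split()[0]) for l in ds_short.splitlines() if l.strip()]
    if not ds_tags:
        return "no DS at parent: look elsewhere for the failure", []
    child_tags = set()
    for line in dnskey_short.splitlines():
        if line.strip():
            f, p, a, *key = line.split()
            child_tags.add(key_tag(int(f), int(p), int(a), "".join(key)))
    # Tag match is a quick filter only; a validator also checks the DS digest.
    orphaned = [t for t in ds_tags if t not in child_tags]
    if orphaned:
        return "stale DS at parent: have it removed via the registrar", orphaned
    return "DS matches a DNSKEY: inspect RRSIGs instead", []

# Header lines as posted in the thread.
PLAIN = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31115\n"
         ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
WITH_CD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43495\n"
           ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
# Constructed values: a DS left at the parent, and a child zone with no DNSKEY.
SAMPLE_DS = "4242 8 2 CONSTRUCTED-DIGEST-PLACEHOLDER\n"
SAMPLE_DNSKEY = ""

if __name__ == "__main__":
    print(diagnose(PLAIN, WITH_CD, SAMPLE_DS, SAMPLE_DNSKEY))
```

Against a live zone, the two short inputs would come from `dig +short DS <zone>` and `dig +short DNSKEY <zone> +cd`.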