DNSSEC validation failures usually surface as SERVFAIL from validating resolvers. dig lets you compare the DS records at the parent, the DNSKEY records at the child, and the signed answer itself.
Commands to use
dig example.com DS
dig example.com DNSKEY
dig example.com A +dnssec
Checklist
- Check DS at the parent zone.
- Check DNSKEY at the child zone.
- Compare a validating resolver with a non-validating or authoritative check.
- Be careful during key rollovers and DNS provider migrations.
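The DS-versus-DNSKEY comparison from the checklist above, as an added example that is not part of the original note: it derives the DS record from a DNSKEY in the presentation form dig prints (RFC 4034, section 5.1.4, plus the Appendix B key tag) and checks whether any DS returned by the parent matches. The DNSKEY and owner name below are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY for example.com (not a real key):
# flags=257 (KSK), protocol=3, algorithm=8 (RSASHA256), 4-byte dummy public key.
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(b"\x01\x02\x03\x04").decode()

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(dnskey_text: str) -> bytes:
    """Parse 'flags protocol algorithm base64key' (as printed by dig) into RDATA."""
    flags, protocol, algorithm, key_b64 = dnskey_text.split(None, 3)
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (ones-complement style 16-bit sum over RDATA)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (the ones registered for DS).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS presentation form computed from a child DNSKEY: digest(owner_wire | RDATA)."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def normalize_ds(ds_text: str):
    """Parse a DS record; hex digest may be split across whitespace in dig output."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    return (int(tag), int(alg), int(dtype), "".join(digest.split()).upper())

def ds_matches(owner: str, dnskey_text: str, parent_ds_records) -> bool:
    """True if any DS record from the parent zone matches the child's DNSKEY."""
    for ds in parent_ds_records:
        tag, alg, dtype, digest = normalize_ds(ds)
        if dtype not in DIGEST_ALGS:
            continue  # unknown digest type: cannot verify, do not count as a match
        if normalize_ds(ds_from_dnskey(owner, dnskey_text, dtype)) == (tag, alg, dtype, digest):
            return True
    return False
```

Paste the DNSKEY line from `dig example.com DNSKEY` and the DS lines from the parent into these functions; a result of False for every KSK means the delegation does not match the child's keys, which is exactly the state a validating resolver reports as SERVFAIL.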
How to use the result
Compare the DNS answer with the intended source of truth: the registrar's delegation, the DNS provider's zone, the hosting target, the email provider's instructions, the certificate authority's challenge, or internal network documentation. If they do not match, fix the source record before troubleshooting higher layers.