DNSSEC failures often appear as SERVFAIL from validating resolvers. The dig tool helps compare the DS records, the DNSKEY records, and the signed answers.

Commands to use

dig example.com DS
dig example.com DNSKEY
dig example.com A +dnssec

Checklist

  1. Check DS at the parent zone.
  2. Check DNSKEY at the child zone.
  3. Compare the answer from a validating resolver with the answer from a non-validating resolver or from an authoritative server.
  4. Be careful during key rollovers and DNS provider migrations.
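
Added example (not part of the original page): a Python sketch of checklist steps 1, 2 and 4 that recomputes the key tag and DS digest from each DNSKEY as defined in RFC 4034 and labels every parent DS as matching or stale. The function names are hypothetical, the input is assumed to be in the format printed by dig +short for DS and DNSKEY, and the sample keys are constructed byte patterns, not real keys.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def owner_wire(name):
    """Zone name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(line):
    """'257 3 13 <base64>' (dig +short ZONE DNSKEY) -> RDATA bytes."""
    flags, proto, alg, *b64 = line.split()
    head = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return head + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_for(zone, rdata, digest_type=2):
    """DS line ('tag alg digest-type HEX') the parent should hold for this DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_delegation(zone, ds_lines, dnskey_lines):
    """Label each parent DS: 'match', 'digest mismatch', 'no DNSKEY with this tag'."""
    keys = [dnskey_rdata(l) for l in dnskey_lines]
    report = {}
    for line in ds_lines:
        tag, alg, dtype, *hexparts = line.split()
        want = "".join(hexparts).upper()  # dig may split long digests with a space
        cands = [k for k in keys if key_tag(k) == int(tag) and k[3] == int(alg)]
        if not cands:
            report[line] = "no DNSKEY with this tag"
        elif any(ds_for(zone, k, int(dtype)).split()[3] == want for k in cands):
            report[line] = "match"
        else:
            report[line] = "digest mismatch"
    return report

# Constructed sample data: byte patterns standing in for dig output, not real keys.
OLD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
NEW_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()
STALE_DS = ds_for("example.com", dnskey_rdata(OLD_KSK))  # parent still lists old key

if __name__ == "__main__":
    print(check_delegation("example.com", [STALE_DS], [NEW_KSK]))
    print(check_delegation("example.com", [STALE_DS], [OLD_KSK, NEW_KSK]))
```

A DS labelled "no DNSKEY with this tag" is the typical state after a key rollover or provider migration in which the parent was not updated; validating resolvers then return SERVFAIL for the zone.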

How to use the result

The DNS answer should be compared with the intended source of truth: registrar delegation, DNS provider zone, hosting target, email provider instructions, certificate authority challenge, or internal network documentation. If they do not match, fix the source record before troubleshooting higher layers.