I recently had a client transfer their DNSSEC-enabled domain to another registrar. Everything appeared to transfer as expected, but they noticed several global users having DNS resolution issues. This was strange because:

  • According to DNS propagation utilities, the domain appeared to resolve fine for 90% of the world.
  • DNSSEC was not enabled at the web host level, and no DS records were specified in the host’s DNS records.
  • The registrar claimed they were not adding any DS records and were not sure where it was coming from.

I was pulling my hair out over this issue. I was working with 3 different companies, including a web host, a prior domain registrar and an existing domain registrar.

What was the issue? The existing domain registrar WAS, in fact, enabling DNSSEC and adding a DS record to their DNS entries for the domain. It took me a while before I could get hold of a senior tech at the registrar who was able to correct the issue. Once they removed the “bad” DS record, everything began to propagate correctly again.

Moral of the story: If you’re having strange DNS propagation issues, use a site like DNSSEC Analyzer to determine if a DS record is being sent. If one is, either make sure you have DNSSEC enabled at the host, with the correct values, or make sure the registrar removes that record if you don’t want to use DNSSEC at all. Be persistent with the registrar; it might take a senior technician to solve the issue for you.
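The check described above can also be done by hand. The following is an added example, not part of the original post: it derives the DS fields (RFC 4034 key tag and SHA-256 digest) from the DNSKEY records served by the DNS host and compares them with the DS records published at the parent. The domain `example.com`, the key material and the function names are constructed for illustration.

```python
import base64, hashlib, struct

# Constructed sample key material (not a real zone's key).
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def diagnose(owner, parent_ds, child_dnskeys):
    """parent_ds: (tag, alg, digest_type, hex) tuples published via the registrar.
    child_dnskeys: (flags, protocol, alg, pubkey_b64) tuples served by the DNS host."""
    if not parent_ds:
        return "insecure: no DS at the parent, DNSSEC is not in use"
    sha256_ds = {(t, a, d, h.upper()) for t, a, d, h in parent_ds if d == 2}
    if not sha256_ds:
        return "unchecked: only SHA-256 (digest type 2) DS records are compared here"
    expected = {ds_from_dnskey(owner, *k) for k in child_dnskeys}
    if sha256_ds & expected:
        return "secure: a DS at the parent matches a DNSKEY at the host"
    return "broken: DS at the parent matches no DNSKEY, validating resolvers will fail"

if __name__ == "__main__":
    key = (257, 3, 13, SAMPLE_PUBKEY)           # KSK flags, ECDSA P-256 algorithm number
    ds = ds_from_dnskey("example.com", *key)
    print(diagnose("example.com", [ds], []))     # the situation in the post
    print(diagnose("example.com", [ds], [key]))  # DNSSEC enabled with correct values
    print(diagnose("example.com", [], []))       # registrar removed the DS
```

The "broken" result affects only resolvers that validate DNSSEC, which is consistent with a domain that resolves for most users and fails for the rest.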