DNSSEC SERVFAIL (bogus). Severity: high

DNSSEC Validation Failure (Bogus / DS Mismatch)

A validating resolver returns SERVFAIL because the DNSSEC chain of trust from the parent's DS record to the zone's keys and signatures does not verify, so it classifies the answer as bogus and refuses to return it.

What you see

This site can't be reached
example.com's server IP address could not be found.
ERR_NAME_NOT_RESOLVED  (dig: status: SERVFAIL)

What’s actually happening

The domain looks dead from validating resolvers (1.1.1.1, 8.8.8.8, many ISP resolvers) but resolves fine from one that ignores DNSSEC. 'dig +dnssec example.com @1.1.1.1' returns status: SERVFAIL; adding '+cd' (checking disabled) makes the same query succeed. That split is the signature: the data exists, but the cryptographic chain from the registry's DS record down to the zone's DNSKEY and RRSIG records doesn't add up, so validators refuse to hand it back. Newer resolvers also say why: 1.1.1.1 (and other validators that implement RFC 8914) attach an Extended DNS Error to the SERVFAIL, which recent dig versions print in the OPT pseudosection, for example 'EDE: 9 (DNSKEY Missing)' when the DS matches no served key, 'EDE: 7 (Signature Expired)' for stale RRSIGs, or the generic 'EDE: 6 (DNSSEC Bogus)'.

Common causes

  • Nameservers were moved to a host that doesn't serve DNSSEC (or serves a different key) while the DS record stayed published at the registry
  • A key rollover was done incompletely — the zone is signed with a new DNSKEY but the registry still has the DS for the old, removed key
  • RRSIG signatures expired and weren't re-signed (common with a stalled or broken signing pipeline)
  • The DS record at the registrar has the wrong key tag, algorithm, or digest and never matched the zone's actual key
  • A DS record was published at the registrar while the zone itself is unsigned (the reverse, a signed zone with no DS, is not bogus: validators simply treat the delegation as insecure and the domain still resolves)

How to fix it

  1. Confirm it's DNSSEC, not a normal NXDOMAIN or a dead nameserver: Compare 'dig example.com @1.1.1.1' (status: SERVFAIL) against 'dig +cd example.com @1.1.1.1' (status: NOERROR with an answer). If +cd fixes it, validation is the problem; if the query fails with +cd as well, the nameservers are unreachable or lame and DNSSEC is not the cause. Then compare the two ends of the chain yourself: 'dig DS example.com @a.gtld-servers.net' (for a .com domain; use the parent zone's nameservers for other TLDs) shows the key tag, algorithm and digest the registry holds, and 'dig DNSKEY example.com @<your authoritative nameserver>' shows the keys the zone actually serves. Paste the domain into dnsviz.net or Verisign's DNSSEC debugger to see exactly which link is broken.
  2. If you just moved DNS hosts, remove the DS record: Go to the registrar (where the domain is registered, not the DNS host) and delete the DS / DNSSEC record. This turns the delegation back into an unsigned (insecure) one, so validators stop expecting signatures. Allow the registry's update time plus the DS record's TTL in the parent zone for it to clear; validators also cache a bogus result for a short while, so recovery lags the DS disappearing by a few minutes. Confirm with 'dig DS example.com' returning an empty answer section.
  3. Or re-establish a correct chain at the new host: Enable DNSSEC at the new DNS provider, let it generate its keys, then publish at the registrar the DS for the new key-signing key (the DNSKEY with flags 257), copying the key tag, algorithm and digest type (2 = SHA-256 is the usual choice) and digest exactly as the provider displays them. The DS must correspond to the key that is live in the zone; a DS derived from any other key, or with one field mistyped, is the whole problem.
  4. Fix expired signatures: If RRSIGs are stale, force a re-sign on the authoritative server (or have the managed provider re-sign the zone), and check the signer's clock, since signature validity periods are minted relative to it. Then verify with 'dig +dnssec example.com': each RRSIG carries an expiration and an inception timestamp (YYYYMMDDHHMMSS in UTC, in that order), and the current time must fall inside that window on every validator.
  5. Never half-migrate a signed zone: When changing DNS hosts on a DNSSEC domain, either pull the DS first (then migrate, then sign at the new host and publish its DS) or do a coordinated rollover: publish the new provider's DS alongside the old one at the registrar before switching nameservers, then remove the old DS afterwards (a validator accepts any DS in the set that matches a served key, so both the old and the new zone validate during the switch). Moving nameservers with only the old DS live guarantees this outage.
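The checks in steps 1 to 4 can be replayed offline on records copied from dig output. The script below is an added example, not part of the original article or any provider's tooling: it reproduces the validator's DS to DNSKEY step (RFC 4034 key tag and digest over the owner name plus DNSKEY RDATA), reports which field of the DS disagrees with the served key, checks an RRSIG validity window, and classifies the SERVFAIL / +cd split from step 1. All records in it are constructed for illustration and are not real example.com data; the DNSKEY uses a placeholder public key and the key tags and digests are whatever the code derives from it.

```python
"""Offline DS <-> DNSKEY and RRSIG-window checker (added example, not code from
the original article). Works on records pasted from dig output, so it runs
without network access; every record below is constructed, not real data."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    return f[0], struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))


def ds_from_dnskey(line: str, digest_type: int = 2):
    """The DS the registrar should hold for this DNSKEY: (tag, alg, dtype, hex digest)."""
    owner, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(line: str):
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def check_ds(parent_ds_lines, child_dnskey_lines) -> str:
    """Replay the validator's DS -> DNSKEY step: 'secure' needs one parent DS
    that matches a key the child actually serves, field by field."""
    if not parent_ds_lines:
        return "insecure: no DS at parent (unsigned delegation, not bogus)"
    reasons = []
    for ds_line in parent_ds_lines:
        tag, alg, dtype, digest = parse_ds(ds_line)
        if dtype not in DIGESTS:
            reasons.append(f"DS {tag}: unknown digest type {dtype}")
            continue
        seen = False
        for key_line in child_dnskey_lines:
            ktag, kalg, _, kdigest = ds_from_dnskey(key_line, dtype)
            if ktag != tag:
                continue
            seen = True
            if kalg != alg:
                reasons.append(f"DS {tag}: algorithm {alg} but DNSKEY uses {kalg}")
            elif kdigest != digest:
                reasons.append(f"DS {tag}: digest does not match the served DNSKEY")
            else:
                return "secure"
        if not seen:
            reasons.append(f"DS {tag}: no DNSKEY with that key tag in the zone")
    return "bogus: " + "; ".join(reasons)


def rrsig_window(line: str, now_utc: str) -> str:
    """Check RRSIG expiration/inception (YYYYMMDDHHMMSS UTC) against an ISO date."""
    f = line.split()
    i = f.index("RRSIG")
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(f[i + 5], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[i + 6], fmt).replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    if now < inception:
        return "not yet valid (clock skew or pre-published signature)"
    return "expired" if now > expiration else "valid"


def classify(rcode_plain: str, rcode_cd: str) -> str:
    """Step 1: the SERVFAIL / +cd split that identifies a bogus chain."""
    if rcode_plain == "SERVFAIL" and rcode_cd == "NOERROR":
        return "bogus: data exists, validation fails"
    if rcode_plain == "SERVFAIL":
        return "not DNSSEC: fails even with checking disabled"
    return "resolves: not a validation problem"


# Constructed sample records (not real example.com data): a KSK-flagged (257)
# algorithm-13 DNSKEY with a placeholder 64-byte public key, the DS derived
# from it, a stale DS left over from a previous host, and an RRSIG.
CHILD_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
PARENT_DS_OK = "example.com. 86400 IN DS {} {} {} {}".format(*ds_from_dnskey(CHILD_DNSKEY))
PARENT_DS_STALE = "example.com. 86400 IN DS 12345 13 2 " + "AB" * 32
RRSIG_A = "example.com. 3600 IN RRSIG A 13 2 3600 20240601000000 20240502000000 59409 example.com. c2ln"

if __name__ == "__main__":
    print(classify("SERVFAIL", "NOERROR"))
    print(check_ds([PARENT_DS_OK], [CHILD_DNSKEY]))
    print(check_ds([PARENT_DS_STALE], [CHILD_DNSKEY]))
    print(rrsig_window(RRSIG_A, "2024-07-01"))
```

To use it on a real domain, replace the constructed records with the lines returned by 'dig DS example.com @<parent nameserver>' and 'dig DNSKEY example.com @<authoritative nameserver>' (one record per string, as dig prints them without +multiline). The reason strings map onto the causes above: a key tag with no matching DNSKEY is the stale-DS-after-migration case, a digest mismatch is a mistyped or wrongly derived DS, and an empty DS list is an insecure delegation rather than a bogus one.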

Stop it recurring

Before changing nameservers on a signed domain, remove the DS at the registrar first, wait for the parent's DS TTL to expire, and confirm that 'dig DS example.com' comes back empty. Only then switch nameservers, and re-enable DNSSEC by publishing the new provider's DS once the new zone is signed and being served. Treat any DS change as a deploy step with a check after it, not as a checkbox in the registrar UI.

Related errors