Question
My domain resolves on some networks but not on others, and I've ruled out a firewall, network issue, and propagation. What might be causing the problem?
Answer
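A DNSSEC misconfiguration can cause this: resolvers that validate DNSSEC reject answers for a domain whose signatures they cannot verify, while non-validating resolvers still resolve it. Domain owners typically enable DNSSEC at the registrar, and you can check this through one of two command-line methods.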
The first method is whois:
whois domain.tld | egrep -i "DNSSEC|signed"
DNSSEC: signedDelegation
DNSSEC DS Data: 17775 8 2 E{REDACTED}6A
Entries like the above indicate that DNSSEC is enabled at the registrar.
The second method is via the dig command:
dig ds domain.tld +short
17775 8 2 E4{REDACTED} 2D7DD96A
No output would typically indicate that DNSSEC is not enabled.
If either of these checks shows that DNSSEC is enabled, it is most likely enabled at the registrar.
You can also check for the DNS key on the DNS server. cPanel & WHM supports DNSSEC when PowerDNS is in use.
dig domain.tld DNSKEY @10.2.34.14 +short
256 3 8 AwEAA{TRUNCATED}qrfLOz
257 3 8 AwEA{TRUNCATED}M=
If the dig query for the DNSKEY returns an error or no output, then DNSSEC is not set up or is not functioning on the DNS server.
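The DS and DNSKEY checks above can be combined, because a DS record at the registrar only validates if it matches a DNSKEY that the DNS server actually serves. The following Python is an added example, not part of cPanel & WHM; the function names and the sample key are constructed for illustration. It takes the +short output of the two dig commands, recomputes the DS fields from each DNSKEY as RFC 4034 describes, and reports whether the pair lines up.

```python
import base64, hashlib, struct

# DS digest types (RFC 4034, 4509, 6605): 1=SHA-1, 2=SHA-256, 4=SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_dnskey(line):
    """One 'dig DNSKEY +short' line -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = line.split()  # dig may split the base64 with spaces
    header = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return header + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(domain):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = domain.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(domain, dnskey_line, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = parse_dnskey(dnskey_line)
    digest = DIGESTS[digest_type](wire_name(domain) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def diagnose(domain, ds_output, dnskey_output):
    """Classify the +short output of the DS and DNSKEY queries."""
    ds_rows = [l.split() for l in ds_output.splitlines() if l.strip()]
    keys = [l for l in dnskey_output.splitlines() if l.strip()]
    if not ds_rows:
        return "unsigned"   # no DS at the parent: DNSSEC not enabled
    if not keys:
        return "broken"     # DS published, but the server serves no DNSKEY
    for tag, alg, dtype, *hexparts in ds_rows:  # digest hex may contain a space
        want = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
        if want[2] in DIGESTS and any(ds_for(domain, k, want[2]) == want for k in keys):
            return "ok"     # a served key hashes to a published DS
    return "mismatch"       # DS and DNSKEY both exist but none pair up

if __name__ == "__main__":
    key = "257 3 8 AQIDBA=="  # constructed key material, not a real key
    tag, alg, dtype, digest = ds_for("domain.tld", key)
    print(diagnose("domain.tld", f"{tag} {alg} {dtype} {digest}", key))
```

A result of "broken" or "mismatch" is the state in which validating resolvers fail while non-validating ones still resolve the domain.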
Additionally, you can verify whether DNSSEC is enabled and functioning correctly via third-party websites such as this one:
Note that cPanel does not endorse, support, or sponsor any third-party website.
What do I do if DNSSEC is enabled at the registrar, but not on the server that is hosting DNS, or is otherwise not functioning?
If DNSSEC is not set up on the server, you should disable DNSSEC on the domain at the registrar (where the domain was purchased). Alternatively, you can rotate the DNSSEC key.