DNSSEC config error

god · February 2, 2019, 9:42am

I have multiple domains on my box, and I have configured DNSSEC for all that support it, except for one domain, my only .be domain. I am 100% sure the config is correct and have tried deleting and re-entering the record, trying to use the bulk record format etc. But I still get the following error message:

This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information…

Anyone have any ideas as to a possible fix?

Thanks!

alento · February 2, 2019, 10:00am

How long ago did you make the change? DNSSEC is one thing that does not always update instantly.

god · February 2, 2019, 10:03am

I’ve been trying to configure it over the past 5 days or so. It’s usually being left more than 24hrs between changes. Still no luck.

alento · February 4, 2019, 2:15am

If you’d be willing to provide the .be domain name in PM I could test some things.

Also if you could provide one or more of the domain names that work to establish a base line.

god · February 4, 2019, 3:02am

Thanks alento!

The domain i’m having trouble with is jensz.be

Domains I already have DNSSEC working on include jensz.me, jensz.pw, achlys.ch

alento · February 4, 2019, 4:08am

And to confirm, it is still showing the same error on the status page?

god · February 5, 2019, 4:30am

Yep I still get the error.

alento · February 5, 2019, 11:54am

One of the tools I would like to check with is down for maintenance until next week.

The other tools that I have checked with all show that DNSSEC is enabled and functioning properly.
I am not exactly sure where to go to from here …

just4t · February 5, 2019, 12:15pm

https://viewdns.info/dnssec/?domain=jensz.be

god · February 7, 2019, 7:06am

I’m still seeing the error on the status page, but if other tools are saying that it’s configured correctly I guess i’ll just leave it as is and ignore the error. Thanks for all your help guys!

ridesnow · July 10, 2020, 3:21am

same sitation here:

This domain's DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine's DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information:

but all online DNSSEC testers is all-around green. for 2+ months, so seems like miab dnssec tester doing something wrong?..

https://dnssec-debugger.verisignlabs.com/carve.ru