(SOLVED) DNSSEC and Nameserver glue records issues using External nameserver

I found the threat about NameCheap and DS record throwing errors at DNSSEC. With “The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone’s DNSKEY RRset.”

Solved it by at NameCheap to delete the algorithm 8 DS record.

Rob Oudendijk

Always disable DNSSEC when changing dns records at the Registrant.
Renable it after the propagation and when all is OK, depending on the TTL.

1 Like

I have deleted my DNSSEC key at my registrar, but see that my DNSKEYs are still being returned when I do a DNS check. My registrar says that DNSSEC is disabled. Is that right if DNSKEYs are still being returned?

There is a TTL when making changes at the registrar, in seconds. This is a time to live, i.e. time when it is expected the changes to propagate. Check the value. It might be as much as 1 or 2 days, depending on the DNS provider.