Sometimes we run into a DNS replication problem with public DNS resolvers.
This might be because a DNSSEC change was only partially replicated. I ran into an issue where I had disabled DNSSEC but it was only partially replicated to Google DNS, so when querying Google DNS I only received SERVFAIL trying to resolve the domain in question. When looking further into this, I used the "dig" tool available in Linux (nslookup is very limited when it comes to DNSSEC).
We can query the DNSSEC parameters with the following dig command:
dig DS yourdomain.com @8.8.8.8
The DNSSEC protocol consists of two records, DS and DNSKEY. With this query we are able to see the "Delegation Signer" record, which holds a hash of the DNSKEY, as defined in RFC 4034.
If we want to disable DNSSEC but this is only partially replicated, we receive "status: SERVFAIL", and we can tell there is an old DS record that no longer corresponds to our zone's DNSKEY/RRSIG.
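To see for ourselves whether a DS record still matches a DNSKEY, here is an added example (not from the original post) that recomputes the DS digest and key tag from a DNSKEY exactly as RFC 4034 describes, so a stale DS left at the parent shows up as a mismatch. The zone name and the tiny DNSKEY/DS values are constructed for the example and are not real keys; in practice you would paste in the output of "dig DNSKEY yourdomain.com" and "dig DS yourdomain.com @8.8.8.8".

```python
import base64
import hashlib

# Constructed sample zone and DNSKEY; the public key bytes are deliberately
# tiny and not a real cryptographic key.
OWNER = "example.com."
DNSKEY_RR = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of an owner name (lowercase labels, root terminated)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(rr):
    """Parse a DNSKEY record in dig's presentation format into its RDATA."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS record (key tag, algorithm, digest type, hex digest) the parent zone
    should publish for this DNSKEY: digest = H(owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def parse_ds(rr):
    """Parse a DS record in dig's presentation format (digest may be split)."""
    fields = rr.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).lower())

def ds_matches(ds, owner, rdata):
    """True when the parent's DS is the hash of this DNSKEY. False is the
    stale-DS case where a validating resolver answers SERVFAIL for the zone."""
    return ds == make_ds(owner, rdata, ds[2])
```

A DS that fails ds_matches for every DNSKEY the zone currently publishes is the stale delegation described above, and the fix is at the parent (or in the resolver cache), not in the zone itself.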
In this case, you can flush Google’s public DNS cache here:
https://developers.google.com/speed/public-dns/cache
This solved my partially replicated DNSSEC parameters. We can then start fresh without DNSSEC and apply it later.
There is also a web-based tool that is great for troubleshooting DNSSEC: https://dnsviz.net/
We can also use the excellent DNS tools available at dnschecker.org