
AWS Instances Failing with DNSSEC Resolution Error - Need Help!

0

Hello everyone,

I’m currently experiencing an issue with my AWS servers failing during DNS tests with DNSSEC enabled.

Here’s what I’ve done so far:

Enabling DNSSEC:

Running delv:

  • I ran the delv command from the machine to test the DNSSEC validation.
  • Command I used: delv -4 -t a internetsociety.org +cd +mtrace +vtrace

Broken Trust Chain:

  • After running the delv command, I received an error indicating a broken trust chain.

Error Observed

tcpdump Capture:

  • To further investigate, I took a tcpdump capture. From the capture, it appears that the resolver (mention the IP of the resolver here) is not capable of running DNSSEC queries.

Error Observed

Despite these steps, I’m still facing issues. I’m not sure what I’m missing here. Has anyone encountered a similar issue or does anyone have any suggestions on what I could try next?

Thanks, Sunil Kumar S

asked 2 years ago · 554 views
1 Answer
0

Verify DNSSEC is enabled correctly in Route 53:

  • Make sure you followed all the steps to enable DNSSEC signing for your hosted zone, including creating a key-signing key (KSK) and establishing a chain of trust.
  • Check that the status of the KSK is "Enabled" and there are no "Action needed" or "Internal failure" errors.

Confirm the chain of trust is set up properly:

  • After enabling DNSSEC, you need to create a DS record in the parent zone with the information Route 53 provides. This establishes the chain of trust.
  • Verify the DS record created in the parent zone matches the one provided by Route 53. Even a small mismatch can break the chain of trust.

Allow time for DNSSEC changes to propagate:

  • After enabling DNSSEC, wait for at least the previous zone's maximum TTL before testing. This allows unsigned records to be flushed from resolver caches.
  • Monitor for any customer issues for a couple of weeks after enabling, as some network devices may have problems with larger DNSSEC responses.

Check your VPC DNS resolver settings:

  • Make sure DNSSEC validation is enabled for the VPC. You can do this in the Route 53 Resolver.
  • If the VPC resolver does not have DNSSEC validation on, it will not be able to properly validate signed responses, leading to SERVFAIL.

Analyze the tcpdump in more detail:

  • Look for any SERVFAIL responses coming back from the resolver for DS or DNSKEY record queries. This indicates the chain of trust check is failing.
  • Check if the client subnet (ECS) option is present in the queries. Some resolvers may not support it with DNSSEC.
  • See if there are any truncated UDP responses that should fall back to TCP but don't. This can break DNSSEC.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-troubleshoot.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
https://benlimmer.com/2023/08/14/fix-route53-dns-propagation-after-transfer/
https://repost.aws/knowledge-center/route53-troubleshoot-dnssec-configuration

PS: Please rate helpful answers and mark as answered.

AWS
EXPERT
answered 2 years ago
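The "DS record in the parent must match the one Route 53 provides" check from the answer above, as an added example that is not part of the original post and is not AWS tooling: it recomputes the DS from the zone's DNSKEY the way RFC 4034 defines it (key tag per Appendix B, digest over the owner name in wire form followed by the DNSKEY RDATA) and reports which DS field disagrees with what the parent publishes. SAMPLE_DNSKEY is constructed test data shaped like a Route 53 KSK (flags 257, algorithm 13, not a real curve point), example.com is a placeholder zone, and all function names are this example's own. In practice you would paste the DNSKEY from the zone (for example from the output of dig DNSKEY <zone>) and the DS as returned by the parent (dig DS <zone>), with the DS string Route 53 shows for the KSK as the reference.

```python
"""Recompute a zone's DS record from its DNSKEY and compare it with the DS
published in the parent zone (RFC 4034 section 5 and Appendix B).

Added example, not code from the original post or from AWS. SAMPLE_DNSKEY is
constructed test data shaped like a Route 53 KSK (flags 257, algorithm 13);
the function names are this example's own."""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def _fields(text: str) -> list:
    # Tolerate the "( ... )" wrapping dig prints for multi-line records.
    return text.replace("(", " ").replace(")", " ").split()


def dnskey_rdata(dnskey_text: str) -> bytes:
    """'flags protocol algorithm base64...' -> wire RDATA (what the DS digest covers)."""
    fields = _fields(dnskey_text)
    flags, proto, alg = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; algorithm 1 (RSA/MD5) uses a different rule and is rejected."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """DS fields for a DNSKEY: digest = hash(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def parse_ds(ds_text: str) -> dict:
    """'keytag algorithm digesttype hex...' -> dict (hex may be split across spaces)."""
    fields = _fields(ds_text)
    return {"key_tag": int(fields[0]), "algorithm": int(fields[1]),
            "digest_type": int(fields[2]), "digest": "".join(fields[3:]).upper()}


def format_ds(ds: dict) -> str:
    """Presentation form, the shape in which a DS is shown and published."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def check_chain(owner: str, dnskey_text: str, parent_ds_text: str) -> list:
    """Names of the DS fields that disagree with the child's DNSKEY; [] means the chain links up."""
    parent = parse_ds(parent_ds_text)
    if parent["digest_type"] not in DS_DIGEST:
        return ["digest_type"]
    expected = compute_ds(owner, dnskey_text, parent["digest_type"])
    return [k for k in ("key_tag", "algorithm", "digest") if parent[k] != expected[k]]


# Constructed KSK: flags 257, protocol 3, algorithm 13, plus 64 placeholder key bytes.
SAMPLE_PUBKEY = bytes(63) + b"\x01"
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()

if __name__ == "__main__":
    zone = "example.com"
    good = format_ds(compute_ds(zone, SAMPLE_DNSKEY))                # the DS to publish in the parent
    bad = "1040 13 2 " + compute_ds(zone, SAMPLE_DNSKEY)["digest"]   # key tag mistyped at the registrar
    print("DS to publish :", good)
    print("parent matches:", check_chain(zone, SAMPLE_DNSKEY, good) or "OK")
    print("parent wrong  :", check_chain(zone, SAMPLE_DNSKEY, bad))
```

A mismatch in key_tag or algorithm usually means the DS at the parent belongs to an older or mistyped key; a matching key tag with a wrong digest usually means the DS was computed for a different owner name (a www. or trailing-dot slip) or pasted with a corrupted hex string. Run the check against every DNSKEY with flags 257 in the zone, since a parent may publish one DS per KSK.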
