How to disable DNSSEC on a domain

By , April 3, 2018

There are plenty of tutorials around on how to enable DNSSEC on a domain name, but every once in a while you may find yourself in a situation where you want to turn it off.

When that happens, the process is often misunderstood: people think that by simply removing the keys from their zone and reloading it as a plain, unsigned zone, they have disabled DNSSEC.

The problem they then run into is that DNSSEC-aware resolvers are still sending queries for the zone expecting DNSSEC-signed responses, and fail validation when they don't get them. Why?

Because it is the presence of a domain's DS record in the parent zone that signals to resolvers that DNSSEC-signed responses are available. If you want to turn off DNSSEC, you need to remove that DS record from the parent zone.

In most cases, this is your domain’s Top Level Domain (TLD), such as .COM/.NET/.CA or one of the new TLDs like .WTF.

Typically, you add, modify or remove DS records from your domains’ parent zone via your domain’s Registrar.
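The check below is an added example, not code from the original post: given the DS set published in the parent and the DNSKEY set served by the child, it derives the DS a validating resolver would expect from each DNSKEY (RFC 4034 key tag plus SHA-256 digest over the owner name and RDATA) and reports whether the zone will validate as secure, fall back to insecure (no DS, the goal when disabling DNSSEC), or go bogus (DS left behind after the keys were pulled). The zone name `example.com.` and the key bytes are constructed placeholders, and only SHA-256 (digest type 2) DS records are handled.

```python
import base64
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire format of an owner name: lowercase labels, root terminator."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a checksum used to pick the DNSKEY a DS refers to."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(zone: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> tuple:
    """The DS RDATA (key tag, algorithm, digest type 2, SHA-256 hex digest) matching this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def validation_state(parent_ds: list, child_dnskeys: list, zone: str) -> str:
    """What a validating resolver concludes from the parent's DS set and the child's DNSKEY set."""
    if not parent_ds:
        # No DS in the parent: the zone is treated as unsigned. This is the state you
        # want after disabling DNSSEC, whether or not old keys linger in the zone.
        return "insecure"
    derived = {ds_from_dnskey(zone, *key) for key in child_dnskeys}
    if any(ds in derived for ds in parent_ds):
        return "secure"
    # A DS is still published but nothing in the zone matches it: the resolver expects
    # signed answers, gets none it can chain to the DS, and returns SERVFAIL.
    return "bogus"

ZONE = "example.com."                 # constructed placeholder zone
KSK = (257, 3, 13, "AQIDBA==")        # constructed placeholder key: flags 257 = KSK, alg 13

if __name__ == "__main__":
    published = ds_from_dnskey(ZONE, *KSK)
    print(validation_state([published], [KSK], ZONE))  # secure
    print(validation_state([published], [], ZONE))     # bogus: keys removed, DS left in parent
    print(validation_state([], [], ZONE))              # insecure: DS removed, DNSSEC is off
```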
