How Bad DNS Entries Can Make Your Company Website Invisible

Christopher Lentz | October 16, 2014 10:39 AM

It is one of the hardest lessons to learn about DNS, and luckily few people have to deal with it. However, if you have had trouble viewing your website from certain places or WiFi networks, it might not be entirely their fault. Recently, many of the larger DNS providers have switched to accepting only signed and keyed DNS (DNSSEC) to prevent DNS poisoning. This change has caused a lot of problems for website owners whose important DNS entries were missing or incorrect.

The Real Problem

The actual problem with this change is that there was no way to notify potentially affected websites about their incorrect DNS entries. It took us a while to find the issue because it was a change we didn't even know was happening. The new reliance on DNSSEC by the major DNS providers means that a website zone must have both a DS and a DNSKEY entry for their zone and they must match. If they do not match, the DNS provider will not add the rest of your DNS entries to their servers. This means to their customers, your website does not exist.
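The check described above, "the DS at the parent must match a DNSKEY in the child zone", is mechanical and worth reproducing, because a mismatch fails silently from the owner's point of view. The following is an added example, not code from the original post: it computes the DS record (key tag plus SHA-1/SHA-256/SHA-384 digest, per RFC 4034) from a DNSKEY and reports whether a delegation is unsigned, correctly signed, or broken. The zone name `example.com.` and the tiny key material are constructed for illustration; real records would come from `dig DNSKEY <zone>` at the zone's own servers and `dig DS <zone>` at the parent.

```python
import base64
import hashlib
import struct

# A DNSKEY is modelled as (flags, protocol, algorithm, public_key_base64);
# a DS as (key_tag, algorithm, digest_type, digest_hex). Both shapes mirror
# the presentation format you see in dig output.

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey, digest_type=2):
    """Derive the DS record that the parent zone should publish for this DNSKEY."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_delegation(owner, dnskeys, ds_records):
    """Classify a delegation as 'unsigned', 'match', or 'broken'.

    'unsigned': no DS at the parent, so validators treat the zone as insecure but reachable
                (this is the first fix the post describes: remove the DS at the registrar).
    'match':    at least one DS at the parent corresponds to a DNSKEY in the zone.
    'broken':   DS records exist but none matches, which is the invisible-website failure.
    """
    if not ds_records:
        return "unsigned"
    for ds in ds_records:
        _tag, algorithm, digest_type, digest_hex = ds
        if digest_type not in DIGEST_ALGOS:
            continue  # unknown digest type: a validator would ignore this DS
        for key in dnskeys:
            if key[2] != algorithm:
                continue
            if make_ds(owner, key, digest_type) == (ds[0], algorithm, digest_type, digest_hex.upper()):
                return "match"
    return "broken"


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with a deliberately tiny, meaningless key body.
    zone = "example.com."
    ksk = (257, 3, 13, base64.b64encode(b"\x01\x02").decode())
    ds = make_ds(zone, ksk)
    print("DS the parent should hold:", ds)
    print("healthy delegation:", check_delegation(zone, [ksk], [ds]))
    stale_ds = (ds[0], ds[1], ds[2], "00" * 32)  # e.g. left behind after a key rollover
    print("stale DS at parent:", check_delegation(zone, [ksk], [stale_ds]))
    print("DS removed at parent:", check_delegation(zone, [ksk], []))
```

The "broken" branch is the case the post is about: the parent publishes a DS, the zone publishes DNSKEYs, and no pair agrees on key tag, algorithm and digest. A validating resolver then marks the whole zone bogus, and every other record under it becomes unreachable for that resolver's users.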

How To Fix It

Fixing the problem can be simple or complex depending on the route you decide to take. The first, and simplest, way to resolve the issue is to remove any DS entries at the parent zone. These can usually be found at the place you registered your domain, otherwise known as your registrar. The second way requires moving all of your DNS to your own DNS servers. On the new DNS servers, you will need to create the DS and DNSKEY entries and ensure that they match. The third and final option is to create the DS and DNSKEY entries with your current host, if it supports DNSSEC. For Amazon Route 53 customers, I am sorry to say that DNSSEC is not available.

