Skip to main content
Skip table of contents

2604 - Troubleshooting DNSSEC in NIOS


You have started as a new DNS administrator at a company. DNSSEC has just been implemented in your environment.
Users are reporting their inability to access various public domains, In the ticket you're currently handling the user is reporting their inability to access while being able to access, Please investigate the problem and fix it.

Estimate Completion Time

  • 45 to 60 Minutes






Grid Manager UI




  • 2009: Configuring NIOS DNS Services

  • 2023: Configuring NIOS DNS Zones

  • 3011: DNS Troubleshooting Methodology

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Screenshot 2024-05-06 at 3.16.57 PM.png


Task 1: First Ticket

  • You're investigating the reported problem, first you need to verify the problem exists then understand what is causing the problem in order to fix it.

    1. Execute the following dig commands on the Jump-Desktop (

      dig @ A
      dig @ A

    2. Which query failed?

    3. Try with DNSSEC disabled and note the difference. What is the root cause?


Task 1: First Ticket

  • Root cause

The correct anchor is installed, but the "responses must be secure" option is enabled.

  • Detailed Analysis

We are able to lookup secure domain names such as and However, when querying for other insecure domains such as or, we get SERVFAIL.
This is a big problem as the vast majority of the domains have yet to be signed. Examples shown the following figures.

On the Grid Master IBGM (, navigate to Administration → Logs → Syslog, and we can see the syslog messages as shown in following figure that indicates the error is rooted in the must-be-secure option.

We can verify this misconfiguration by navigating to Data Management → DNS, Toolbar → Grid DNS Properties → DNSSEC, scroll down to the Trust Anchor section, and see that the Responses Must Be Secure option is enabled for the root zone, as shown in the following figure.
This configuration instructs the validating resolver to treat all sub domains of root to be secure, which would be every single domain name, and is the root cause of our issue. Uncheck the option, save, and restart services to fix the issue.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.