
3608 - Unsigning a DNSSEC zone in NIOS


You are a DNS administrator at a coffee company. The internal name space includes an authoritative zone coffee.corp on the server NS1 ( and a delegated child zone on server NS2 (
A decision has been made to un-sign a zone managed by your team. You are tasked with implementing this change while maintaining resolution for the zone, which means validating resolvers must keep answering for it throughout.

Estimate Completion Time

  • 30 to 45 minutes






Grid Manager UI



Course References

  • 1204: DNSSEC Fundamentals

  • 3011: DNS Troubleshooting Methodology

  • 2204: Describing DNSSEC

  • 2026: Configuring Authoritative DNSSEC in NIOS

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those used in prior labs.



Task 1: Un-sign

  • In this task we simulate backing out of a DNSSEC deployment for the delegated zone, and observe what a validating resolver does at each step

    1. Log in to NS2 (

      1. navigate to Data Management → DNS → Zones

      2. select

      3. on the Toolbar, click DNSSEC → Unsign Zones

      4. Restart Services when prompted.

    2. Execute the following command on Jump-Desktop ( and note down the results:

      dig @ A

    3. If the answer was cached, either wait for the cache to expire or manually clear the cache on the validating resolver ADA ( by navigating to Data Management → DNS → Members and, on the Toolbar, clicking Clear → Clear DNS Cache.

    4. What response code did we receive, and why?

    5. Log in to NS1 (

      1. navigate to Data Management → DNS → Zones

      2. select

      3. delete all DS records for

    6. Execute the same dig command again:

      dig @ A

      1. What is the response after the cache has expired or has been manually cleared?


Task 1 solution: Un-sign

  • Solution:
    After unsigning the child zone, any DS records that remain in the parent zone cause a validating resolver to treat the child as bogus (SERVFAIL) until the DS records are removed and have expired from the resolver's cache. The safe order of operations is therefore the reverse of what this lab simulates: delete the DS records from the parent first, wait at least their TTL so that validators no longer hold them, and only then unsign the child.

  • Detailed Analysis:
    After logging in to NS2 and unsigning the authoritative zone, then waiting long enough (199 seconds) for cached answers to expire, we use dig to look up the record again, and the response, a SERVFAIL, is shown below:

    The lookup fails because the DS records on NS1 have not yet been removed: the validating resolver still holds a DS for the child, so it expects a signed delegation. It finds no DNSKEY in the child matching that DS and no RRSIGs on the answer, marks the data bogus, and returns SERVFAIL to the client. The following figure shows the log messages generated by the dig command, as seen on the validating resolver ADA (

    Log in to NS1 (, navigate to Data Management → DNS → Zones, select the authoritative zone coffee.corp, and delete all DS records for, as shown below:

    Wait for the DS records to expire from ADA's cache (199 seconds); the query for then succeeds as an insecure resolution, with NOERROR and no AD flag present, as shown below:
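    The three states walked through in Task 1 (signed child with a matching DS, unsigned child with a stale DS, unsigned child with no DS) are decided by one step of validation: whether a DS published by the parent authenticates a DNSKEY served by the child (RFC 4035 section 5.2). The script below is an added example written for this page, not NIOS or BIND code. It computes DS records the way a parent does (RFC 4034 key tag, SHA-256 digest over the wire-format owner name and DNSKEY RDATA, RFC 4509) and classifies the delegation as secure, insecure or bogus. The child zone name "child.example" and the key bytes are constructed placeholders, since the page does not name the delegated zone; signature verification, NSEC proofs and the cache wait are outside what it models.

```python
"""Delegation-point check a validating resolver performs (RFC 4035 s.5.2),
reduced to the DS -> DNSKEY match that explains the lab's SERVFAIL.

Added example, not NIOS or BIND code.  The child zone name and key bytes
are constructed placeholders (the page does not name the delegated zone).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material; only hashed here

    def rdata(self) -> bytes:
        """DNSKEY RDATA as it appears on the wire."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256 (RFC 4509)
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase labels, each length-
    prefixed, terminated by the root label (RFC 4034 section 6.2)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def make_ds(owner: str, key: DNSKEY) -> DS:
    """The DS a parent publishes for a child key:
    SHA-256(owner name in wire format || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)


def delegation_status(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Outcome of the DS -> DNSKEY step of validation.

    insecure: parent has no DS; child treated as unsigned, answer has no AD
    secure:   some DS authenticates a child DNSKEY (RRSIGs then checked)
    bogus:    DS present but nothing in the child matches -> SERVFAIL
    """
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        for key in child_dnskeys:
            if ds.algorithm != key.algorithm or ds.digest_type != 2:
                continue
            if make_ds(owner, key) == ds:
                return "secure"
    return "bogus"


CHILD_ZONE = "child.example"    # constructed stand-in for the delegated zone
# Constructed stand-in for the child's KSK; DS computation only hashes bytes.
CHILD_KSK = DNSKEY(257, 3, 13, hashlib.sha256(b"constructed ksk").digest())


def lab_states() -> dict:
    """The three states walked through in Task 1.  An unsigned child answers
    the validator's DNSKEY query with NODATA, modelled here as an empty list."""
    ds_in_parent = [make_ds(CHILD_ZONE, CHILD_KSK)]
    return {
        # before the lab: child signed on NS2, DS published by NS1 matches
        "signed_with_ds": delegation_status(CHILD_ZONE, ds_in_parent, [CHILD_KSK]),
        # steps 1-4: child unsigned on NS2, DS still published by NS1
        "unsigned_with_stale_ds": delegation_status(CHILD_ZONE, ds_in_parent, []),
        # steps 5-6: DS deleted on NS1 and expired from ADA's cache
        "unsigned_no_ds": delegation_status(CHILD_ZONE, [], []),
    }


if __name__ == "__main__":
    for state, outcome in lab_states().items():
        print(f"{state:24s} -> {outcome}")
```

    Running it prints secure, bogus and insecure for the three states in order, which is exactly the sequence the lab observes with dig: a SERVFAIL while the stale DS is still cached on ADA, then a NOERROR answer without the AD flag once the DS is gone. The "bogus" branch is the one to avoid in production, and it is reached purely by ordering, which is why the DS must be withdrawn from the parent (and aged out of caches) before the child stops serving DNSKEY and RRSIG records.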
