Is your domain refusing to load, even though everything appears to be set up correctly? You might be experiencing a DNSSEC configuration conflict. This article walks you through identifying and resolving DNSSEC SERVFAIL errors so your website and email start working again.
What’s Happening to Your Domain?
When you visit your website or send emails, you might notice:
- Your site won’t load in any browser
- Email bounces or fails to send
- SSL certificates won’t install or keep expiring
- DNS lookup tools show “SERVFAIL” responses
These symptoms usually point to a DNSSEC mismatch — a technical conflict between your domain’s registry settings and your hosting configuration.
Why DNSSEC Causes Problems with DomainsFoundry
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records for extra security. Whilst this sounds beneficial, DomainsFoundry’s shared hosting platform doesn’t support DNSSEC — and this is standard across most shared hosting providers.
The problem occurs when your domain has DNSSEC partially enabled:
- DS records remain active at your domain registry (.uk, .com, etc.)
- DNSKEY records are missing from DomainsFoundry’s nameservers
- Validating DNS resolvers see this mismatch and return SERVFAIL instead of resolving your domain
Think of it like having a lock but no key — the security system blocks access entirely rather than letting traffic through.
When Does This Happen?
This issue typically appears after:
- Transferring your domain from a provider that used DNSSEC
- Pointing to DomainsFoundry nameservers without disabling DNSSEC first
- Registering a new domain where DNSSEC was enabled by default
- Incomplete DNSSEC removal during a previous configuration change
Check If You Have a DNSSEC Mismatch
Before contacting support, you can confirm whether DNSSEC is causing your problems.
Quick Symptoms Checklist
✓ Domain worked fine on your previous hosting
✓ Nameservers are correctly pointed to DomainsFoundry
✓ DNS propagation time (24 hours) has already passed
✓ Other domains on the same hosting work normally
If all of these are true, DNSSEC is likely the culprit.
Technical Verification (Optional)
If you’re comfortable with command-line tools, run these checks:
Look for DS records at the registry:
dig DS yourdomain.co.uk
Look for DNSKEY records on the nameservers:
dig DNSKEY yourdomain.co.uk +dnssec +cd
What you’re looking for: DS records present, but DNSKEY records absent. This confirms the mismatch.
(Don’t worry if you’re not familiar with these commands — our support team can check for you.)
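The two checks above as a script, added here as an example and not DomainsFoundry's own tooling. It reads full dig output, counts DS and DNSKEY answers, and treats a timeout or error reply as inconclusive instead of as "record absent". The sample output, including the all-zero DS digest and the ns1.example.net nameserver, is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify DNSSEC state from full `dig` output (not +short).
# Live use:
#   diagnose "$(dig DS yourdomain.co.uk)" "$(dig DNSKEY yourdomain.co.uk +dnssec +cd)"

# RCODE from the header line, e.g. "status: NOERROR". Empty if dig got no reply.
rcode() { awk -F'status: ' '/->>HEADER<<-/ { sub(/,.*/, "", $2); print $2; exit }'; }

# Count answer records of one type. dig comment lines start with ';'.
count_rr() { awk -v t="$1" '!/^;/ && $3 == "IN" && $4 == t { n++ } END { print n + 0 }'; }

# diagnose DS_OUTPUT DNSKEY_OUTPUT -> one-word verdict
diagnose() {
    local ds keys
    # A timeout or SERVFAIL is not the same as "record absent".
    [ "$(printf '%s\n' "$1" | rcode)" = "NOERROR" ] || { echo INCONCLUSIVE; return; }
    [ "$(printf '%s\n' "$2" | rcode)" = "NOERROR" ] || { echo INCONCLUSIVE; return; }
    ds=$(printf '%s\n' "$1" | count_rr DS)
    keys=$(printf '%s\n' "$2" | count_rr DNSKEY)
    if   [ "$ds" -gt 0 ] && [ "$keys" -eq 0 ]; then echo MISMATCH  # the SERVFAIL case
    elif [ "$ds" -gt 0 ]; then echo SIGNED
    elif [ "$keys" -gt 0 ]; then echo KEYS_WITHOUT_DS             # resolves as unsigned
    else echo UNSIGNED
    fi
}

# Constructed sample output for the article's placeholder domain.
SAMPLE_DS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; ANSWER SECTION:
yourdomain.co.uk. 3600 IN DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000'

SAMPLE_NO_KEYS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; AUTHORITY SECTION:
yourdomain.co.uk. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

diagnose "$SAMPLE_DS" "$SAMPLE_NO_KEYS"    # DS at registry, no DNSKEY on nameservers
diagnose "$SAMPLE_DS" "$SAMPLE_TIMEOUT"    # lookup failed, so no conclusion
```

MISMATCH is the state described in this article; INCONCLUSIVE means the lookup itself failed and should be repeated before raising a ticket.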
How to Resolve the Issue
DomainsFoundry support will remove the problematic DS records from your domain registry. Here’s how to get this sorted:
Step 1: Contact DomainsFoundry Support
Visit DomainsFoundry Support and submit a ticket with:
- Your domain name (e.g., yourwebsite.co.uk)
- The problem: “My domain isn’t loading due to DNSSEC SERVFAIL errors”
- Your request: “Please remove DS records from the registry”
Step 2: We’ll Handle the Registry Request
Our technical team will:
- Verify the DNSSEC configuration
- Contact your domain registry directly
- Request DS record removal on your behalf
You don’t need to do anything else during this stage.
Step 3: Wait for Propagation
- Registry processing: 24–48 hours for the registry to action the removal
- Global DNS propagation: Another 24–48 hours for the changes to spread worldwide
- Total time: Most domains resolve within 2–3 days
Your domain will then operate as a standard, non-DNSSEC domain — which is perfectly normal and secure.
What “Insecure” Means (and Why It’s Fine)
Once DS records are removed, DNS tools may label your domain as “Insecure”. Don’t panic — this is misleading terminology.
“Insecure” in DNSSEC terms simply means your domain isn’t using DNSSEC signing. The vast majority of websites operate this way, including most major platforms.
Your Website Is Still Secure
Your site’s actual security comes from:
- SSL/TLS certificates (the padlock symbol in browsers)
- Secure hosting infrastructure at DomainsFoundry
- Strong passwords and authentication
- Regular software updates for WordPress, plugins, etc.
DNSSEC is a DNS-layer security feature. Removing it doesn’t affect your website security, performance, or functionality in any way.
Troubleshooting & FAQs
My domain still won’t load after 72 hours. What now?
Contact DomainsFoundry support again. Some registries take longer to process changes, or there may be a separate DNS issue we can investigate.
Will this affect my email service?
DNSSEC errors can stop email working entirely. Once resolved, your email will resume normal operation — though you may need to resend any messages that bounced during the outage.
Can I add DNSSEC back later if I want it?
Only if you move to a hosting environment where you have full DNS control, such as a VPS or dedicated server. Shared hosting platforms (ours included) don’t support DNSSEC configuration.
How do I avoid this problem with future domains?
When registering new domains or changing nameservers, check whether DNSSEC is enabled at your registrar. Disable it before pointing to DomainsFoundry nameservers. If you’re unsure, just ask us first.
Does removing DNSSEC affect my search engine rankings?
No. Search engines don’t rank domains differently based on DNSSEC status. Your SEO remains completely unaffected.
Need Assistance?
If you’re experiencing DNSSEC SERVFAIL errors, contact DomainsFoundry support and we’ll sort out the DS record removal for you.
