AWS Route 53 DNSSEC Issue

I just moved this domain away from the registrar one.com to AWS Route 53 (actually Gandi, but that’s a different story). However, when doing so, I got SERVFAIL when doing things like dig mx wendt.se @8.8.8.8, whereas dig +trace mx wendt.se worked just fine.

Apparently, Route 53 has partial support for DNSSEC, and others have run into this issue before when moving domains under the .se TLD.

Tools used to hint at the real cause:

  • http://dnscheck.iis.se/
  • http://dnsviz.net/d/wendt.se/dnssec/
  • http://dnscheck.pingdom.com/?domain=wendt.se

The solution - for now - is to remove any DNSSEC keys for the domain, as described here:

  • https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html
  • https://console.aws.amazon.com/route53/home#DomainDetail:wendt.se
  • Route 53 » Registered domains » click it » DNSSEC status (to the right)
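The mechanism behind the SERVFAIL is worth spelling out, because the same check is what the tools above perform: a validating resolver such as 8.8.8.8 fetches the DS record set from the parent (.se) and the DNSKEY set from the child, and if no DNSKEY served by the child matches a DS in the parent, the zone is bogus and the resolver answers SERVFAIL. dig +trace does not validate, so it never notices. Removing the DS at the registrar, as above, turns the zone from bogus into insecure (unsigned), which validating resolvers accept. The script below is an added example, not code from the original post or from AWS; it reimplements the DS digest and key-tag computation from RFC 4034 in plain Python and runs it over constructed key material (the DNSKEY byte strings and the "old/new KSK" names are invented for illustration, and far shorter than real keys).

```python
import hashlib
import struct

# Digest types from the DS record: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag from RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, public_key)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, dnskey, digest_type=2):
    """DS record (key tag, algorithm, digest type, hex digest) for a DNSKEY,
    per RFC 4034 section 5.1.4: digest = hash(owner name wire form | DNSKEY RDATA)."""
    flags, protocol, algorithm, public_key = dnskey
    digest = DIGEST_FUNCS[digest_type](name_to_wire(owner) + dnskey_rdata(*dnskey)).hexdigest()
    return (key_tag(*dnskey), algorithm, digest_type, digest.upper())


def stale_ds_records(owner, parent_ds, child_dnskeys):
    """Return the DS records in the parent that no DNSKEY served by the child satisfies.
    DS records with a digest type this script cannot compute are skipped, since a
    validator ignores them too. Any stale DS that remains makes the zone bogus."""
    stale = []
    for ds in parent_ds:
        tag, algorithm, digest_type, digest = ds
        if digest_type not in DIGEST_FUNCS:
            continue
        wanted = (tag, algorithm, digest_type, digest.upper())
        if not any(ds_from_dnskey(owner, k, digest_type) == wanted for k in child_dnskeys):
            stale.append(ds)
    return stale


def diagnose(parent_ds, child_dnskeys, owner="wendt.se"):
    """Classify the delegation the way a validating resolver would."""
    if not parent_ds:
        return "insecure"          # no DS at the parent: unsigned zone, resolvers answer normally
    if stale_ds_records(owner, parent_ds, child_dnskeys):
        return "bogus"             # DS points at a key the child does not serve: SERVFAIL
    return "chained"               # every DS is backed by a published DNSKEY


# Constructed keys (assumption, not real key material): the KSK the previous
# host published and the KSK a new host might serve. Real keys are much longer.
OWNER = "wendt.se"
OLD_KSK = (257, 3, 13, b"\x01\x02\x03\x04")
NEW_KSK = (257, 3, 13, b"\x0a\x0b\x0c\x0d\x0e")

if __name__ == "__main__":
    old_ds = ds_from_dnskey(OWNER, OLD_KSK)
    # Before the move: parent DS matches the key the old host serves.
    print("before move:      ", diagnose([old_ds], [OLD_KSK]))
    # After the move: the new host serves no DNSKEY (unsigned zone), but .se still holds the old DS.
    print("after move:       ", diagnose([old_ds], []))
    # Same failure if the new host serves a different key than the DS describes.
    print("different key:    ", diagnose([old_ds], [NEW_KSK]))
    # The fix from the post: delete the DS at the registrar.
    print("DS removed:       ", diagnose([], []))
```

To run this against a live delegation, feed it the output of dig DS and dig DNSKEY for the domain (base64-decode the public key field into the bytes used here). It only checks the DS-to-DNSKEY link; a full validator also verifies that a matching key actually signs the DNSKEY RRset, so "chained" here means the DS is not stale, not that the zone validates end to end.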

This work by Fredrik Wendt is licensed under CC by-sa.