    How to Fix DNSSEC Migration Failures: Steps to Disable or Turn Off DNSSEC

    Moved your website to a new host or changed nameservers, and now your domain is offline? If you see a SERVFAIL error, the cause is almost always a broken DNSSEC “chain of trust.”

    This guide explains exactly why this failure happens and provides the 5-step procedure to migrate your domain or hosting safely. We will cover how to properly disable the DS record, why you must wait 48 hours, and how to re-enable DNSSEC correctly after the move to prevent any downtime.

    How to Fix DNSSEC-Related Migration Failures - HostingXP.com

    A step-by-step guide to avoiding the SERVFAIL outage when moving your domain or hosting.
    Updated: October 2025

    You moved your website to a new host, changed your nameservers, and now your site is offline. Worse, it seems to work for you but is broken for many visitors. This is a common and confusing problem. The cause is often DNSSEC.

    DNSSEC (Domain Name System Security Extensions) protects your domain by creating a "chain of trust." When you migrate, you often break this chain. This guide explains why it breaks and provides the exact 5-step procedure to migrate safely without downtime.

    Understanding the DNSSEC Components

    DNSSEC relies on a few special DNS record types to create its chain of trust. Understanding them helps clarify why the migration process is so specific.

    DS Record (Delegation Signer)

    This is the "fingerprint" record. It lives at the registrar (in the parent TLD, like .com). It points to the active key on your host.

    DNSKEY Record (DNS Public Key)

    This is the public "key" itself. It lives at your hosting provider (or wherever your nameservers are). The DS record must match this key.

    RRSIG Record (Resource Record Signature)

    This is the digital signature for your *other* records (like A, CNAME, MX). It proves they are authentic and have not been altered.

    NSEC Record (Next Secure)

    This record proves, with a signature, that a specific DNS name or record type does *not* exist (authenticated denial of existence). It prevents attackers from tricking resolvers with forged "no such name" answers or fake subdomains.

    Why the Migration Fails: A Broken Chain

    DNSSEC works by matching two pieces of data:

    1. The DNSKEY Record: A public key stored at your hosting provider.
    2. The DS Record: A "fingerprint" of that key, stored one level up at your domain registrar (who passes it to the TLD, like .com).

    A validating resolver (like Google's 8.8.8.8) checks that the DS "fingerprint" at the registrar matches the DNSKEY "key" at the host. If they match, the chain is trusted.

    The "Working" vs. "Broken" Chain

    WORKING CHAIN (Before Migration)

    Registrar / TLD: DS = A1B2C3  -->  Old Host: DNSKEY = A1B2C3  -->  Resolver: MATCH (chain trusted)

    BROKEN CHAIN (After Migration)

    Registrar / TLD: DS = A1B2C3  -->  New Host: DNSKEY = X9Y8Z7  -->  Resolver: MISMATCH (SERVFAIL)

    When you move to a new host, your new host generates a new DNSKEY. But your registrar still has the old DS "fingerprint" on file. The mismatch causes validating resolvers to return a SERVFAIL error. To them, your site is broken.

    Two Types of Migration Blocks

    Your migration can be stopped in two different ways. It is important to know which one you are facing.

    Technical Block
      What it is: A DNSSEC validation failure. The DS and DNSKEY records do not match.
      What it stops: DNS resolution. Causes a SERVFAIL error; your site appears offline.
      How to fix: Follow the 5-step procedure in this guide (Disable, Wait, Migrate, Re-enable).

    Administrative Block
      What it is: A registrar policy or ICANN rule (e.g., "Domain Lock" or the "60-Day Transfer Lock").
      What it stops: Domain transfer. Your new registrar cannot take ownership of the domain.
      How to fix: Log in to your current registrar and turn off the "Domain Lock" or "Registrar Lock".

    The 5-Step Procedure for a Safe Migration

    Follow these five steps exactly. Do not skip any. Rushing this process is what causes the outage.

    Step 1: Deactivate DNSSEC at Your Registrar

    Log in to your domain registrar (the company you pay for your domain name, like GoDaddy). Find the DNSSEC settings and turn it off. This action tells the TLD registry to delete the DS record. This is the only thing you should do in this step.

    Step 2: Wait 24-48 Hours

    This is the most important step. Do not skip it.

    You must wait for the old DS record's Time-to-Live (TTL) to expire from all DNS caches worldwide. This can take 24 to 48 hours. Your registrar's dashboard might say "complete" in 90 minutes; ignore that. Trust only the 24-48 hour rule.

    [Figure: Primary Causes of DNSSEC Migration Failure]

    Step 3: Verify the DS Record is Gone

    Before you do anything else, you must verify that the DS record has been removed from the parent TLD. Do not trust your registrar's dashboard. Use an external tool.

    Open a command line or terminal and run this command (replace yourdomain.com):

    dig DS yourdomain.com +trace

    What to Look For:

    GOOD (DS is gone): You will see your domain's SOA record, but NO DS record, from the TLD server.

    yourdomain.com.		86400	IN	SOA	ns1.oldhost.com. ...

    BAD (DS is still active): You will see a DS record line. DO NOT PROCEED.

    yourdomain.com.		86400	IN	DS	60121 13 2 D826B9...

    Look at the results from the TLD nameservers (e.g., e.gtld-servers.net.). You are successful when you see no DS record being returned from those servers.

    Step 4: Perform the Migration

    Once you have verified the DS record is gone, your domain is in a "clean" (but temporarily insecure) state. It is now safe to make your changes without causing a SERVFAIL outage.

    • If changing hosting: Log in to your registrar and change your NS records to point to your new host.
    • If changing registrar: Unlock your domain and initiate the transfer using your EPP/Auth code.

    Step 5: Re-enable DNSSEC (The Correct Way)

    After your migration is complete and your new nameservers are active, you must re-secure your domain. The order is very important.

    1. First, enable DNSSEC at your new host. This will generate a new DNSKEY.
    2. Second, get the new DS record from your new host. It will provide a Key Tag, Algorithm, Digest Type, and a long Digest string.
    3. Third, add the new DS record at your registrar. Log in to your registrar, find the DS record management, and paste in the new values from your host.

    Doing this in the wrong order will cause another outage.
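    To make the DS/DNSKEY mismatch from the chain diagrams and the DS values your host hands you in Step 5 concrete, here is an added Python example (not the page's or any provider's code) that derives a DS record from a DNSKEY the way RFC 4034 specifies and then checks it the way a validating resolver does. The domain yourdomain.com, the key bytes and the helper names are constructed for illustration.

```python
import hashlib

# DS digest types (RFC 4034 / RFC 4509); the page's sample DS "60121 13 2 D826B9..." uses type 2.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK), 1-byte protocol (3), 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key Tag per RFC 4034 Appendix B (the first field of a DS record; not for legacy RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(name, flags, protocol, algorithm, pubkey, digest_type=2):
    """Derive the DS tuple (Key Tag, Algorithm, Digest Type, Digest) a host gives you in Step 5."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGOS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches_key(ds, name, flags, protocol, algorithm, pubkey) -> bool:
    """What a validating resolver does: recompute the DS from the DNSKEY it fetched and compare."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: this DS cannot vouch for the key
    return make_ds(name, flags, protocol, algorithm, pubkey, dtype) == (tag, alg, dtype, digest.upper())

# Constructed sample keys (not real DNSSEC keys): the KSK published by the old and the new host.
DOMAIN = "yourdomain.com"
OLD_HOST_KEY = b"\x01\x02\x03\x04"
NEW_HOST_KEY = b"\x09\x08\x07\x06"

def migration_check():
    """Replay the page's two diagrams: the registrar still holds the DS derived from the old key."""
    ds_at_registrar = make_ds(DOMAIN, 257, 3, 13, OLD_HOST_KEY)
    before = ds_matches_key(ds_at_registrar, DOMAIN, 257, 3, 13, OLD_HOST_KEY)  # chain intact
    after = ds_matches_key(ds_at_registrar, DOMAIN, 257, 3, 13, NEW_HOST_KEY)   # SERVFAIL
    return before, after
```

    In practice you feed ds_matches_key the DNSKEY from `dig DNSKEY yourdomain.com` and the DS from `dig DS yourdomain.com`; a False result is exactly the mismatch that makes validating resolvers return SERVFAIL, and migration_check() returns (True, False) for the before/after scenario in the diagrams.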

    Troubleshooting & Common Questions

    I waited 48 hours, but `dig` still shows a DS record. What now?

    This can happen if a DNS resolver in the `+trace` path is still serving the record from a long-lived cache. First, double-check your registrar's dashboard to ensure DNSSEC is 100% disabled. If it is, and the `dig` command still shows a DS record from the TLD servers (like a.gtld-servers.net.), you must contact your registrar's technical support. Tell them "The DS record for my domain is still published at the registry level even after I disabled DNSSEC."

    What if my new host does not support DNSSEC?

    If your new host does not support DNSSEC, you simply follow steps 1-4. You will skip Step 5. Your domain will function correctly, but it will not have the added protection of DNSSEC. When choosing a host, it is highly recommended to select one that supports this feature.

    My registrar and host are the same company. Does this change anything?

    This can simplify things. Some providers may automatically manage the DS record when you use their hosting and domain services. However, when you are *migrating away* from them, this automation can fail. The 5-step procedure (especially disabling DNSSEC first) is still the safest, most reliable method to prevent an outage, even if your services are bundled.

    What are some tools to check my DNSSEC status?

    While dig is the most direct tool, several web-based tools provide excellent visual reports. Good options include:

    • DNSViz: Shows a complete visualization of the chain of trust.
    • Verisign DNSSEC Debugger: A simple tool that checks your records from the registry.
    • Google's DNS Tester: Checks how Google's public DNS (8.8.8.8) resolves your domain.
