
Answer by noseratio for Old registrar had DNSSEC enabled and after transferring, the new registrar doesn't support it. Now the site won't load

The same DNSSEC transfer issue has just happened to me. I am far from being a pro network engineer and it took me a while to troubleshoot the problem. Thanks to Patrick's excellent answer, I'm back online and I'd like to document the practical aspects of my encounter here, hopefully to help others and the future me.

The story goes like this. I used to have my personal domain with Google Domains for several years and it was all good, until suddenly they asked me for proof of my identity:

Collect all of the following documents:

  • A bank statement or utility bill that includes your billing address
  • Your non-expired government issued driver’s license, identification card, or passport information page

What a surprise from Google Domains! For the first time in over a decade of my domain ownership I got asked for something like that. And I had to act quickly, as was instructed in the email:

Unfortunately, if we are unable to verify your information within 10 days, your Domain may be suspended.

Naturally, I had decided to transfer my domain somewhere else ASAP, and that's how I ended up with GoDaddy. I used them once before, so I thought I'd quickly churn over and then figure out what to do next.

Little did I know it might also have been a good idea to disable DNSSEC before leaving Google Domains. Two days later, my domain was still resolving to NXDOMAIN, and I began investigating what was going on. DNSViz indicated issues with DNSSEC and an incorrect/missing DS key.

The thing is, if you use GoDaddy's own nameservers, their basic DNS hosting tier doesn't allow editing DS entries. Apparently, they had copied the old DS record from Google Domains and now it was defunct and stuck in limbo. I'd have to upgrade to their Pro tier to use their DNSSEC features, which wasn't something I originally planned for.

Alternatively, if you use GoDaddy as only a registrar and host your domain DNS records somewhere else, then GoDaddy allows you to edit or remove DS records.

After a quick search for a free DNS hosting provider, I picked Cloudflare. I created a free account with them, provisioned the DNS records for my domain and made a change in my GoDaddy account to use Cloudflare's nameservers.

Then I enabled DNSSEC at Cloudflare, removed the old DS entry and added a new one at GoDaddy's (steps), and 10 minutes later my domain started to resolve again.

So far, Cloudflare has been incredible. I've known their name before because I've been using their 1.1.1.1 and DNS-over-HTTPS services (with OpenWrt and Pi-hole) for quite a while and it's been great. This however is the first time I'm using their cloud DNS hosting infrastructure and it surely stands up to the hype.
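
The stale-DS condition described in the answer above can be checked offline. The following is an added example, not part of the original answer: it recomputes DS records from DNSKEY RDATA as specified in RFC 4034 and tests whether the DS held at the registrar still matches a key the current nameservers serve. The zone name, key bytes and helper names are constructed for illustration.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercased) wire form of the owner name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_is_live(ds, owner, served_keys):
    """True if the parent-side DS matches any DNSKEY the zone currently serves."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    return any(make_ds(owner, k, dtype) == (tag, alg, dtype, digest.upper())
               for k in served_keys)

# Constructed sample data: hypothetical zone and made-up key bytes (not real keys).
OWNER = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))       # key at the old DNS host
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))  # key at the new DNS host
STALE_DS = make_ds(OWNER, OLD_KSK)   # DS carried over by the registrar transfer
FRESH_DS = make_ds(OWNER, NEW_KSK)   # DS to publish once the new host signs the zone

if __name__ == "__main__":
    for label, ds in (("stale", STALE_DS), ("fresh", FRESH_DS)):
        state = "validates" if ds_is_live(ds, OWNER, [NEW_KSK]) else "BOGUS: no matching DNSKEY"
        print(f"{label}: {ds[0]} {ds[1]} {ds[2]} {ds[3][:16]}... -> {state}")
```

Passing an empty key list models a new DNS host that does not sign the zone at all: any DS left at the registrar is then unmatched and has to be removed before validating resolvers will answer for the domain.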

