Channel: Old registrar had DNSSEC enabled and after transferring, the new registrar doesn't support it. Now the site won't load - Webmasters Stack Exchange

Answer by Patrick Mevzek for Old registrar had DNSSEC enabled and after transferring, the new registrar doesn't support it. Now the site won't load


Could this be due to DNSSEC?

Yes, but impossible to be sure as you do not give the domain name involved, not even the TLD (rules change about transfers and DNSSEC data depending on the TLD). Debugging DNSSEC-related problems in the DNS is already a complicated task when you have the name of the broken domain, but without it, this becomes an impossible task.

Even "domain transfer" is not very clear so the answer below will only be generic explanations covering most normal cases.

DNSSEC needs ongoing maintenance

Whatever DNS provider you use to handle your nameservers, if you enable DNSSEC you need to understand that you will have ongoing maintenance that someone will need to do:

  • only directly inside the nameservers, signatures must be regenerated and, for good security practices, keys should be rotated, typically after a few months for ZSKs.

  • if you also change the KSKs (again good security practices, but typically counting in years and not months like a ZSK), it means you will need to change the DS record at the parent zone, which for now means giving this DS to the current registrar so that it forwards it to the registry which then publishes it (there are other schemes currently being cooked to try to avoid the registrar in that case; .DK and .CH/.LI have or will have shortly such features).

So the above means: any kind of DNS provider change may have consequences. It is a hard problem, if not done at the correct pace and especially if the old provider does not cooperate. There are RFCs for guidance on that.

DNS provider is registrar, or not

When you buy a domain name, you go typically to a registrar, whose job is to register domain names. Then if you want it to resolve you need DNS service. Registrars are also often DNS providers (including for domain names not registered with them in some cases), but you can as well choose an outside DNS provider.

In that second case, the DNSSEC maintenance is more complicated. If your registrar is also your DNS provider and also maintains all DNSSEC records for you automatically, then you have less to worry about of course, but you are also putting everything in the same basket, so it is a compromise to understand.

A domain name transfer between registrars has no impact on DNS resolution

When a domain name is transferred between two registrars, there is no change in the nameservers used at least at the registry level (except of course for a couple of registries where the registrar can or is even forced to supply the nameservers list at transfer time, which results basically in the same thing as if the new registrar does a nameserver change right after the transfer has completed).

Which means that, as soon as the transfer is finished, the domain, now at a new registrar, still uses the same nameservers that it was using before the transfer, and hence if present previously, DNSSEC should continue to work in the exact same way.

With caveats:

  • if your DNS provider was your previous registrar from which you just transferred out, based on the contract you signed with it, it may or may not stop providing DNS service for your domain now at a second registrar. Good registrars will, even in this case, at least continue to provide service for some days, so that you have time to switch properly. If you are in a situation where the DNS service is immediately cut off after transfer, you will soon be in a world of pain.

  • if you asked your new registrar to change the nameservers during transfer, it should do the operation right after the transfer finished. But if the new nameservers are not set up exactly as the old ones, including what is related to DNSSEC and especially the DNSKEY records, then as soon as the nameservers are changed your domain will (can) appear broken to validating resolvers that will produce NXDOMAIN for your domain because they will see the DS record in the parent zone but no DNSKEY record anymore in the nameservers.

Transferring a domain name with DNSSEC

Now this is where it depends a lot on TLDs.

With some registries, each registrar needs to be certified or at least checked for DNSSEC and the registry will prohibit transfers from a DNSSEC enable registrar to a non DNSSEC enabled one.

Some registries may prohibit transfers of DNSSEC enabled domains (in which case you first need to strip DNSSEC to go back to the insecure case, then transfer, then put back DNSSEC).

Some registries may strip DNSSEC related records (that is the DS record in their (registry) zone) during the transfer, specifically if the new registrar is not DNSSEC enabled, or has not used a specific switch requesting to keep the DNSSEC records during transfers.

There is a specific EPP extension to ease transfer of DNSSEC enabled domains: Key Relay Mapping for the Extensible Provisioning Protocol. However:

  1. it needs to be implemented by the registry. To the best of my knowledge this is only the case for SIDN, the .NL registry
  2. the new registrar needs to use it
  3. the old registrar needs to cooperate

Which creates many conditions not often found.

A word on "propagation"

While everyone uses it in the DNS context, it is wrong. DNS is not top-down: when a change happens in a zone, this is not pushed down to all recursive resolvers (an impossible task anyway). On the contrary, the recursive nameservers will start to learn about the change in some given time, depending on both the content of their cache, and the TTL (Time To Live) values. Which is why changes can appear immediately, or after hours or days, depending on how you test, what you tested before, and from where.

You are mentioning Google DNS servers, which shows exactly what not to do: in case of DNS changes you need first to query the authoritative nameservers (starting from the parent zone) to check if they have the expected values. Only after which you can start poking at various public recursive resolvers, but please remember there is a world outside of Google, so you can use as well 1.1.1.1 (CloudFlare), 9.9.9.9 (IBM+PCH), 80.80.80.80 (Freenom) or 64.6.64.6 (VeriSign), 208.67.222.222 (OpenDNS), among many others and depending on which entity you decide to send your data to. You could as well start by using your own local recursive nameservers, either on your own box, on your LAN or on your ISP network.

You also have online troubleshooting tools:

  • https://zonemaster.net/
  • https://dnsviz.net/ which is especially good for DNSSEC as it presents chains of trust and delegations as an image with nodes and links, which makes understanding the situation far simpler than text output (and you can even install it locally in fact)

What could have happened and what to do?

  1. The nameservers may have been changed and the new ones have different zone content; this immediately breaks DNSSEC because of the lack of a DNSKEY record now. First action to solve the issue: go to the registrar and remove the DNSSEC material (the DS record) to have time to set up the nameservers again correctly
  2. Registrars were changed and the DS record was removed by registry or by new registrar. Your domain should then still resolve correctly, but you are not protected by DNSSEC anymore. First action to solve the issue: double check that your registrar handles DNSSEC (which means just being capable of sending DS records to the registry) and ask your DNS provider to activate DNSSEC again on your domain
  3. Probably many other cases, but they all depend on details you did not provide
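The failure described in the answer (a DS record still published in the parent zone while the new nameservers serve a different, or no, DNSKEY) can be checked offline once you have copied the parent's DS records and the child's DNSKEY records out of the authoritative answers. The following Python is an added example, not part of Patrick Mevzek's answer and not a Stack Exchange tool: it derives the DS a parent would publish from a DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4), flags any DS that matches no published DNSKEY, and classifies the delegation the same way the answer's "what could have happened" list does. The owner name example.com and both DNSKEY public keys are constructed sample values, not real keys.

```python
"""Offline DS <-> DNSKEY consistency check for one delegation.

A validating resolver trusts the child's DNSKEY only if some DS in the
parent zone matches it (same key tag, algorithm and digest). A DS that
matches no published DNSKEY makes the zone bogus for every validating
resolver; no DS at all makes it insecure (resolves, but unprotected).
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(presentation: str) -> bytes:
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64...' as dig prints it; return the RDATA bytes."""
    flags, protocol, algorithm, *b64 = presentation.split()
    pubkey = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def parse_ds(presentation: str):
    """Parse 'KEYTAG ALGORITHM DIGESTTYPE HEX...' into a comparable tuple."""
    tag, algorithm, digest_type, *hexparts = presentation.split()
    return int(tag), int(algorithm), int(digest_type), "".join(hexparts).upper()


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): a 16-bit folded sum."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """DS tuple a parent would publish for this DNSKEY: hash(owner wire form || RDATA)."""
    algorithm = rdata[3]  # RDATA layout: flags(2) protocol(1) algorithm(1) pubkey
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def orphaned_ds(owner: str, ds_lines, dnskey_lines):
    """Return the parent's DS records that none of the child's DNSKEYs match."""
    published = set()
    for line in dnskey_lines:
        rdata = parse_dnskey(line)
        for digest_type in DIGEST_ALGS:  # the parent may use any digest type
            published.add(ds_from_dnskey(owner, rdata, digest_type))
    return [ds for ds in (parse_ds(l) for l in ds_lines) if ds not in published]


def diagnose(owner: str, ds_lines, dnskey_lines) -> str:
    """Classify the delegation as secure, bogus (DS without DNSKEY) or insecure (no DS)."""
    if not ds_lines:
        return "insecure: no DS at the parent, the domain resolves but is not DNSSEC-protected"
    if orphaned_ds(owner, ds_lines, dnskey_lines):
        return "bogus: DS at the parent with no matching DNSKEY at the child, validation fails"
    return "secure: every DS is matched by a published DNSKEY"


def parent_ds_for(owner: str, dnskey_line: str) -> str:
    """Presentation-format DS line the registrar would have sent to the registry."""
    tag, alg, dt, digest = ds_from_dnskey(owner, parse_dnskey(dnskey_line))
    return f"{tag} {alg} {dt} {digest}"


# Constructed sample data (not real keys): the KSK the old nameservers published ...
OLD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
# ... and a different KSK on freshly set up nameservers that nobody told the registrar about.
NEW_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()
OWNER = "example.com."  # constructed owner name

if __name__ == "__main__":
    ds_at_parent = [parent_ds_for(OWNER, OLD_KSK)]
    print("before transfer:  ", diagnose(OWNER, ds_at_parent, [OLD_KSK]))
    print("after NS change:  ", diagnose(OWNER, ds_at_parent, [NEW_KSK]))
    print("after DS removal: ", diagnose(OWNER, [], [NEW_KSK]))
```

To use it against a live domain, paste the DS RDATA from the parent's authoritative nameservers into ds_lines and the DNSKEY RDATA from the child's nameservers into dnskey_lines, exactly the order of queries the answer recommends; a "bogus" result is the case where removing the DS at the registrar (or re-publishing the old DNSKEY) is the first repair step.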
