Vercel broken DNSSEC chain on .tech domain blocking Google Workspace verification

Domain: zentialia.tech (purchased through Vercel)

Plan: Hobby

Issue: Broken DNSSEC chain blocking all DNS verification

Problem Description

I purchased the domain zentialia.tech through Vercel about 3 weeks ago. For the past 2 days I have been trying to verify this domain in Google Workspace but the verification keeps failing — both via TXT record and CNAME record.

I ran a DNSViz analysis and it clearly shows a broken DNSSEC chain of trust:

  • There is a stale DS record in the .tech parent registry that points to DNSKEY id=28487, which no longer exists in Vercel’s nameservers.
  • This orphaned DS record causes DNSSEC-validating resolvers to return SERVFAIL when querying any record for zentialia.tech.
  • As a result, Google cannot see my TXT or CNAME verification records, even though they are correctly added in the Vercel DNS dashboard.

Current vs Expected Behavior

  • Current: Any DNS query to zentialia.tech returns SERVFAIL on DNSSEC-validating resolvers. Google Workspace verification fails with “verification could not be completed.”
  • Expected: The DS record in the .tech registry should match the active DNSKEY in Vercel’s nameservers (or DNSSEC should be properly disabled), allowing DNS queries to resolve normally.

What I’ve Tried

  1. Added TXT record:
     google-site-verification=xDemDSSfK4bGaoKN4qb1pjdhEjPBQeEEWbqUOr42xJA
     — already present for 2 days
  2. Added CNAME record:
     yab3sivjwj27 → gv-4cnvptudvenckp.dv.googlehosted.com
     — already present
  3. Both verification methods fail because of the underlying DNSSEC issue
  4. The Vercel dashboard does not expose any option to manage or disable DNSSEC

What Needs to Be Done

  • The orphaned DS record for zentialia.tech needs to be removed from the .tech registry by whoever manages the registrar backend (Name.com / Vercel). This cannot be done by the user through the Vercel dashboard.
  • Could someone from the Vercel team please remove the stale DS record for zentialia.tech from the .tech registry? This would restore the DNSSEC chain of trust and allow Google Workspace verification to succeed.

Thank you!
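
The check behind the DNSViz finding described above, as an added example that is not part of the original post: it computes the RFC 4034 key tag and SHA-256 DS digest for each DNSKEY a zone publishes and classifies every DS record held by the parent as matching, mismatched, or orphaned. The zone name `example.tech.`, the key material and all function names are constructed for illustration; only digest type 2 is handled and RRSIG validation is not performed.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """DS with digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def audit_ds(owner, parent_ds, child_dnskeys):
    """Classify each parent-side DS against the DNSKEYs the child serves."""
    results = []
    for ds in parent_ds:
        status = "orphaned"  # no DNSKEY carries this key tag and algorithm
        for rdata in child_dnskeys:
            if key_tag(rdata) == ds["key_tag"] and rdata[3] == ds["algorithm"]:
                same = make_ds(owner, rdata)["digest"] == ds["digest"]
                status = "ok" if same else "digest-mismatch"
                if same:
                    break
        results.append((ds["key_tag"], status))
    return results

def chain_intact(results):
    """A validator needs at least one DS that matches a published DNSKEY."""
    return any(status == "ok" for _, status in results)

# Constructed sample: the parent still holds a DS for a key the zone dropped.
ZONE = "example.tech."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))       # no longer served
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))  # currently served
STALE_PARENT = [make_ds(ZONE, OLD_KSK)]

if __name__ == "__main__":
    report = audit_ds(ZONE, STALE_PARENT, [NEW_KSK])
    print(report, "chain intact:", chain_intact(report))
```

A stale DS alongside a valid one still leaves the chain intact; validation fails only when no DS in the parent matches any DNSKEY the zone serves.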
