[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live)

[Help](/c/help/9)

# Vercel broken DNSSEC chain on .tech domain blocking Google Workspace verification

10 views · 0 likes · 1 post


Megalucho34 Ops (@megalucho34-ops) · 2026-03-27

**Domain:** `zentialia.tech` (purchased through Vercel)

**Plan:** Hobby

**Issue:** Broken DNSSEC chain blocking all DNS verification

## Problem Description

I purchased the domain `zentialia.tech` through Vercel about 3 weeks ago. For the past 2 days I have been trying to verify this domain in Google Workspace but the verification keeps failing — both via `TXT` record and `CNAME` record.

I ran a DNSViz analysis and it clearly shows a **broken DNSSEC chain of trust**![:slight_smile:](https://emoji.discourse-cdn.com/unicode/slight_smile.png?v=15 ":slight_smile:")

*   There is a **stale DS record** in the `.tech` parent registry that points to **DNSKEY id=28487**, which no longer exists in Vercel’s nameservers.
*   This orphaned `DS` record causes DNSSEC-validating resolvers to return `SERVFAIL` when querying any record for `zentialia.tech`.
*   As a result, Google cannot see my `TXT` or `CNAME` verification records, even though they are correctly added in the Vercel DNS dashboard.

## Current vs Expected Behavior

*   **Current:** Any DNS query to `zentialia.tech` returns `SERVFAIL` on DNSSEC-validating resolvers. Google Workspace verification fails with “verification could not be completed.”
*   **Expected:** The `DS` record in the `.tech` registry should match the active `DNSKEY` in Vercel’s nameservers (or DNSSEC should be properly disabled), allowing DNS queries to resolve normally.

## What I’ve Tried

1. Added `TXT` record: 
```bash
google-site-verification=xDemDSSfK4bGaoKN4qb1pjdhEjPBQeEEWbqUOr42xJA
```
— already present for 2 days
2. Added `CNAME` record: 
```bash
yab3sivjwj27 → gv-4cnvptudvenckp.dv.googlehosted.com
```
— already present
3. Both verification methods fail because of the underlying DNSSEC issue
4. The Vercel dashboard does not expose any option to manage or disable DNSSEC

## What Needs to Be Done

*   The **orphaned DS record for `zentialia.tech` needs to be removed from the `.tech` registry** by whoever manages the registrar backend (Name.com / Vercel). This cannot be done by the user through the Vercel dashboard.
*   Could someone from the Vercel team please remove the stale `DS` record for `zentialia.tech` from the `.tech` registry? This would restore the DNSSEC chain of trust and allow Google Workspace verification to succeed.

Thank you!

tags: 
```html
<!DOCTYPE html><html data-beasties-container><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Domain Names, Registration, Websites &amp; Hosting | name.com</title>... (rest of HTML content) ...
```