Google Cloud Professional Cloud Network Engineer — Question 31
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC validating resolves are unable to resolve names in your zone.
What should you do?
Answer options
- A. Update the TTL for the zone.
- B. Set the zone to the TRANSFER state.
- C. Disable DNSSEC at your domain registrar.
- D. Transfer ownership of the domain to a new registrar.
Correct answer: C
Explanation
The correct action is to disable DNSSEC at your domain registrar because the DS records may still be present there, causing validation failures. Updating the TTL, setting the zone to TRANSFER, or transferring to a new registrar will not resolve the underlying issue related to the existing DS records at the registrar level.