dns – Transferred .com domain without first disabling DNSSEC – what can be done?


It transpires that the previous registrar had applied DNSSEC records.

Normally a registrar does not do things by itself, at least it does not add DNSSEC records (that is typically DS data) unless advised so by the current owner of the domain.

How can this be resolved? Is there a way I can find out when previous entries will expire?

Go immediately to the current sponsoring registrar and make it remove the DS data at the registry. After one day (because the TTL on DS records at the .COM registry is one day) the problem will clear itself.

You may want to look at this other similar question here: Long propagation times after transferring a domain name and changing the NS records without disabling DNSSEC, where I answered with long explanations.

Of course, you have now learned a very valid lesson: DO NOT TRANSFER between registrars domain names that are DNSSEC enabled. This is an edge case that is currently not well addressed. There are various ways, but no really clear and simple solution.
If you are not mastering DNSSEC it is probably better to remove it, wait “enough”, then transfer it. Otherwise, if you need to keep DNSSEC at all times, you need to make sure that your nameservers stay the same and resolve DNSSEC the same during and after the transfer (which may be another good lesson to keep: using your registrar as DNS provider is not necessarily always a good idea, specifically here when you transfer out of it; in most cases it will stop operating the DNS service as soon as the domain leaves it, and even if it does not, you then have the problems related to key management inside DNSSEC).

An even better registrar (but I am not sure I know one doing so) would detect, prior to attempting the transfer, that the domain is DNSSEC enabled and at least warn you about that. Until that happens, unfortunately, you need to double check that yourself before attempting a transfer.

The new provider is not using DNSSEC.

What does provider mean here, the new registrar or the new DNS provider (the registrar can be the DNS provider, but it is still two different jobs)?

Indeed, DNS providers need to explicitly support DNSSEC as they need more than just allowing some specific resource records in the zone file, they also need to maintain the keys and rotate them, compute the signatures either online or offline, etc.

But at the registrar level, at least in .COM, all of them are contractually required to support DNSSEC, because of their contract with ICANN. The specific job of a registrar regarding DNSSEC is just forwarding the data that the owner has input (like DS content) and sending it to the registry. It is a one-time job (except when you need to change the DS record of course, but in normal DNSSEC setups this happens every year or 2 years typically), so not a big problem.

It may be difficult to be 100% sure before using it whether a registrar allows DNSSEC, because even if they are all contractually required to do it (in gTLDs at least) it can be more or less simple (going from a fully automated UI that the owner can freely use, to having to contact customer service, send information over email and pray that the human being at the other end understands what it is about).
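To make concrete why a DS record left at the registry breaks resolution once the new DNS provider serves an unsigned zone, here is an added example (not from the original thread) that computes the DS record the way a registrar forwards it to the registry (RFC 4034 key tag and SHA-256 digest) and mimics a validating resolver's delegation check. The domain `example.com`, the key bytes and the function names are constructed for the demo; the key material is not a real key.

```python
import hashlib
import struct

# Constructed sample material, not real keys: algorithm 13 (ECDSAP256SHA256)
# carries a 64-byte public key, so any 64 bytes have the right shape here.
OLD_PROVIDER_PUBKEY = bytes(range(64))        # key the previous DNS provider signed with
NEW_PROVIDER_PUBKEY = bytes(range(64, 128))   # a fresh key a new signing provider would use


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.rstrip(".").lower().split("."))
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS as sent to the registry: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def resolvable(owner: str, ds_at_registry: set, dnskeys_at_apex: list) -> bool:
    """Validating resolver's view of the delegation.

    No DS at the parent: insecure delegation, resolves normally.  DS present:
    some DNSKEY at the child apex must hash to one of them, otherwise the
    chain is bogus and the resolver answers SERVFAIL.
    """
    if not ds_at_registry:
        return True
    return any(ds_from_dnskey(owner, k) in ds_at_registry for k in dnskeys_at_apex)


OLD_KEY = dnskey_rdata(257, 3, 13, OLD_PROVIDER_PUBKEY)
NEW_KEY = dnskey_rdata(257, 3, 13, NEW_PROVIDER_PUBKEY)
# DS data the previous registrar published and that resolvers may keep cached
# for up to the .COM DS TTL (86400 s) after the new registrar removes it.
STALE_DS = {ds_from_dnskey("example.com", OLD_KEY)}
```

With `STALE_DS` at the registry, `resolvable("example.com", STALE_DS, [])` (new provider serves no DNSKEY) and `resolvable("example.com", STALE_DS, [NEW_KEY])` both come back False, while an empty DS set (after removal and TTL expiry) resolves again.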