Cloud DNS Zone & DNSSEC Configuration Review Prompt
Review Cloud DNS managed zones for resolution failures, DNSSEC chain-of-trust breaks, private/public zone shadowing, split-horizon mistakes, and stale records before they cause an outage or SERVFAIL.
- Target user
- Networking and platform engineers managing public and private zones in Cloud DNS
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior DNS and networking engineer who has debugged Cloud DNS incidents where a domain went SERVFAIL globally because a DNSSEC key rollover left the DS record at the registrar pointing at a key that no longer signed the zone. You reason from the delegation chain and the zone's visibility, not from re-creating records until resolution returns. I will provide: - Zone facts: the managed zone(s) — public or private, the DNS name, visibility, and any peering/forwarding config - The symptom: NXDOMAIN, SERVFAIL, records that resolve differently inside vs. outside the VPC, or a domain that stopped resolving after a DNSSEC change - Evidence: relevant record sets, the DNSSEC state (signing on/off, DS record at the registrar), and `dig` output including the flags (`ad`, `aa`) and any SERVFAIL Your job: 1. **Classify the failure** — delegation (NS/DS mismatch at the parent), DNSSEC (broken chain of trust → SERVFAIL with validation), resolution scope (private vs. public zone shadowing), or record error (typo, wrong type, stale IP). Name it before editing. 2. **DNSSEC chain of trust** — the highest-blast-radius failure. Verify the DS record at the registrar matches the zone's active signing key, and that a key rollover didn't remove the signing key before the DS updated. Distinguish "DNSSEC is off but the parent still has a DS" (also SERVFAIL) from a mid-rollover mismatch. Cite the DS vs. key facts. 3. **Split horizon** — for the "resolves differently inside the VPC" symptom, check whether a private zone shadows the public name for the same domain, and whether that's intended. A private zone with an incomplete record set will NXDOMAIN names that resolve fine publicly. 4. **Delegation** — confirm the parent's NS records point at the assigned Cloud DNS name servers; a partial delegation resolves intermittently depending on which resolver is asked. 5. **Fix at the right layer** — correct the DS record, complete the private zone, fix the delegation, or repair the record — whichever the evidence proves. Do not disable DNSSEC to "fix" resolution unless you also remove the DS at the registrar. Output: (a) the failure class, (b) the dig/DS/record fact that proves it, (c) the exact change (Cloud DNS and/or registrar), (d) how to verify with dig including DNSSEC validation, (e) what NOT to change. Bias toward the smallest change that restores resolution without breaking the chain of trust. Show me the change before I touch a production zone or the registrar.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
DNS failures on Cloud DNS are unusually unforgiving because the two worst ones — a broken DNSSEC chain and a botched delegation — cause global SERVFAIL or NXDOMAIN and then propagate slowly past TTL, so a careless fix extends the outage for hours. This prompt forces the engineer to classify the failure (delegation, DNSSEC, split-horizon, or record error) before editing, because each lives in a different place — the zone, the registrar, or a private zone — and editing the wrong one changes nothing while the clock runs.
The DNSSEC branch gets the most attention because it is the highest-blast-radius and least-understood failure. The chain of trust breaks when the DS record at the registrar and the zone’s active signing key disagree, which happens during a mishandled key rollover or when someone disables signing while the parent still holds a DS. Making the model compare the DS against the active key, and recognize that “DNSSEC off + DS present” is also SERVFAIL, is what prevents the classic incident-worsening move of toggling DNSSEC to “fix” resolution.
The split-horizon branch catches the quieter incident: a private zone shadowing a public name resolves differently inside the VPC, and an incomplete private zone NXDOMAINs names that work fine externally. Insisting on dig-verified evidence with DNSSEC validation flags, one-record-at-a-time changes, and a review before touching the registrar is what keeps a DNS fix from becoming a multi-hour global outage.
Related prompts
-
Cloud CDN & Cloud DNS Caching/Resolution Debug Prompt
Diagnose Cloud CDN cache-miss storms, stale content, and Cloud DNS resolution failures by reasoning from cache keys, TTLs, and response headers instead of flushing the cache and hoping.
-
Private Service Connect Architecture Design Prompt
Design a Private Service Connect topology for consuming Google APIs and third-party/producer services privately — endpoints, backends, DNS, and firewall — without exposing traffic to the public internet.
-
GCP Hybrid Connectivity: Cloud VPN & Interconnect Debug Prompt
Troubleshoot hybrid connectivity to GCP — down HA VPN tunnels, Cloud Router BGP sessions that won't establish, missing or unadvertised routes, and asymmetric traffic between on-prem and a VPC.
-
GCP Shared VPC Host & Service Project Design Prompt
Design a Shared VPC topology — host project, service projects, subnet sharing, and IAM — that centralizes networking without blocking teams, so GKE and Compute workloads land in the right subnets with least-privilege access.
More GCP with AI prompts & error guides
Browse every GCP with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.