Adding DNSSEC DS and DNSKEY record - flags not accepted?

I am using VPS and ISPConfig, while the domain is on CloudFlare nameservers.
Currently my .hr (croatia) TLD registry does not have an DS field when I manage my domain with their interface, so my only option is to generate through ISPConfig and add the DS/DNSKEY directly to the CloudFlare DNS interface. verifies DNSSEC with a public key encrypted with RSASHA1-NSEC3-SHA1.

Type: IN DNSKEY 256 3 7 …
Type: IN DNSKEY 257 3 7 …

I cannot select flags 256 and 257 because they are red colored when I press the button “Add record”.

The given DS and DNSKEY for the domain by the Web hosting cannot be added.

DS-record: IN DS <KEY_ID> 7 1 … IN DS <KEY_ID> 7 2 …

; This is a zone-signing key, keyid 55502, for IN DNSKEY 256 3 7 …

; This is a key-signing key, keyid 60630, for IN DNSKEY 257 3 7 …

The Flags* is colored red. Why?

Please help.

Or, running “dig” for RRSIG I see the one from CloudFlare, moreover dig for DNSSEC keys I also see.

Maybe, just adding the “DS” record to the CloudFlare through their DNS interface is enough?


  • dig DNSKEY @localhost +multiline
  • dig A @localhost +noadditional +dnssec +multiline

I got all the needed recorcds.

/etc/bind/named.conf.local - I see the signed
/etc/bind/named.conf.options - I have the dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;

Now I have to wait for some time to pass to “flush” the DS key record on the TLD (.hr - Croatia), right?

If your registrar doesn’t support DNSSEC, then you can’t add DNSSEC to your domain. DS records have to be added to the parent, and for you, that would be .hr

1 Like

So, it means I have to send a complain to the ICANN because .hr domain registry cannot accept and has no option on the domain management/administration for the DNSSEC?

Which means, the parameters given from CloudFlare cannot be added and DNSSEC cannot be activated?

But why they tell us DNSSEC over .hr domain TLD is possible, while it is not? Either they held few workshops regarding the DNSSEC.

> Ako ste korisnik .hr domene potrebno je u administraciji domene (samostalno ili preko ovlaštenog registrara) upisati DS zapise (engl. delegation signer) i na taj način omogućiti korištenje DNSSEC-a. DS zapise korisniku domene osigurava pružatelj hosting usluge kod koga su udomljene web stranice.

> If you are a .hr domain holder it is necessary to enter DS ( delegation signer ) records in the domain administration, individually or through an authorized Registrar and thus allow the use of DNSSEC. DS records are provided to the domain holder by hosting services.

Can someone write me and any help how can I write back to them to make it possible over their DNS interface to add the needed and support that feature?

Found it!

I did not saw the button “Add DS record” in the interface.

Kindly, mark this topic as solved.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.