Adding DS record to Cloudflare domain

I’m trying to enable DNSSEC on my domain. My registrar for this domain is Cloudflare. I’ve set up a server (mail-in-a-box) at I’ve got this all set up, and am trying to add a security enhancement (DNSSEC). Here’s my process:

  1. Collect the DS records information from mail-in-a-box. They dictate exactly what the record should be.

  2. Click “enable DNSSEC” on Cloudflare’s DNS tab (right below “Custom name servers”, right above “CNAME Flattening”). It tells me “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.”

  3. Try to add the DS record into Cloudflare’s DNS. I enter the relevant information from the mail server I’m trying to spin up: 3600 IN DS 20154 7 2 [digest], which is what mail-in-a-box says to do. When I try to add that DS record, I see the error message “DNS Validation Error (Code 1004) DS records must not appear at a zone apex.”


  4. I’m launching this mail server at When I change the “name” field to box, I get the error message “DNS Validation Error (Code: 1004) DS record must have a corresponding NS record at”

How do I enable DNSSEC?

It looks like DNSSEC is not enabled for your domain. It’s in the DNS section of Scroll down past the DNS records.

This is not necessary. DS records go in the parent zone, not in the zone itself.

In your case, as Cloudflare is your registrar, they will add the records to the parent automatically. Just click the Enable DNSSEC button, and wait an hour before testing with your preferred tool. There is nothing else you need to do in the dashboard.

