Cloudflare does not serve additional DNSKEY records

Cloudflare allows me to add DNSKEY records to my zone:

I also have DNSSEC enabled. DS records for both Cloudflare’s keys and my own local keys are in the parent zone, and yet it seems like Cloudflare refuses to serve the DNSKEYs I have added manually:

$ dig ds +short
9994 8 2 2C6D83F1233B5050D49850F2F93D7D7D88398EF1A08EC552BE4DBF3E 948A8E1A
2371 13 2 D55AADADFEB6B169ED92151C509FE4CC958CB50040BE5919419FC976 7059F018

$ dig dnskey +short
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==

I expect to see FOUR DNSKEY records in the second dig request.
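Added example (not from the thread or from Cloudflare): a stdlib-only Python check that takes the two dig +short answers above, recomputes key tags and SHA-256 DS digests from the served DNSKEYs, and reports which parent DS records point at a key the child zone never serves, which is the situation described for the 9994/8 key. The zone name does not appear in the thread, so example.com. is an assumed owner name, and the digest of the Cloudflare DS will only verify under the real zone name.

```python
import base64
import hashlib
import struct

# Constructed sample: the two "dig +short" answers quoted in the thread.
# The zone name is not on the page, so "example.com." is an assumed owner.
ZONE = "example.com."
DS_TEXT = """9994 8 2 2C6D83F1233B5050D49850F2F93D7D7D88398EF1A08EC552BE4DBF3E 948A8E1A
2371 13 2 D55AADADFEB6B169ED92151C509FE4CC958CB50040BE5919419FC976 7059F018"""
DNSKEY_TEXT = """257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA=="""

def parse_ds(text):
    """-> [(key_tag, algorithm, digest_type, digest_hex)]; dig wraps the digest over spaces."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        out.append((int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()))
    return out

def parse_dnskey(text):
    """-> [DNSKEY RDATA bytes]: flags(2) | protocol(1) | algorithm(1) | public key."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        out.append(struct.pack("!HBB", int(f[0]), int(f[1]), int(f[2])) + base64.b64decode("".join(f[3:])))
    return out

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """SHA-256 DS digest (type 2) over canonical wire-format owner name + DNSKEY RDATA."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def classify_ds(owner, ds_records, dnskeys):
    """Map each parent DS (tag, alg) to 'ok', 'digest-mismatch' or 'missing-dnskey'."""
    served = {(key_tag(r), r[3]): ds_digest(owner, r) for r in dnskeys}  # r[3] = algorithm
    result = {}
    for tag, alg, dtype, digest in ds_records:
        if (tag, alg) not in served:
            result[(tag, alg)] = "missing-dnskey"  # DS published, but child never serves the key
        elif dtype == 2 and served[(tag, alg)] == digest:
            result[(tag, alg)] = "ok"
        else:
            result[(tag, alg)] = "digest-mismatch"  # wrong owner name/key, or non-SHA-256 type
    return result
```

Run against live data by feeding the output of `dig DS <zone> +short` (answered by the parent) and `dig DNSKEY <zone> +short` (answered by the child) into the two parsers with the real zone name as the owner.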

Why would you add DNSKEY records for the domain on the name server that’s returning results for the said domain? Maybe I’m just misunderstanding the setup.

Correct me if I’m wrong, but DNSKEY records are supposed to live in the zone they sign records for, right? So it is the right place for DNSKEY records.

My motivation is perhaps a bit unusual: I need to prove ownership of this domain using DNSKEYs I have stored locally to sign a challenge. For this particular purpose, I do not want Cloudflare to sign the challenge with the “shared” DNSKEYs they use for multiple customers.

You’re probably right, and that makes sense. You may have to open a ticket to see if there’s a way to set this up, though I’m just not seeing the use case. Why are they forcing you to prove ownership with DNSKEYs? It seems orgs are always looking for a new, difficult hoop for people to jump through.
