DNSSEC activation in CloudFlare DNS

mikka66 · January 24, 2021, 12:35pm

Hello,

I have activated DNSSEC for my domain name,

I use the cloudflare dns to manage my domain names, at my registar I cannot put DS fields but my registar tells me that the installation should be done at your place.

When I try to put the DS field through CLoudFlare, it doesn’t work.

Can you clarify for me?

michael · January 24, 2021, 1:07pm

DNSSEC is a hierarchical trust system. You enable DNSSEC is two steps. The first is to start signing your zone, which you do on the Cloudflare dashboard. The second step is to put the DS records Cloudflare give you into the parent zone. This second step can only be done by your registrar.

Who is your registrar? Can you share the zone?

mikka66 · January 25, 2021, 2:39pm

Hello,

Thank you for your reply,

I got the answer to my request, in fact my LWS registar blocks my DNSSEC request because they only offer DNSSEC for customers who take vps from them ^^,

I would like to point out that I have a dedicated server at online,

I will change registar as soon as possible, I am thinking of returning my domain names to CloudFlare directly or to online I don’t really know yet

michael · January 25, 2021, 2:49pm

Your Registrar cannot block your request to add DS records, or only allow certain classes of customer to use DNSSEC, or impose other restrictions on your use of DNSSEC. Their registrar agreement with ICANNN states that:

Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC.

I am pretty sure that they cannot charge for that service, but I don’t have the reference to hand.

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

Can you name and share your registrar?

mikka66 · January 25, 2021, 3:37pm

It is however the case, here is the screenshoot, sorry it is in French:

Here is the registar : https://www.lws.fr/

sandro · January 25, 2021, 5:05pm

ICANN rules regarding DNSSEC won’t necessarily apply to ccTLDs and if AFNIC does not require its registrars to offer DNSSEC they won’t be contractually obliged to offer it.

You could file a complaint with AFNIC and clarify with them if the registrar would actually be obliged to do so. If they are not you can only either not use DNSSEC or transfer the domain to a registrar which actually supports it.

sandro · January 25, 2021, 5:25pm

The registrar agreement does not seem to address this in particular so it most likely will be up to the registrar.

As mentioned, you either keep it disabled or transfer to a registrar who supports it.

system · January 30, 2021, 5:25pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.