DNSSEC activation in CloudFlare DNS


I have activated DNSSEC for my domain name,

I use the cloudflare dns to manage my domain names, at my registar I cannot put DS fields but my registar tells me that the installation should be done at your place.

When I try to put the DS field through CLoudFlare, it doesn’t work.

Can you clarify for me?

DNSSEC is a hierarchical trust system. You enable DNSSEC is two steps. The first is to start signing your zone, which you do on the Cloudflare dashboard. The second step is to put the DS records Cloudflare give you into the parent zone. This second step can only be done by your registrar.

Who is your registrar? Can you share the zone?

1 Like


Thank you for your reply,

I got the answer to my request, in fact my LWS registar blocks my DNSSEC request because they only offer DNSSEC for customers who take vps from them ^^,

I would like to point out that I have a dedicated server at online,

I will change registar as soon as possible, I am thinking of returning my domain names to CloudFlare directly or to online I don’t really know yet

Your Registrar cannot block your request to add DS records, or only allow certain classes of customer to use DNSSEC, or impose other restrictions on your use of DNSSEC. Their registrar agreement with ICANNN states that:

Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC.

I am pretty sure that they cannot charge for that service, but I don’t have the reference to hand.


Can you name and share your registrar?

1 Like

It is however the case, here is the screenshoot, sorry it is in French:

Here is the registar : https://www.lws.fr/

ICANN rules regarding DNSSEC won’t necessarily apply to ccTLDs and if AFNIC does not require its registrars to offer DNSSEC they won’t be contractually obliged to offer it.

You could file a complaint with AFNIC and clarify with them if the registrar would actually be obliged to do so. If they are not you can only either not use DNSSEC or transfer the domain to a registrar which actually supports it.

The registrar agreement does not seem to address this in particular so it most likely will be up to the registrar.

As mentioned, you either keep it disabled or transfer to a registrar who supports it.

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.