DNSSEC won't activate

Hello,
Cloudflare asks me to use protocol 2 (SHA-256) to enable dnssec, but my domain name (leoseguin.fr) only supports protocol 3 (GOST R 34.11-94), according to Hostinger.
TY

Hello!

If Hostinger doesn’t allow you to select Digest Type 2, there might be a setting they can change for you to enable it. Have you asked their Support team about this at all?

I found this YouTube video from 9 months ago showing the fields, perhaps it can help.

yes I contacted Hostinger (several times) and they told me that protocol 2 was not available for my domain. Note that now there is no select box for the protocol but a default value that I cannot change…

I do find it curious that they specifically note that it’s not available for your domain. They didn’t say it’s generally not available. There might be a specific limitation on the TLD (.fr) that they have to respect.

Doing a quick whois on your domain name shows that it’s registered through AFNIC, perhaps it’s worth an email to them to see if it’s them or Hostinger enforcing this.

Just out of curiosity, have you attempted to set it with whatever the default is? Does it work?

1 Like

yes I tried with the default parameters and it does not find the dns records. Before I contacted Hostinger, there was a selectbox with protocol 2 and 3. However, each time I chose 2, it gave me 3. And now that I contacted them, I no longer have a choice. I will try to contact AFNIC, but I bought the domain on Hostinger…

well after having contacted AFNIC, it seems that there is nothing they can do about it and that’s the way it is… so no DNSSEC

AFNIC : First of all, note that Afnic as a registry does not directly manage domain names, nor the configuration of name servers: it is the role of the registrars who manage the domain name. on behalf of the account holder (his client). Note that DNSSEC is available from all accredited registrars.

HOSTINGER : As we explained to you the domain provider does not support protocol 2 there is nothing you can do to change this, AFNIC provides the domains to the registrar and each registrar has its own rules so we who buy the domains from these providers we must follow these rules and even if you contact anyone these rules cannot change unless the registrar himself decides to change it.

Nice…

This is unfortunate. AFNIC is the entity that owns the .fr domains and while they may not directly register domains, they are allowed to dictate how their domain TLDs get used.

At this time I’m checking with my teams to see what can be done.

3 Likes

Cloudflare conforms to the RFC standards when it comes to how DNSSEC is implemented.

Per RFC 8624 Section 3.3;

GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in [RFC6986]. GOST R 34.11-2012 has not been standardized for use in DNSSEC.

Additionally, the Recommendation section for what to use explicitly lists Type 3 as “MUST NOT” for Delegation/Generation;

   +--------+-----------------+-------------------+-------------------+
   | Number | Mnemonics       | DNSSEC Delegation | DNSSEC Validation |
   +--------+-----------------+-------------------+-------------------+
   | 0      | NULL (CDS only) | MUST NOT [*]      | MUST NOT [*]      |
   | 1      | SHA-1           | MUST NOT          | MUST              |
   | 2      | SHA-256         | MUST              | MUST              |
   | 3      | GOST R 34.11-94 | MUST NOT          | MAY               |
   | 4      | SHA-384         | MAY               | RECOMMENDED       |
   +--------+-----------------+-------------------+-------------------+

This means Cloudflare is recommended that we MUST NOT generate this key.

TL;DR: Type 3 is outdated/superseded and either Afnic or Hostinger haven’t updated their rules to allow the newer types to be used.

2 Likes

ok thanks for your help, i will try another registrar (maybe OVH)

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.