How to enable DNSSEC


I am facing an issue regarding DNS setup. I have already pressed the option in the Cloudflare dashboard to enable DNSSEC and sent the DS record to the domain registrar. It seems like the registrar added the record to the root domain, but for some reason the keys do not match:

We have already tried to disable/enable this configuration on both sides with intervals of 24h or more, but it didn’t help. Right now the registrar suggests that I should add an A record, but I do not host a page and do not plan to do so; also, it should work without A/AAAA records AFAIK.

The DS record that is suggested by Cloudflare has id 2371, but .me is looking for 41783.

Thank you in advance!

You need to make sure the DNSSEC settings on your registrar’s side match exactly what Cloudflare provided on the DNS screen.

In your particular case you seem to have entered the wrong key tag.

Hmm, so you mean that the key shown by .me should be 2371? I have copy-pasted 1:1 what Cloudflare showed me, so it may be an issue on the registrar's side then?

If you have copy-pasted it, your registrar might have changed something and you’d need to clarify that with them.

Right now DNSSEC is not working because what your registrar returns does not match the configuration on Cloudflare.

Cool, I opened a ticket a few days ago, so I will try to clarify it with them. Could you also confirm/negate the hypothesis they proposed, that I need an A/AAAA record to set up DNSSEC? It seems weird to me.

There should not be any such record necessary. You need the DS record with the information provided by Cloudflare. That needs to be set up by your registrar and that should be it.

Currently you have this

$ dig +short DS
41783 13 2 15846ADD819D09D530D4F05D28A2E910EBF28262F40433ACA44ACC4D 64AA2371

And that would not seem to be what Cloudflare provided.
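An added example, not part of any reply in this thread and not Cloudflare's or the registrar's code: it derives the DS fields (key tag per RFC 4034 Appendix B, SHA-256 digest over owner name plus DNSKEY RDATA) from a key-signing DNSKEY and reports which fields of a published DS line differ. The function names, the `example.me.` owner name and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def expected_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest) for a DNSKEY."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def parse_ds(line):
    """Parse one line of `dig +short DS` output; dig may split the digest with spaces."""
    tag, alg, digest_type, *digest = line.split()
    return (int(tag), int(alg), int(digest_type), "".join(digest).upper())

def mismatched_fields(published, expected):
    """Names of the DS fields where the parent's record differs from the expected one."""
    names = ("key_tag", "algorithm", "digest_type", "digest")
    return [n for n, p, e in zip(names, published, expected) if p != e]

if __name__ == "__main__":
    # Constructed sample key (not a real zone key): KSK flags 257, protocol 3, algorithm 13.
    pub = base64.b64encode(bytes(range(64))).decode()
    want = expected_ds("example.me.", dnskey_rdata(257, 3, 13, pub))
    # Constructed registrar output: same digest, different key tag.
    line = "41783 %d %d %s %s" % (want[1], want[2], want[3][:56], want[3][56:])
    print("expected :", want)
    print("published:", parse_ds(line))
    print("mismatch :", mismatched_fields(parse_ds(line), want))
```

For a real zone, the inputs are the flags-257 record from the zone's DNSKEY answer and the DS line the parent zone returns.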

Cool! Thank you for the help.
