How to use Cloudflare on domain with DNSSEC enabled?

We have a domain registered at Metaregistrar that currently is using their own nameservers but also already has a secDNS Key added to it.

What would be the proper way to add this domain to Cloudflare?

Leaving the key will probably result in DNSSEC signing errors; We could edit remove the existing key and add the one Cloudflare gives us, but would this also have some kind of propagation period (TTL)?

Basically looking for the best way with zero downtime, while, if possible, leaving DNSSEC enabled the entire time.

I’d suggest multiple DS records at the registrar, but I wouldn’t bet a ton of money on it working…though I think it should work. I’d play it safe and disable DNSSEC a couple of days before the change.


So I gave it a try, and that does indeed work :slight_smile:

Also read online another answer on StackOverflow where someone referred to the same RFC document as you which indeed confirms that you can have multiple keys and not all of them have to be valid.

After having added a 2nd key and changing the nameservers the transition happened seamlessly and I can just remove the old (unused) key now.


Thanks for confirming. That will come in handy for others making similar changes.

1 Like

Be careful in doing this. If only one of the DS records uses a SHA-1 digest I think this will not work, as validating resolvers will ignore the SHA-1 completely. So tread carefully.


If a DS record with SHA-1 was used somewhere along the chain, wouldn’t DNSSEC just not have worked to begin with?

After adding my DS key and doing the NS change to Cloudflare, I will end up removing the old DS key.
If the above is correct, DNSSEC should still start working after that, correct?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.