Setting up DNSSEC

Hi there.
I have set-up 2 days ago my cloudflare account on my website (registar is not Cloudflare).
Everything is fine except DNSSEC. When I try to set it up the DS with the DNSSEC information from the DNSSEC section, I get the following error message : “ DNS validation error (code 1004): DS record must not appear at a zone APEX”. What does it mean ? How can I fix it ?
Thank your for your help.

PS : I cannot set it up from my original registar since the DNS parameters are now handled by cloudflare

The DS record must be set up at your registrar’s not on Cloudflare’s side.

1 Like

As you edited your original question

That is correct for anything that is under your nameservers’ control, but the DS record is not. As mentioned before, you have to configure this at your registrar’s. Contact them for details if it is not clear how to do that.

So I reached them out.
Their answer (LWS) is that I cannot modify DNS parameters with them since Cloudflare is handling my DNS server parameters. They also said I would need to move to a VPS offer (more expensive) to be able to change the DS record. That is unfortunate because they advertise Cloudflare without mentioning this limitation.

Cloudflare is managing your domains DNS, but certain records need to be in the parent zone. The most obvious is the NS records for your domain. When you joined Cloudflare you had your registrar add the correct NS values so that you could use Cloudflare. The DS records are exactly the same. Your registrar needs to add them, and in most cases nobody else can do this.

There are very limited circumstances where your registry (the people who actually run the TLD) will take the DS records from you directly. And in even fewer cases the registry will do this automatically using the CDNSKEY/CDS protocol (.ch and .cz being the only two that I recall).

This is just an up-sell. It’s like your mechanic saying you need to buy a new car from then to get an oil change. The solution is the same, get a new mechanic and/or registrar.

That is what I addressed already. We are not talking about your DNS records here but about the DS record. Cloudflare only provides the value here which you need to set up at your registrar.

That is a completely unrelated topic I am afraid. A VPS has nothing to do with your DNS setup.

That’s not a limitation. DS records are set up with your registry. If your registrar does not know this I’d recommend to switch registrar, as that’s their core business.

What’s your domain?

My domain is

The “limitation” is on their side ( of course.

Yes, there currently is no DS record at the registry.

$ dig DS

;		IN	DS

fr.			5400	IN	SOA 2227159762 3600 1800 3600000 5400

All right. I am not familiar with the requirements AFNIC has but if they do not mandate DNSSEC your registrar might not be required to set that up. In that case it might be best to transfer the domain to a registrar where you can actually configure that without issues.

Actually they advertise DNSSEC on their website and there’s a DNSSEC button on their dashboard but they deactivated it since I don’t use their DNS anymore. It is not very honest from them.

In that case you probably really can only change registrar. Maybe contact them once more to clarify that, but if a registrar tells you you need to set up the DS record on your authoritative nameserver, I’d honestly question their competence. Changing registrar might really be the best course.


I agree. I tried a last time. Thank you for your explanations.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.