Trying to Set Up DNSSEC WITH 1&1 (IONOS)

I contacted my website’s host (1&1 aka IONOS) with the hope that I could implement cloudflare.com’s DNSSEC protection for my website. They claim that they provide DNSSEC (for a yearly fee, of course); however, cloudflare.com offers this service via proxy at no charge.

Here is the “live chat” conversation I had with the 1&1 representative earlier today:

1&1
Hi, thank you for contacting 1&1 IONOS, how can I help you?

Customer
I would like to add a ds record to my account, in order to enable DNSSEC through Cloudflare. I do not see an option to submit a ds record in the DNS section of my account.

1&1
We understand that you would like to add that record; however, 1&1 IONOS does not have that function as we are not using the cPanel or Plesk interface.

Customer
Is there any way for me to use DNSSEC through cloudflare?

1&1
1&1 IONOS does not have that feature. If you would like to activate DNSSEC on your domain, we do have that as an additional feature which is called Domain Guard.

Customer
What is the name of the web server panel that you use?

1&1
We do have our own interface, we do not use cPanel or Plesk in shared hosting.

Customer
Is there currently a ds file associated with my webspace?

1&1
I cannot see any ds file on your webspace.

Customer
Does that mean you do not have access but it is possible that I do have a ds file? Or were you able to look and see that I do not have one in the place that it should be?

1&1
You may check on your webspace, just go to hosting & and choose WebSpace and click “Use Webspace”. If you want to activate DNSSEC for your domain, you need to have the Domain Guard, as we do not support ds records as well. Yes, it's possible with other providers as they support ds records as well. We do not use cPanel or Plesk; we have our own interface.

After reading some articles here on Cloudflare, I found ICANN’s Registrar Accreditation Agreement located here: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

Upon doing a keyword search for “DNSSEC”, I found near the bottom of the document it says:

  • ADDITIONAL REGISTRAR OPERATION SPECIFICATION

This Specification may be modified by ICANN from time to time after consultation with the Registrar Stakeholder Group (or its successor), provided that such updates are commercially practical with respect to the registrar industry, taken as a whole.

  1. DNSSEC. Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml and http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml. All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.

Can I interpret this to mean ICANN doesn’t want any registrars to withhold the use of DNSSEC from those who do not want to pay for it? If so, 1&1 is obligated to (at the very least) allow me to submit the appropriate information so I can utilize Cloudflare’s DNSSEC option.

I reported 1&1 to ICANN using their form.

What do you all think?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

I already found that thread from @djnate, but it was closed due to 30 days inactivity.

I also wanted to set up DNSSEC on my .de domain, which is a TLD that supports DNSSEC.
But after contacting IONOS they also told me it's only available (at IONOS) if you book an additional “Domain Guard” service, which is more expensive than the domain itself.

As I can understand they demand money for a service which would be implemented with one click, I cannot understand that they do not even offer the option to manually add DS entries to the zone, which is required to set up DNSSEC.

For more than 12 years I have been a very satisfied 1und1 (now IONOS) customer. But with time things changed.

  1. (2015) Registered at Cloudflare
  2. (2016) I pointed all name servers (aside from one domain) to the ones from Cloudflare
  3. (2017) registered a Partner Account (not usable anymore?)
  4. (2017) set up my own Railgun server, well at least tested it…
  5. (2020) want to implement DNSSEC and every service provider is very motivated to allow this, but not IONOS

What I had at IONOS:

  1. Domains (moved soon)
  2. ~~DNS~~
  3. Server

Soon I will move ALL Domains to another Domain Hoster which is:

  1. cheaper
  2. allows custom NS
  3. allows DNSSEC entries

For me this is very disappointing as I like the servers there, but it seems like it's time to outsource everything else - for me this is OK as my whole domain setup is set up to be independent.

Mail server is separate ✓
Web server is separate ✓
Servers are separate ✓
Backups are separate ✓

Does any of you guys know a good domain hoster for .de domains? Or will Cloudflare be able to host .de domains anytime soon, as promised years ago?

I personally thought about do.de as they state at the bottom of THIS page:

Which translated means:

That sounds like I will at least be able to use DNSSEC with them when I use an external DNS service like Cloudflare.
I will contact their customer service and verify if it's possible.

Did you guys want to set up DNSSEC, in particular on .de domains, and what are your experiences with this?

I at least will keep this post up to date.

@M4rt1n - I have merged yours with the original post and given it 14 days after last reply before closing.

@M4rt1n, I stuck to my quest to force IONOS to change my DS info/records in order to use Cloudflare’s services.

I looked up the ICANN (governing body of all domains, located in California) information regarding the contractual obligations that EVERY registrar MUST comply with, in order to sell and serve domains. Within the legal documents at ICANN - there is a stipulation that ALL domain/registrar, sellers/providers MUST allow end users to have access to DNSSEC if they wish to use it. It does not specify if they are allowed to charge for access to these options. However, after I filed a direct complaint against IONOS with ICANN, magically, all of a sudden I got through to the appropriate people at IONOS.

The people you reach if you call or do a live chat with someone - are all just “tele-marketers”/sales people who work from a pre-written script and cannot answer questions which are not covered on their script. That is why you were told that you HAVE to buy the stupid Domainguard service.

After filing the complaint with ICANN (technically the report ended up being handled by another party called Global Support on behalf of ICANN), I ended up getting emails from a Domain Administrator at IONOS - Ed Leo. IONOS Domain Administration’s phone number is 484-254-5555. They did go in and change my DS records after I sent them the data they needed to do so.

I gave a very detailed and unfavorable review of their customer support and ended up with a credit towards my next domain/basic service contract in the amount of $50.

If you need any help or get stumped at any point in your process (that is - if you want to go through those steps), I would be happy to help you personally.

Thank you for your Post!
Where exactly can I file these complaints?

I would like to do so as well, as I’m pretty annoyed that they do not offer this by default.
But in the long term this is only needed for the .de domains, as I will transfer all others to Cloudflare anyway.

Hi All,

With the likes of IONOS, GoDaddy and similar - they will rip you off. I was in the same boat and was paying additional fees for things that are free.

I’m not paid to do any promotions, but after transferring my domains to Gandi.net registrar (they are based in France) all my issues with domain management became things of the past. They support all features out of the box. (i.e. GoDaddy charge £15 p.a. for domain privacy). Just look it up.

Gandi also say - No Bullshit since 1999 :)

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.