How to configure DS records at Netcup

Hi everyone, I need your help again, as I wasn’t able to complete DNSSEC.

As advised in this forum, I send my public DNSKEY and DSKEY to Netcup and asked them, to set those values for the affected domain. They refered to their backend, where users can set those values up themselves.

However, I’m not sure what parameters to select. Do you have any ideas? Thanks!


Yeah, this is needlessly complicated. We should improve our instructions. The problem is that the registrar-side interfaces vary wildly.

If you look at your DNSKEY record, it is something like

257 3 13 <long-string>

The first number is the flags value, the second is irrelevant (it is always 3 and usually registrars don’t ask for it), and the third nmber is the algorithm value. The rest of the record is the public key, for which your interface has a separate field at the top.

Hope that helps!

Stay secure,

I understood it now the following way:

… as the public key public? normally no need to obfuscate it, right? @peter :face_in_clouds:

Hi bsz,

Thanks for your message, and welcome to deSEC! :slight_smile:

I’m not sure what your question is, but yes, the public key is public, so you don’t need to obfuscate it.

Stay secure,

thanks for the warm welcome :wink:
… just because I answered @neoda 's questions with concrete details.

I can also confirm that my posted settings are now working correctly for netcup.

I’m now curious, if these information are changing rarely, but are handled differently by registrar, if it make sense to gather these default configuration per dns registrar a thread or table?

Aha, great! Now I understand; I thought you had a question yourself.

That would make a lot of sense! I’m wondering what the best format would be; a forum thread would likely become very long if it included screenshots. Any suggestions?

Stay secure,

Hi all,
thank you very much for helping me out! With @peter 's hints I was able to finish the configuration and DNSSEC Analyzer looks satisfied. He only complains about the DS record. Is that something I can ignore?

Hi neoda,

Missing DS records are actually the problem :slight_smile: The steps discussed above should actually cause your domain to have DS records.

However, looking at DNSSEC Analyzer -, I cannot confirm what you are seeing – the DS for your domain is there.

.de needs a bit of time (an hour or so?) to update your domain’s configuration when you make a DNSSEC change. My guess is that you were just looking “too quickly”, before the change was in effect. It’s OK now.

Stay secure,

Hi Peter,

yes, I was too fast! Now, all checks are green! Thanks again for your assistence!

Best regards,