How to enable DNSSEC, esp. how to set DS records, if deSEC is only the DNS hoster, but the DNS registrar is a 3rd party (e.g. Strato)?

At the moment my domain (e.g. is registered via and hosted by a 3rd party (e.g. Strato in my case). My current registrar and hoster only supports very limited options to configure the DNS records for my domain, but first and foremost it supports neither DNSSEC nor DANE. Hence, I am considering using deSEC as my DNS hoster.

According to my understanding of DNSSEC, it is not sufficient to change the NS records for to point to the name servers at deSEC, but there must also be DS records for the public key which verifies the resource records of the zone and those DS records must be part of the parent zone (e.g. de in my case). Hence, ultimately those DS records must be part of the de zone (which is managed by DENIC in my case) and I have to go through my DNS registrar (e.g. Strato) to have them set for me. Am I right?

However, it appears to me that Strato only provides a form to change the NS records, but not the DS records. This means I am lost here, right? I can transfer the DNS hosting to deSEC (by changing the authoritative NS server), but I cannot get DNSSEC to work, right?

Did I misunderstand something here? Are there other options I am unaware of? Maybe there is some (miraculous) way in which deSEC takes care of the proper DS records which I have missed.

You probably need to contact Strato support.

I have no personal experience with Strato, so I don’t know whether they can help you, or how persistent you need to be to get competent help.

deSEC e.V. does not have any magical way to update the parent zone of your domain. (If they did, that would allow anyone to do so, which would be a very bad security issue!)

Good luck!
And please let us know whether Strato support was able to help.



Thanks for the response. So it is indeed as I assumed and my understanding of how DNSSEC works is correct.

All my past experience tells me that the Strato support is nearly non-existent and/or extremely incompetent. On top, they have a paid extra service (called “Domain Guard”) which allows one to use DNSSEC but also includes a lot of other snake oil stuff. Actually, DNSSEC is the only reasonable benefit of “Domain Guard”, but at the same time “Domain Guard” is the only way one can obtain DNSSEC from Strato. I have already got in touch with Strato and they tried to talk me into that.

Guess it is time to look out for a new DNS registrar.

Hi! I’m using Febas ( as DNS registrar (I’m not affiliated with them), their support seems to be competent and knows what to do when I send them my DNSSEC records :slight_smile: They are usually added within a couple of hours.

Netcup ( is another option; there you can manage the external DNS servers including DNSSEC records on the web UI.

Hi nagmat84,

Thanks for your message, and welcome to deSEC! :slight_smile:

All your observations are correct.

If you are willing to move to another domain provider, we think that would be a sweet step to support our mission, which is to improve Internet security, both technical and via market mechanisms.

As a tax-exempt non-profit, we avoid public statements that could be construed as advertisement (because that would threaten our tax-exempt status). I’m happy to recommend something via email, though – feel free to get in touch.

Stay secure,
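
Added example (not part of the thread and not deSEC's code): a DS record is the key tag, the algorithm and a digest of the zone's DNSKEY, so once a registrar has entered it, the published value can be checked offline against the key. The sketch assumes digest type 2 (SHA-256) as defined in RFC 4034 and RFC 4509; the domain `example.de`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample input: NOT a real key, just 64 placeholder bytes.
SAMPLE_NAME = "example.de"
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256 = 257, 3, 13

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034, Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def make_ds(name, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) using SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(published, name, flags, protocol, algorithm, pubkey_b64):
    """Check a DS in presentation form ("tag alg type digest") against the DNSKEY."""
    tag, alg, dtype, *digest = published.split()
    seen = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return seen == make_ds(name, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_NAME, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, SAMPLE_KEY_B64)
    print(f"{SAMPLE_NAME}. IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
```

A mismatch between the DS in the parent zone and the DNSKEY served by the DNS hoster makes validating resolvers treat the zone as bogus, so this comparison is worth running before relying on the new delegation.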