Thanks for your question! To configure DNSSEC for your domain, you need to provision your public DNSSEC key information with the provider where you registered your domain. Steps:
1. Retrieve your DS and DNSKEY values from our web interface (click the 🛈 icon next to your domain);
2. Get in touch with your domain provider and send them your key information. Most providers will be satisfied with DS information, but some require DNSKEY.
3. Finally, use DNSSEC Analyzer to verify that everything is in order.
If you created your domain together with your account, your keys are also displayed on the confirmation page after sign-up. In case you missed that, you can always look them up using the API.
The “key type” value for CSK keys is identical to KSK keys, so just select KSK, corresponding to the value 257. (The label in the menu is incomplete and should read “KSK/CSK”.) The private key is certainly not required (and we do not expose it).
If these steps don’t lead to success, please contact your registrar and provide them with the DS and DNSKEY values. They should be able to set things up manually.
The registrar hasn’t answered yet. I tried to add the keys myself. I could only successfully add the DNSKEY. It doesn’t work for DS. But I used https://dnsviz.net to check the DNSSEC status of my domain and it seemed to work… Can it really work without adding DS keys?
The registrar can compute DS records from DNSKEY, so that’s generally ok. If you tell us your domain name, we can take a look whether everything is configured correctly.
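As an added illustration (not part of the original thread and not deSEC's code): a DS record is a key tag plus a hash over the owner name and the DNSKEY RDATA (RFC 4034), which is why it can be derived from the DNSKEY alone. The Python below computes it so that a DS value shown by a registrar can be compared with your DNSKEY; `example.com.` and the sample key are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (RFC 4509, RFC 6605)

def name_to_wire(name):
    """Canonical wire format of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY."""
    if not flags & 0x0100:  # Zone Key bit must be set (flags 256 or 257)
        raise ValueError("DS must refer to a zone key (flags 256 or 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(published_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """Compare a DS record's fields (tag, alg, digest type, digest) with the DNSKEY."""
    tag, alg, dtype, digest = published_ds
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return (tag, alg, dtype, digest.lower()) == expected

# Constructed sample key (not a real key): 64 placeholder bytes, algorithm 13.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY)
    print("example.com. IN DS %d %d %d %s" % ds)
```

A mismatch in `ds_matches` means the DS in the parent zone does not belong to the key the zone is signed with, which resolvers treat as a validation failure.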
I also have a problem setting up my domain beilmann.net, which I registered two days ago via the website desec.io. I sent the given information to my provider 1blu.de. I can’t see the DS records, but it seems to me that 1blu has added the keys; at least I’m not able to manage the domain via 1blu custom control any more. And I see that the NS records ns1.desec.io and ns2.desec.org are set.
But still there is no DNSSEC for my domain, and the DNSSEC analyzer gives an error: “No DS records found for beilmann.net in the net zone”.
So what can I do to use DNSSEC?
Thanks for your message! Yes, it looks like the NS records are set correctly for beilmann.net, and the DS records are missing.
Unfortunately, there’s nothing we can do to help you with that. Only your domain registrar (= provider where you registered the domain) is able to add the records (and is obliged to do so by your request).
Excuse me for butting in.
I just joined desec.io with the aim of enabling DNSSEC for a .de domain I own.
Currently I’m using Cloudflare as DNS, and my registrar is contabo.de.
I once tried to enable DNSSEC via Cloudflare, and then asked Contabo to add the DS record, who told me that they do not support DNSSEC.
(original version, translated from German: “After consulting with our technical department, we unfortunately have to inform you that we do not offer DNSSEC. Unfortunately, we cannot help you with this.”)
I read about deSEC recently and decided to give it another go, but of course I still need cooperation from the Registrar. That’s where I read your “and is obliged to do so by your request” (my emphasis).
Could you point me to that information? Maybe I could then ask my registrar again to add the DS record (and as a bonus I would move the domain from Cloudflare to deSEC).
Thanks in advance, and excuse me for “hijacking” this thread, but at least the topic/issue is the same.
Thanks for hijacking this thread. Welcome to deSEC.
We were in touch with DENIC about this precise question in October 2020, and they told me:
DENIC can merely offer DNSSEC; there is, however, no obligation on the provider side to support it.
Thus, the sentence in my previous post was incorrect, for which I’d like to apologize. (That is not to say that no top-level domain (TLD) registries prescribe DNSSEC support for their registrars; I can imagine that to be the case especially for some of the “new” TLDs from 2013 on. I believe I read something along those lines, which probably led me to the wrong statement.)
I’m afraid you will have to change your registrar then, or be unable to use DNSSEC (which does not exactly speak in your registrar’s favor). If you need suggestions for a registrar and how to do a smooth transition, please shoot us an email at support@desec.io.