How to Setup DNSSEC for my New Custom Domain?


I registered with deSEC and setup my records via the API, however Verisign’s DNSSEC analyzer tells me that DS records are missing and hence DNSSEC cannot be verified.

What do I need to do in order to be able to use DNSSEC?


Hi Nils,

Thanks for your question! To configure DNSSEC for your domain, you need to provision your public DNSSEC keys with the provider where you registered your domain. Steps:

  1. Retrieve your public DNSSEC keys from our API, by making a GET request to your domain’s endpoint. The API response will contain a “keys” field with DNSKEY and DS entries.
  2. Get in touch with your domain provider and send them your key information. Most providers will be satisfied with the DS entries, but some require DNSKEY.
  3. Finally, use the DNSSEC analyzer to verify that everything is in order.

If you created your domain together with your account, your keys are also displayed on the confirmation page after sign-up. In case you missed that, you can always look them up using the API.

Stay secure,


If our registrar doesn’t support CSK keys, how can i achieve it ? ( He also asks for private key ???)

Here are the options I have :
dnssec1 dnssec2 dnssec3

Hi NewRedsquare,

The “key type” value for CSK keys is identical to KSK keys, so just select KSK, corresponding to the value 257. (The label in the menu is incomplete and should read “KSK/CSK”.) The private key is certainly not required (and our API does not expose it).

If these steps don’t lead to success, please contact your registrar, provide them with the DS and DNSKEY values. They should be able to set things up manually.

Stay secure,

The registrar didn’t answered yet. I tried to add myself the keys. I could only successfully add the DNSKEY. It doesn’t work for DS. But i used to check the DNSSEC status of my domain and it seemed to work… can it really work without adding DS keys ?

Hi NewRedsquare,

The registrar can compute DS records from DNSKEY, so that’s generally ok. If you tell us your domain name, we can take a look whether everything is configured correctly.

Stay secure,

1 Like


I also have a problem setting up my domain which I registered two days ago via thewebsite . I sent the given information zo my provider . I can’t see the DS-records, but it seems to me that 1blu has added the keys, at least I’m not able to manage the domain via 1blu custom control any more. And I see, that the NS records and are set.
But still there is no DNSSEC for my domain, and the DNSSEC analyzer gives an error: “No DS records found for in the net zone” .
So what can I do to use DNSSEC?

Thanks in advance

Hi Matthias,

Thanks for your message! Yes, it looks like the NS records are set correctly for, and the DS records are missing.

Unfortunately, there’s nothing we can do to help you with that. Only your domain registrar (= provider where you registered the domain) is able to add the records (and is obliged to do so by your request).

Good luck,

Hi Peter,

now the records are set, and all answers of DNSSEC Analyzer are “green”.

But now, there is another problem…
When I try to connect to my domain then I get the answer:

Unable to determine IP address from hostname
The DNS server returned:
Name Error: The domain name does not exist.

Can you please tell me, what I made wrong?


I queried your domain name via the DNS, and it looks like you have not created any DNS record sets.

Stay secure,

1 Like

Okay, thank you very much. Seems I have to learn a lot… :innocent:

Excuse for butting in :slight_smile:
I just joined with the aim of enabling DNSSEC for a .de domain I own.

Currently I’m using Cloudflare as DNS, and my registrar is
I once tried to enable DNSSEC via Cloudflare, and then asked Contabo to add the DS record, who told me that they do not support DNSSEC.

(original version: “Nach Rücksprache mit unserer technischen Abteilung, müssen wir Ihnen leider mitteilen, dass wir DNSSEC nicht anbieten. Wir können Ihnen hierbei leider nicht behilflich sein.”)

I read about deSEC recently and decided to give it another go, but of course I still need cooperation from the Registrar. That’s where I read your “and is obliged to do so by your request” (my emphasis).

Could you point me to that information?, maybe I could then ask again at my Registrar to add the DS record (and as a bonus I would move the domain from Cloudflare to deSEC :slight_smile:

Thanks in advance, and excuse me for “hijacking” this thread, but at least the topic/issue is the same.

Hi reinob,

Thanks for hijacking this thread :wink: Welcome to deSEC.

We were in touch with DENIC about this precise question in October 2020, and they told me:

DENIC kann DNSSEC lediglich anbieten, eine Pflicht zur Unterstützung von Providerseite gibt es dafür allerdings nicht.

Thus, the sentence in my previous post was incorrect, for which I’d like to apologize. (That is not to say that no top-level domain (TLD) registries prescribe DNSSEC support for their registrars; I can imagine that to be the case especially for some of the “new” TLDs from 2013 on. I believe I read something along those lines, which probably lead me to the wrong statement.)

I’m afraid you will have to change your registrar then, or be unable to use DNSSEC (which does not exactly speak in your registrar’s favor). If you need suggestions for a registrar and how to do a smooth transition, please shoot us an email at

Stay secure,

1 Like