Do you know if this is expected, e.g. because it only applies when using the OVH DNS servers?
Also incidentally, I just wanted to report that when setting up the DS records, OVH asks for:
Key tag
Flag (257 for desec)
Algorithm (13 for desec)
Base64 public key
As this is none of the options mentioned in desec’s documentation I was a bit scared of getting one wrong; but it does seem to be working fine now, except for the OVH scary-red warning. Maybe it’d be worth mentioning in the docs that some providers may ask for a mixture of the various provided numbers?
Anyway, huge thanks to all the people who make deSEC work, for now it’s been an awesome experience migrating my DNSes to here!
It may depend on the registry. In my experience some registries, such as .de for example, seem to want the key instead of the hash. This does not seem to be dependent on the registrar as I have seen this with multiple registrars. The whois data for the domain even shows the key, not the hash in these cases.
That said, registrars like OVH, 1blu and probably many others could look up the DNSKEY themselves or use the CDNSKEY/CDS records or even automate the process completely (-> RFC 9615).