OVH DNSSEC setup

Hello,

My registrar is OVH, I have migrated my DNS to deSEC, and I’m now trying to set up DNSSEC properly.

When I open the provided DNSSEC Analyzer link, all the checks return a green checkmark. But on the OVH web UI, I get the following scary-red display.

Do you know if this is expected, e.g. because it only applies when using the OVH DNS servers?

Also incidentally, I just wanted to report that when setting up the DS records, OVH asks for:

  • Key tag
  • Flag (257 for deSEC)
  • Algorithm (13 for deSEC)
  • Base64 public key

As this is none of the options mentioned in deSEC’s documentation I was a bit scared of getting one wrong; but it does seem to be working fine now, except for the OVH scary-red warning. Maybe it’d be worth mentioning in the docs that some providers may ask for a mixture of the various provided numbers?

Anyway, huge thanks to all the people who make deSEC work, for now it’s been an awesome experience migrating my DNSes to here! :tada:

1 Like

Hi Ekleog,

No idea – you’ll have to ask OVH about what their user interface displays. (Have you checked the (?) button?)

Indeed, asking for key tag and public key is not reasonable (because key tag is computed from public key). Anyway, if that’s what they do …

Then you’re good!

Stay secure,
Peter

1 Like
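
The point above, that the key tag is derived from the public key, can be checked before submitting a registrar form that asks for both. The following is an added example, not code from this thread or from deSEC: it computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS record (RFC 4509) from the flag, algorithm and Base64 public key. The function names, the `example.com` owner name and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA (RFC 4034, section 2.1): flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034, Appendix B): 16-bit sum over the RDATA with the carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def ds_record(name: str, flags: int, algorithm: int, pubkey_b64: str) -> str:
    """DS presentation form with a SHA-256 digest (digest type 2, RFC 4509)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

def form_is_consistent(entered_tag: int, flags: int, algorithm: int, pubkey_b64: str) -> bool:
    """True if the key tag typed into the registrar form matches the key itself."""
    return entered_tag == key_tag(dnskey_rdata(flags, algorithm, pubkey_b64))

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 public key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    # Hypothetical zone name; replace with the real domain and the DNSKEY values
    # shown by the DNS provider, then compare the output with the provider's DS record.
    print(ds_record("example.com", 257, 13, SAMPLE_PUBKEY_B64))
```

If the computed key tag or DS line differs from what the DNS provider displays, the public key was most likely altered while being copied (for example truncated), or the flag or algorithm value is wrong.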

It may depend on the registry. In my experience some registries, such as .de for example, seem to want the key instead of the hash. This does not seem to be dependent on the registrar as I have seen this with multiple registrars. The whois data for the domain even shows the key, not the hash in these cases.

That said, registrars like OVH, 1blu and probably many others could look up the DNSKEY themselves or use the CDNSKEY/CDS records or even automate the process completely (-> RFC 9615) :wink:

1 Like

Yes, but then they don’t need to ask for the key tag.

Stay secure,
Peter

1 Like

Thank you for your replies! And happy to hear that DNSSEC analyzer is a good authoritative answer :slight_smile:

1 Like

True. I missed the emphasis on the tag and indeed I have never needed to provide it.

fiwswe

1 Like