Registrar cannot register DNSKEY


I registered my domain ( a couple of days ago and set everything in motion to activate DNSSEC. I don’t have the possibility to add DS or DNSKEY records myself but my registrar, who is really helpful btw, let me know they could not configure the DNSKEY. They ran into an error (see screenshot below).

Any idea what’s going wrong ?
AFAIK they’re selecting the correct properties…


Hi Pieter,

Thanks for your message, and welcome to deSEC! :slight_smile: Sorry for the late response.

The error message says “wrong key tag”. The key tag is redundant information (it can be computed from the other key fields), and it is normally not used when entering a DNSKEY. (It is mainly used in DS records.)

The key tag for your key is 6630, so please tell your provider to try this value. (This is also the value that should appear in the first field of your DS records in our web interface, so take a look there to verify.)

The 257 value actually belongs into the “flags” field, and KSK means the same as 257.

You can see all these details using dig:

$ dig +multi DNSKEY | grep -A4 "ANSWER SECTION"
;; ANSWER SECTION:		3600 IN	DNSKEY 257 3 13 (
				) ; KSK; alg = ECDSAP256SHA256 ; key id = 6630

Clearly, this is another case of DNSSEC web interfaces causing confusion, and standing in the way to DNSSEC adoption. I hope that I could clear it up!

Stay secure,

1 Like

Hi Peter,

No worries, it’s not that important. :slight_smile:

I’ve forwarded the solution to the DNS Provider so it will soon be resolved I guess.
Thanks for explaining this to me.