Skip to main content
Help Center
The GoDaddy Community will undergo maintenance starting on Wednesday, July 28th at 3pm PST / 6pm EST. Learn more
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
J15t98J
Getting Started

GoDaddy rejects DNSSEC changes on creating DS record

I'm trying to self-manage DNSSEC for my domain, which is registered with GoDaddy and whose DNS zone file is with Cloudflare. Cloudflare has provided all the required fields to submit the DS record on GoDaddy, but every time I submit it I get an email from GoDaddy a few minutes later saying that my changes were unsuccessful, followed only by "please contact support."

 

I've spoken to two different members of staff on the phone and neither seemed to even know what DNSSEC is, let alone how one sets it up. I've also been told several times that I need to have my zone file with GoDaddy in order to use DNSSEC, or else require the Premium DNS service, but the relevant GoDaddy support article suggests that the Premium DNS is optional, and states:

Spoiler

You can activate DNSSEC security information for your domain name under the following conditions:

  • The domain name is registered through us.
  • The registry for the domain name must support DNSSEC for the domain name's extension.
  • The domain name must use custom nameservers, and you have control over signing your zones. That is, it is not hosted, parked, or forwarding with us.
  • The domain name must be in active status, not flagged by the registry, and have valid Whois data.

 

This serverfault article documents a very similar problem that another user encountered, and cites a backend issue at GoDaddy as the root cause, but doesn't mention how their situation was resolved, and I am still experiencing exactly the issue they describe. I'd really appreciate a solution or some insight as to an alternative.

8 REPLIES 8
Retired
Not applicable

@Retired I have already followed those steps (that was one of the original web pages I looked at before I encountered problems) and still get the email a few minutes later saying that it was unsuccessful.

Retired
Not applicable

'  '   @J15t98J,

 

...and have you contacted support as it suggests in the email? What did they say?

@Retired their suggestions are documented in my original post (the bit re. two members of staff)

Retired
Not applicable

Hi @J15t98J,

 

Just out of curiosity I have also read other mention to premium DNS, and it would be interesting to know your domain name to run a few basic checks.

@Retired j15t98j.co.uk

Retired
Not applicable

Yes @J15t98J,

 

Your servers need to be with godaddy as support suggested, they are with cloudflare instead. I think this is what support may have been trying to explain.

 

So either change your DNS's to godaddy to apply DNSSEC here, or..... perhaps :

https://www.cloudflare.com/dns/dnssec/universal-dnssec/

@Retired as above - from the GoDaddy support article, explicitly saying that you need to have it hosted elsewhere:

 

Spoiler
  • The domain name must use custom nameservers, and you have control over signing your zones. That is, it is not hosted, parked, or forwarding with us.

 

Cloudflare also supports this - they wouldn't give me a DS record to add to GoDaddy if they knew it wouldn't work:

Spoiler
What are the steps to enable DNSSEC?

There are two steps to enabling DNSSEC. After you enable DNSSEC at Cloudflare, you need to also add a DNS record called a DS to your registrar. The DS helps DNS resolvers verify the public key used to sign your DNS records. We keep instructions for adding DS records to common registrars on our knowledge base. In the event that your registrar or registry does not support DNSSEC, there are several options open to you which are outlined in our knowledge base.