I'm trying to self-manage DNSSEC for my domain, which is registered with GoDaddy and whose DNS zone file is with Cloudflare. Cloudflare has provided all the required fields to submit the DS record on GoDaddy, but every time I submit it I get an email from GoDaddy a few minutes later saying that my changes were unsuccessful, followed only by "please contact support."
I've spoken to two different members of staff on the phone and neither seemed to even know what DNSSEC is, let alone how one sets it up. I've also been told several times that I need to have my zone file with GoDaddy in order to use DNSSEC, or else require the Premium DNS service, but the relevant GoDaddy support article suggests that the Premium DNS is optional, and states:
You can activate DNSSEC security information for your domain name under the following conditions:
This Server Fault article documents a very similar problem that another user encountered, and cites a backend issue at GoDaddy as the root cause, but doesn't mention how their situation was resolved, and I am still experiencing exactly the issue they describe. I'd really appreciate a solution or some insight as to an alternative.
@Retired I have already followed those steps (that was one of the original web pages I looked at before I encountered problems) and still get the email a few minutes later saying that it was unsuccessful.
Just out of curiosity, I have also read other mentions of Premium DNS, and it would be interesting to know your domain name to run a few basic checks.
Your servers need to be with GoDaddy as support suggested; they are with Cloudflare instead. I think this is what support may have been trying to explain.
So either change your DNS's to GoDaddy to apply DNSSEC here, or... perhaps:
@Retired as above - from the GoDaddy support article, explicitly saying that you need to have it hosted elsewhere:
Cloudflare also supports this - they wouldn't give me a DS record to add to GoDaddy if they knew it wouldn't work:
There are two steps to enabling DNSSEC. After you enable DNSSEC at Cloudflare, you need to also add a DNS record called a DS to your registrar. The DS helps DNS resolvers verify the public key used to sign your DNS records. We keep instructions for adding DS records to common registrars on our knowledge base. In the event that your registrar or registry does not support DNSSEC, there are several options open to you which are outlined in our knowledge base.
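A check that can be run before submitting the DS fields at the registrar, as an added example that is not part of the original thread: it recomputes the key tag and SHA-256 digest from a DNSKEY (per RFC 4034) and compares them with the DS values as typed. The function names, the sample key and `example.com.` are constructed for illustration; a match rules out a transcription error only and says nothing about the registrar's backend.

```python
import base64
import hashlib
import struct

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(name, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()

def check_ds(name, dnskey, ds):
    """Return the names of DS fields that do not match the DNSKEY."""
    flags, protocol, algorithm, key_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    problems = []
    if int(ds["key_tag"]) != key_tag(rdata):
        problems.append("key_tag")
    if int(ds["algorithm"]) != algorithm:
        problems.append("algorithm")
    if int(ds["digest_type"]) != 2:
        problems.append("digest_type")  # this sketch only computes SHA-256
    elif "".join(ds["digest"].split()).upper() != ds_digest_sha256(name, rdata):
        problems.append("digest")
    return problems

# Constructed sample data: not a real key or domain.
SAMPLE_NAME = "example.com."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_DNSKEY)
SAMPLE_DS = {"key_tag": key_tag(SAMPLE_RDATA), "algorithm": 13, "digest_type": 2,
             "digest": ds_digest_sha256(SAMPLE_NAME, SAMPLE_RDATA)}

if __name__ == "__main__":
    print(check_ds(SAMPLE_NAME, SAMPLE_DNSKEY, SAMPLE_DS) or "DS matches DNSKEY")
```

The digest comparison ignores whitespace and letter case, since DS digests are often pasted with spaces or in lowercase.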