DNSSEC settings

I'm trying to add DNSSEC and it's different than I'm used to:
1) At Gandi, I need: Flags, Algorithm, and Public Key
2) At Vultr, I see: Record Type, Key Type, Algorithm, Digest Type, and Digest. Below that is the DNSSEC Record.

What flag should I use? Gandi's choices are 256 (ZSK) and 257 (KSK).
Is the Digest what I should be using for Public Key? When I enter the info, Gandi generates its own Digest (SHA256) that doesn't match Vultr's Digest.
I haven't had to enter two DS record sets of data before. I need both?


  • Well, you have probably already found an answer by now, but I'm posting the answer here anyway in case someone else is interested.

    After having activated DNSSEC in zone settings of the Vultr control panel, you'll see 2 DS records and 1 DNSKEY record.

    In the DNSKEY record, you can see:
    - the flags set to 257 (256 for the zone key and 1 for the secure entry point)
    - the algorithm set to 13 (ECDSA Curve P-256 with SHA-256)
    - and, following the algorithm, the public key itself.

    So, in the Gandi DNSSEC panel, you have to use:
    - flags 257
    - algorithm 13
    - and then paste your public key

    You'll then see in the Gandi panel that the computed digest is the same as the one in the DS record of the Vultr panel.

    Wait a bit for the DNS propagation to happen, and then verify that DNSSEC is properly set up for your domain with one of the many available tools: https://www.icann.org/resources/pages/tools-2012-02-25-en
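
Added example, not part of any post in this thread and not Vultr's or Gandi's code: a DS digest is a hash over the owner name plus the DNSKEY's flags, protocol, algorithm and public key (RFC 4034), so the digest a registrar computes can be checked offline against the DS record the DNS host displays. The function names, `example.com` and the sample key are constructed for illustration, and owner names are assumed to be ASCII.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to hashlib names.
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (the first field of a DS record)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, algorithm, pubkey_b64, digest_type=2, protocol=3):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGESTS[digest_type], owner_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def matches_ds(computed, ds_record: str) -> bool:
    """Compare a computed DS tuple with a 'tag alg type digest' line from a panel."""
    tag, alg, dtype, *digest = ds_record.split()
    return computed == (int(tag), int(alg), int(dtype), "".join(digest).upper())


if __name__ == "__main__":
    # Constructed sample key (64 bytes, the size of an algorithm 13 key), not a real zone's.
    sample_key = base64.b64encode(bytes(range(64))).decode()
    for dtype in (1, 2):
        print(ds_from_dnskey("example.com", 257, 13, sample_key, dtype))
```

Because the flags field is part of the hashed data, entering 256 instead of 257 for the same public key yields a different digest.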

  • No, I didn't find an answer, so thanks for this! I switched to a Gandi name server, but I'll give this a try so I can switch back so I can use the Vanity Name Server feature.
  • Hey everyone,

    I have been studying this issue for a long time.
    Finally, my final solution is to add DNSSEC using Gandi's latest console, V5.gandi.net.
