DNS host provides a DS record, registrar refuses or asks for different fields
The DS record bridges registrar (parent zone) and DNS host (child zone) for DNSSEC. Each registrar asks for it in their own form: key tag, algorithm, digest type, digest. One wrong field and the chain does not validate.
Try this first
- 1. Get the full DS record from the DNS host: key tag (a number), algorithm (8=RSA-SHA256, 13=ECDSA-P256), digest type (1=SHA1, 2=SHA256), and the digest string itself.
- 2. Fill it in at the registrar: TransIP and Versio have web forms with those four fields; GoDaddy and others accept a BIND-format DS string.
- 3. Some registrars require the DNSKEY (the key itself, not the digest). The DNS host provides that too.
- 4. Wait at least 48 hours after submitting; some TLD registries (SIDN for .nl) need publication time before the DS is live in the parent zone.
- 5. Check with dnsviz.net or dnssec-analyzer.verisignlabs.com that the chain is valid before touching anything else in DNS.
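An added example, not from the original page or any registrar's tooling: a Python check that recomputes the key tag and digest from the DNSKEY and compares them with the four DS fields before you submit them. The domain and key are constructed sample values, and the key bytes are filler rather than a real public key.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # digest types 1 and 2

def wire_name(domain):
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = domain.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, key_b64, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(domain, rdata, digest_type=2):
    """Build the four DS fields as a BIND-format string."""
    digest = DIGESTS[digest_type](wire_name(domain) + rdata).hexdigest().upper()
    return f"{domain}. IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def parse_ds(text):
    """Split a BIND-format DS string into (key tag, algorithm, digest type, digest)."""
    f = text.split()
    i = f.index("DS") + 1 if "DS" in f else 0
    return int(f[i]), int(f[i + 1]), int(f[i + 2]), "".join(f[i + 3:]).upper()

def check_ds(domain, ds_text, rdata):
    """Return the names of DS fields that do not match the DNSKEY (empty = OK)."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    bad = []
    if tag != key_tag(rdata):
        bad.append("key tag")
    if alg != rdata[3]:
        bad.append("algorithm")
    if dtype not in DIGESTS:
        bad.append("digest type")
    elif digest != DIGESTS[dtype](wire_name(domain) + rdata).hexdigest().upper():
        bad.append("digest")
    return bad

# Constructed sample: filler key bytes, not a real ECDSA public key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 13, SAMPLE_KEY)
SAMPLE_DS = make_ds("example.nl", SAMPLE_RDATA)

if __name__ == "__main__":
    print(SAMPLE_DS)
    print(check_ds("example.nl", SAMPLE_DS, SAMPLE_RDATA) or "DS matches DNSKEY")
```

An empty list from `check_ds` means all four fields agree with the DNSKEY; any name in the list is the field to correct at the registrar.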
When to bring us in
If you have a DS record at the registrar that no longer matches the zone keys, we can guide the rollover so resolvers do not mark the zone as bogus.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: EPP code or transfer code is the password to move a domain from registrar A to B.