[Opendnssec-user] DS records at Godaddy with .co tld

Nix Related pcfnix at gmail.com
Wed Apr 8 15:37:52 UTC 2015

I have successfully implemented OpenDNSSEC. I have multiple domains at
GoDaddy and while all other TLDs work after inputting the results from

ods-ksmutil key ds-seen -z domain.co -x 12345

the domains with the .co TLD have an extra input field which is required.

Instead of the usual

Key Tag:
Digest Type:

There is one more required field called Key Data Alg in which the tool-tip
"The key data algorithm determines the method used for encrypting the
public key. Values must be an integer between 0 and 255 and must match the

Over at this link


In the comments section at the bottom, Christian Elsen says:

"Here is what these fields mean along with possible values:
– flags: 256 for Zone Signing Keys (ZSK), 257 for Key Signing Keys (KSK)
You want 257 for the long-term Key Signing Key in this case
– protocol: always 3 to signify DNSSEC
– key data alg: 5 for RSA with SHA1 (currently the only specified choice)
– public key: base64 format of the public key (either ZSK or KSK)"


"You can also look up the correct values via “dig type48 examples.com”
against your domain."

In the specifics of
titled About Self-Managed DNSSEC it seems to be missing the information
regarding this required Key Data Alg: input field in their DS form.

"ods-ksmutil key export --zone domain.co --verbose" reveals:

domain.co. 3600    IN      DNSKEY  257 3 8
;{id = 65105 (ksk), size = 2048b}

GoDaddy's support was of no help.

The possibilities for Key Data Alg: are 1,2,3,5,6,7,8,10,12

I tried all of them and received a momentary failure email.
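
An added example, not part of the original post and not OpenDNSSEC or GoDaddy code: deriving every value a registrar DS form could ask for from one exported DNSKEY line, so the entries can be checked against the zone's KSK. It assumes the form's "Key Data Alg" is the algorithm field of the DNSKEY record (the third number after DNSKEY, listed alongside flags, protocol and public key in the quoted comment); the function names, dictionary keys and sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample in the layout `ods-ksmutil key export` prints. The key
# material is a 6-byte dummy, not a real RSA key and not the poster's key.
SAMPLE = "domain.co. 3600 IN DNSKEY 257 3 8 AwEAAaq7 ;{id = 45510 (ksk)}"


def parse_dnskey(line):
    """Split a one-line DNSKEY record into owner, flags, protocol, algorithm, key."""
    tokens = line.split(";", 1)[0].split()  # drop the trailing comment
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    key_b64 = "".join(tokens[idx + 4:])  # base64 may be split by whitespace
    return tokens[0], flags, protocol, algorithm, key_b64


def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire form of an absolute domain name."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_form_fields(line, digest_type=2):
    """Derive DS values plus the DNSKEY-side fields from one DNSKEY record."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey(line)
    if not flags & 0x0001:
        raise ValueError("SEP bit not set: this is not a KSK (flags %d)" % flags)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    hashes = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2
    digest = hashes[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest,
            # Assumption: the form's "Key Data Alg" is the DNSKEY algorithm field.
            "flags": flags, "protocol": protocol,
            "key_data_alg": algorithm, "public_key": key_b64}


if __name__ == "__main__":
    for name, value in ds_form_fields(SAMPLE).items():
        print(f"{name}: {value}")
```

The DS digest covers the owner name as well as the key, so the same KSK published under a different zone name yields a different digest while the key tag and algorithm stay the same.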
