DNSSEC - Google Cloud and Cloudflare - Which DS Record to give to Registrar?

I have managed to really confuse myself here with enabling DNSSEC for the first time ever.

I am using google cloud compute engine running a WordPress website for hosting - my domain registrar has its name servers set to cloudflare which then routes back to google cloud dns (at least that's how I assume it works)

as i am using both google cloud dns and also cloudflare and am trying to enable DNSSEC - I currently have it enabled on both GC and also Cloudflare (and I'm not sure I should have it enabled on both but have it as that at the moment) it has given me two separate DS records to give to my domain registrar (One from GC and one from CF - and of course they are different)

My question is really - which DS record should I give my domain registrar - GC or CF? - and also is it safe or advised to have both set to on - and if not which one should I leave on and which one should i have set to off?

also if i can / should leave both on - should I then ask the registrar to make two separate DS records for them both?

Thank you for any help you can give me - and if you need any extra info then feel free to ask me and I will do my best to provide it.

Hopefully someone knows the answer to this - as I feel like I may have got myself stuck in a bit of a rabbit hole with this one.

So far I have only given the Cloudflare DS record to the registrar and am currently awaiting them to add it (as that's the only way to add DS records with them - have them do it manually from their end).


Images Below have had sensitive info removed...

My domain is: paypcns.co.uk

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: google cloud (Also using cloudflare for CDN)

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Image 2 of what is happining...

Image 3 of what is happining...

Image 4 of what is happining...

Cloudflare is your actual DNS host, so you should take the DS records that Cloudflare gave you and add them in 123-reg (or whoever your registrar is).

I don't think that Google Cloud is hosting your DNS, unless you have some subdelegation that I can't see due to the redaction of your screenshots.


Thank you for your help - I gave them the cloudflare one and it is all working now - and CF shows me as DNSSEC enabled :slight_smile:


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.