DNSSEC - Google Cloud and Cloudflare - Which DS Record do I give to the Registrar?

I have managed to really confuse myself here with enabling DNSSEC for the first time ever.

I am using Google Cloud compute engine running a WordPress website for hosting. My domain registrar has its name servers set to Cloudflare which then routes back to Google Cloud DNS (at least that's how I assume it works).

As I am using both Google Cloud DNS and Cloudflare I'm trying to enable DNSSEC. Currently I have it enabled on both GC and also Cloudflare (and I'm not sure I should have it enabled on both, but have it as that at the moment). It has given me two separate DS records to give to my domain registrar (one from GC and one from CF; of course they are different).

My question is, which DS record should I give to my domain registrar - GC or CF? Also, is it safe or advised to have both set to on and if not which one should I leave on and which one should I set to off?

Also, if I can / should leave both on - should I then ask the registrar to make two separate DS records for them both?

So far I have only given the Cloudflare DS record to the registrar and am currently awaiting them adding it (as that's the only way to add DS records with them).


Solution 1:

There's no such thing as "routes back" with DNS. The delegation signer DS records (RFC 4034, section 5) have to be for the authoritative servers listed at the parent zone. The secure delegation must match the NS delegation.

Then, example.com could delegate control over sub.example.com with another set of NS records. In this case, example.com might have another set of DS records, too, but com should only have the DS records for the zone example.com.
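As an added illustration of the point above (example code, not part of the answer or of any provider's tooling), the following Python derives a zone's DS record from a DNSKEY exactly as RFC 4034 section 5.1.4 and Appendix B specify, so that two candidate DS records can be told apart: the one to hand to the registrar is the one derived from the KSK actually published by the name servers named in the parent's NS delegation. The key bytes and the name example.com are constructed placeholders.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Encode an owner name in canonical (lower-case) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def matching_ds(owner, flags, algorithm, pubkey, candidates):
    """Index of the candidate DS derived from this zone's KSK, or None."""
    expected = ds_record(owner, flags, algorithm, pubkey)
    return next((i for i, c in enumerate(candidates) if c == expected), None)

if __name__ == "__main__":
    # Constructed KSK bytes: stand-ins for the KSKs published by the two providers.
    ksk_served_by_delegated_ns = bytes(range(32))   # KSK at the servers in the NS delegation
    ksk_other_provider = bytes(range(32, 64))       # KSK at the provider not in the delegation
    offered = [ds_record("example.com.", 257, 13, ksk_other_provider),
               ds_record("example.com.", 257, 13, ksk_served_by_delegated_ns)]
    idx = matching_ds("example.com.", 257, 13, ksk_served_by_delegated_ns, offered)
    print("DS to hand to the registrar is candidate", idx, offered[idx])
```

In practice the DNSKEY inputs come from querying the zone at the servers the parent delegates to; a DS that matches a KSK served only by the other provider will never validate.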