diff --git a/management/dns_update.py b/management/dns_update.py
index 0aae94cf..d3ef2cbc 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -502,11 +502,12 @@ zone:
 
 def dnssec_choose_algo(domain, env):
 	if '.' in domain and domain.rsplit('.')[-1] in \
-		("email", "guide", "fund"):
+		("email", "guide", "fund", "be"):
 		# At GoDaddy, RSASHA256 is the only algorithm supported
 		# for .email and .guide.
 		# A variety of algorithms are supported for .fund. This
 		# is preferred.
+		# Gandi tells me that .be does not support RSASHA1-NSEC3-SHA1
 		return "RSASHA256"
 
 	# For any domain we were able to sign before, don't change the algorithm