diff --git a/management/dns_update.py b/management/dns_update.py
index ba9a5964..3edbef03 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -511,8 +511,12 @@ zone:
 ########################################################################
 def dnssec_choose_algo(domain, env):
- if domain.endswith(".email") or domain.endswith(".guide"):
- # At least at GoDaddy, this is the only algorithm supported.
+ if '.' in domain and domain.rsplit('.')[-1] in \
+ ("email", "guide", "fund"):
+ # At GoDaddy, RSASHA256 is the only algorithm supported
+ # for .email and .guide.
+ # A variety of algorithms are supported for .fund. This
+ # is preferred.
 return "RSASHA256"
 # For any domain we were able to sign before, don't change the algorithm
diff --git a/setup/dns.sh b/setup/dns.sh
index b55e2587..ff6abfe2 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -52,6 +52,10 @@ mkdir -p "$STORAGE_ROOT/dns/dnssec";
 #
 # * .email
 # * .guide
+#
+# Supports `RSASHA256` (and defaulting to this)
+#
+# * .fund
 FIRST=1 #NODOC
 for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do
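Review bot: In `dnssec_choose_algo` (management/dns_update.py), a .fund zone that was already signed with a different algorithm would presumably be switched to RSASHA256 on the next update, because the new tuple check returns before the "For any domain we were able to sign before, don't change the algorithm" logic that follows it. If the DS record at the registrar still refers to the old key, validating resolvers would treat the zone as bogus until the DS is replaced. The new comment says RSASHA256 is only preferred for .fund, not required, so consider keeping the forced set as `("email", "guide")` and applying the .fund preference after the previously-signed check, or say in the comment that existing .fund zones need a DS update. Separately, `domain.rsplit('.')[-1]` splits on every dot and is case-sensitive; `domain.rsplit('.', 1)[-1].lower()` states the intent, if the domain is not already normalized by the caller. The rest of the function lies outside the hunk, so the ordering concern should be confirmed against it.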