diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e4955195b..3f65c4e39 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -154,5 +154,5 @@ jobs:
     - name: Run integration tests for ${{ matrix.provider }} provider
       if: env.CAN_CONTINUE == 'yes'
       working-directory: integrationTest
-      run: go test -v -verbose -provider ${{ matrix.provider }}
+      run: go test -timeout 20m -v -verbose -provider ${{ matrix.provider }}
 ...
diff --git a/integrationTest/integration_test.go b/integrationTest/integration_test.go
index bb7217926..03c01f8c8 100644
--- a/integrationTest/integration_test.go
+++ b/integrationTest/integration_test.go
@@ -1067,43 +1067,54 @@ func makeTests(t *testing.T) []*TestGroup {
 
 		testgroup("DS",
 			requires(providers.CanUseDS),
-			tc("create DS", ds("@", 1, 13, 1, "ADIGEST")),
-			tc("modify field 1", ds("@", 65535, 13, 1, "ADIGEST")),
-			tc("modify field 3", ds("@", 65535, 13, 2, "ADIGEST")),
-			tc("modify field 2+3", ds("@", 65535, 1, 4, "ADIGEST")),
-			tc("modify field 2", ds("@", 65535, 3, 4, "ADIGEST")),
-			tc("modify field 2", ds("@", 65535, 254, 4, "ADIGEST")),
-			tc("delete 1, create 1", ds("foo", 2, 13, 4, "ADIGEST")),
-			tc("add 2 more DS", ds("foo", 2, 13, 4, "ADIGEST"), ds("@", 65535, 5, 4, "ADIGEST"), ds("@", 65535, 253, 4, "ADIGEST")),
+			// Use a valid digest value here.  Some providers verify that a valid digest is in use.
+			// RFC 4034 s5.1.4 specifies SHA1 as the only digest algo at present, i.e. only hexadecimal values currently usable.
+			tc("DS create", ds("@", 1, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DS change", ds("@", 8857, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DS change f1", ds("@", 3, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DS change f2", ds("@", 3, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DS change f3+4", ds("@", 3, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DS delete 1, create child", ds("another-child", 44, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("add 2 more DS",
+				ds("another-child", 44, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44"),
+				ds("another-child", 1501, 13, 1, "ee02c885b5b4ed64899f2d43eb2b8e6619bdb50c"),
+				ds("another-child", 1502, 8, 2, "2fa14f53e6b15cac9ac77846c7be87862c2a7e9ec0c6cea319db939317f126ed"),
+				ds("another-child", 65535, 13, 2, "2fa14f53e6b15cac9ac77846c7be87862c2a7e9ec0c6cea319db939317f126ed"),
+			),
+			// These are the same as below.
+			tc("DSchild create", ds("child", 1, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DSchild change", ds("child", 8857, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f1", ds("child", 3, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f2", ds("child", 3, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f3+4", ds("child", 3, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DSchild delete 1, create child", ds("another-child", 44, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
 		),
 
 		testgroup("DS (children only)",
 			requires(providers.CanUseDSForChildren),
 			not("CLOUDNS", "CLOUDFLAREAPI"),
-			// Use a valid digest value here, because GCLOUD (which implements this capability) verifies
-			// the value passed in is a valid digest. RFC 4034, s5.1.4 specifies SHA1 as the only digest
-			// algo at present, i.e. only hexadecimal values currently usable.
-			tc("create DS", ds("child", 1, 13, 1, "0123456789ABCDEF")),
-			tc("modify field 1", ds("child", 65535, 13, 1, "0123456789ABCDEF")),
-			tc("modify field 3", ds("child", 65535, 13, 2, "0123456789ABCDEF")),
-			tc("modify field 2+3", ds("child", 65535, 1, 4, "0123456789ABCDEF")),
-			tc("modify field 2", ds("child", 65535, 3, 4, "0123456789ABCDEF")),
-			tc("modify field 2", ds("child", 65535, 254, 4, "0123456789ABCDEF")),
-			tc("delete 1, create 1", ds("another-child", 2, 13, 4, "0123456789ABCDEF")),
-			tc("add 2 more DS",
-				ds("another-child", 2, 13, 4, "0123456789ABCDEF"),
-				ds("another-child", 65535, 5, 4, "0123456789ABCDEF"),
-				ds("another-child", 65535, 253, 4, "0123456789ABCDEF"),
+			// Use a valid digest value here.  Some providers verify that a valid digest is in use.
+			// RFC 4034 s5.1.4 specifies SHA1 as the only digest algo at present, i.e. only hexadecimal values currently usable.
+			tc("DSchild create", ds("child", 1, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DSchild change", ds("child", 8857, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f1", ds("child", 3, 8, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f2", ds("child", 3, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("DSchild change f3+4", ds("child", 3, 13, 1, "da39a3ee5e6b4b0d3255bfef95601890afd80709")),
+			tc("DSchild delete 1, create child", ds("another-child", 44, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44")),
+			tc("add 2 more DSchild",
+				ds("another-child", 44, 13, 2, "4b9b6b073edd97feb5bc12dc4e1b32d2c6af7ae23a293936ceb87bb10494ec44"),
+				ds("another-child", 1501, 13, 1, "ee02c885b5b4ed64899f2d43eb2b8e6619bdb50c"),
+				ds("another-child", 1502, 8, 2, "2fa14f53e6b15cac9ac77846c7be87862c2a7e9ec0c6cea319db939317f126ed"),
+				ds("another-child", 65535, 13, 2, "2fa14f53e6b15cac9ac77846c7be87862c2a7e9ec0c6cea319db939317f126ed"),
 			),
 		),
 
 		testgroup("DS (children only) CLOUDNS",
 			requires(providers.CanUseDSForChildren),
 			only("CLOUDNS", "CLOUDFLAREAPI"),
-			// Use a valid digest value here, because GCLOUD (which implements this capability) verifies
-			// the value passed in is a valid digest. RFC 4034, s5.1.4 specifies SHA1 as the only digest
-			// algo at present, i.e. only hexadecimal values currently usable.
-			// Cloudns requires NS  Record before creating DS Record.
+			// Cloudns requires NS records before creating DS Record. Verify
+			// they are done in the right order, even if they are listed in
+			// the wrong order in dnsconfig.js.
 			tc("create DS",
 				// we test that provider correctly handles creating NS first by reversing the entries here
 				ds("child", 35632, 13, 1, "1E07663FF507A40874B8605463DD41DE482079D6"),
diff --git a/providers/gandiv5/gandi_v5Provider.go b/providers/gandiv5/gandi_v5Provider.go
index a34a71e5e..772cd3a23 100644
--- a/providers/gandiv5/gandi_v5Provider.go
+++ b/providers/gandiv5/gandi_v5Provider.go
@@ -47,7 +47,8 @@ func init() {
 var features = providers.DocumentationNotes{
 	providers.CanUseAlias:            providers.Can("Only on the bare domain. Otherwise CNAME will be substituted"),
 	providers.CanUseCAA:              providers.Can(),
-	providers.CanUseDS:               providers.Can(),
+	providers.CanUseDS:               providers.Cannot("Only supports DS records at the apex"),
+	providers.CanUseDSForChildren:    providers.Can(),
 	providers.CanUsePTR:              providers.Can(),
 	providers.CanUseSRV:              providers.Can(),
 	providers.CanUseSSHFP:            providers.Can(),