Edit DNSSEC Status

PATCH/zones/{zone_id}/dnssec

Enable or disable DNSSEC.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

DNS Write

Path ParametersExpand Collapse

zone_id: string

Identifier.

maxLength32

Body ParametersJSONExpand Collapse

dnssec_multi_signer: optional boolean

If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone.

See Multi-signer DNSSEC for details.

dnssec_presigned: optional boolean

If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly.

Note that this feature has some limitations. See Cloudflare as Secondary for details.

dnssec_use_nsec3: optional boolean

If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time.

See DNSSEC with NSEC3 for details.

status: optional "active" or "disabled"

Status of DNSSEC, based on user-desired state and presence of necessary records.

One of the following:

"active"

"disabled"

ReturnsExpand Collapse

errors: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

messages: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

success: true

Whether the API call was successful.

result: optional DNSSEC { algorithm, digest, digest_algorithm, 11 more }

algorithm: optional string

Algorithm key code.

digest: optional string

Digest hash.

digest_algorithm: optional string

Type of digest algorithm.

digest_type: optional string

Coded type for digest algorithm.

dnssec_multi_signer: optional boolean

See Multi-signer DNSSEC for details.

dnssec_presigned: optional boolean

If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly.

Note that this feature has some limitations. See Cloudflare as Secondary for details.

dnssec_use_nsec3: optional boolean

See DNSSEC with NSEC3 for details.

ds: optional string

Full DS record.

flags: optional number

Flag for DNSSEC record.

key_tag: optional number

Code for key tag.

key_type: optional string

Algorithm key type.

modified_on: optional string

When DNSSEC was last modified.

formatdate-time

public_key: optional string

Public key for DS record.

status: optional "active" or "pending" or "disabled" or 2 more

Status of DNSSEC, based on user-desired state and presence of necessary records.

One of the following:

"active"

"pending"

"disabled"

"pending-disabled"

"error"

Edit DNSSEC Status

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "dnssec_presigned": true,
          "status": "active"
        }'

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "algorithm": "13",
    "digest": "48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "digest_algorithm": "SHA256",
    "digest_type": "2",
    "dnssec_multi_signer": false,
    "dnssec_presigned": true,
    "dnssec_use_nsec3": false,
    "ds": "example.com. 3600 IN DS 16953 13 2 48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "flags": 257,
    "key_tag": 42,
    "key_type": "ECDSAP256SHA256",
    "modified_on": "2014-01-01T05:20:00Z",
    "public_key": "oXiGYrSTO+LSCJ3mohc8EP+CzF9KxBj8/ydXJ22pKuZP3VAC3/Md/k7xZfz470CoRyZJ6gV6vml07IC3d8xqhA==",
    "status": "active"
  }
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "algorithm": "13",
    "digest": "48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "digest_algorithm": "SHA256",
    "digest_type": "2",
    "dnssec_multi_signer": false,
    "dnssec_presigned": true,
    "dnssec_use_nsec3": false,
    "ds": "example.com. 3600 IN DS 16953 13 2 48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "flags": 257,
    "key_tag": 42,
    "key_type": "ECDSAP256SHA256",
    "modified_on": "2014-01-01T05:20:00Z",
    "public_key": "oXiGYrSTO+LSCJ3mohc8EP+CzF9KxBj8/ydXJ22pKuZP3VAC3/Md/k7xZfz470CoRyZJ6gV6vml07IC3d8xqhA==",
    "status": "active"
  }
}