# DNSSEC

## DNSSEC Details

**get** `/zones/{zone_id}/dnssec`

Details about DNSSEC status and configuration.

### Path Parameters

- `zone_id: string`
  Identifier.

### Returns

- `errors: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `messages: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `success: true`
  Whether the API call was successful.
  - `true`
- `result: optional DNSSEC`
  - `algorithm: optional string`
    Algorithm key code.
  - `digest: optional string`
    Digest hash.
  - `digest_algorithm: optional string`
    Type of digest algorithm.
  - `digest_type: optional string`
    Coded type for digest algorithm.
  - `dnssec_multi_signer: optional boolean`
    If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone. See [Multi-signer DNSSEC](https://developers.cloudflare.com/dns/dnssec/multi-signer-dnssec/) for details.
  - `dnssec_presigned: optional boolean`
    If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly. Note that this feature has some limitations. See [Cloudflare as Secondary](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/#dnssec) for details.
  - `dnssec_use_nsec3: optional boolean`
    If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider.
    If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time. See [DNSSEC with NSEC3](https://developers.cloudflare.com/dns/dnssec/enable-nsec3/) for details.
  - `ds: optional string`
    Full DS record.
  - `flags: optional number`
    Flag for DNSSEC record.
  - `key_tag: optional number`
    Code for key tag.
  - `key_type: optional string`
    Algorithm key type.
  - `modified_on: optional string`
    When DNSSEC was last modified.
  - `public_key: optional string`
    Public key for DS record.
  - `status: optional "active" or "pending" or "disabled" or 2 more`
    Status of DNSSEC, based on user-desired state and presence of necessary records.
    - `"active"`
    - `"pending"`
    - `"disabled"`
    - `"pending-disabled"`
    - `"error"`

### Example

```http
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "algorithm": "13",
    "digest": "48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "digest_algorithm": "SHA256",
    "digest_type": "2",
    "dnssec_multi_signer": false,
    "dnssec_presigned": true,
    "dnssec_use_nsec3": false,
    "ds": "example.com. 3600 IN DS 16953 13 2 48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "flags": 257,
    "key_tag": 42,
    "key_type": "ECDSAP256SHA256",
    "modified_on": "2014-01-01T05:20:00Z",
    "public_key": "oXiGYrSTO+LSCJ3mohc8EP+CzF9KxBj8/ydXJ22pKuZP3VAC3/Md/k7xZfz470CoRyZJ6gV6vml07IC3d8xqhA==",
    "status": "active"
  }
}
```

## Edit DNSSEC Status

**patch** `/zones/{zone_id}/dnssec`

Enable or disable DNSSEC.

### Path Parameters

- `zone_id: string`
  Identifier.

### Body Parameters

- `dnssec_multi_signer: optional boolean`
  If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone. See [Multi-signer DNSSEC](https://developers.cloudflare.com/dns/dnssec/multi-signer-dnssec/) for details.
- `dnssec_presigned: optional boolean`
  If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly. Note that this feature has some limitations. See [Cloudflare as Secondary](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/#dnssec) for details.
- `dnssec_use_nsec3: optional boolean`
  If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time. See [DNSSEC with NSEC3](https://developers.cloudflare.com/dns/dnssec/enable-nsec3/) for details.
- `status: optional "active" or "disabled"`
  Status of DNSSEC, based on user-desired state and presence of necessary records.
  - `"active"`
  - `"disabled"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `messages: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `success: true`
  Whether the API call was successful.
  - `true`
- `result: optional DNSSEC`
  - `algorithm: optional string`
    Algorithm key code.
  - `digest: optional string`
    Digest hash.
  - `digest_algorithm: optional string`
    Type of digest algorithm.
  - `digest_type: optional string`
    Coded type for digest algorithm.
  - `dnssec_multi_signer: optional boolean`
    If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone. See [Multi-signer DNSSEC](https://developers.cloudflare.com/dns/dnssec/multi-signer-dnssec/) for details.
  - `dnssec_presigned: optional boolean`
    If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly. Note that this feature has some limitations. See [Cloudflare as Secondary](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/#dnssec) for details.
  - `dnssec_use_nsec3: optional boolean`
    If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time. See [DNSSEC with NSEC3](https://developers.cloudflare.com/dns/dnssec/enable-nsec3/) for details.
  - `ds: optional string`
    Full DS record.
  - `flags: optional number`
    Flag for DNSSEC record.
  - `key_tag: optional number`
    Code for key tag.
  - `key_type: optional string`
    Algorithm key type.
  - `modified_on: optional string`
    When DNSSEC was last modified.
  - `public_key: optional string`
    Public key for DS record.
  - `status: optional "active" or "pending" or "disabled" or 2 more`
    Status of DNSSEC, based on user-desired state and presence of necessary records.
    - `"active"`
    - `"pending"`
    - `"disabled"`
    - `"pending-disabled"`
    - `"error"`

### Example

```http
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "dnssec_presigned": true,
          "status": "active"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "algorithm": "13",
    "digest": "48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "digest_algorithm": "SHA256",
    "digest_type": "2",
    "dnssec_multi_signer": false,
    "dnssec_presigned": true,
    "dnssec_use_nsec3": false,
    "ds": "example.com. 3600 IN DS 16953 13 2 48E939042E82C22542CB377B580DFDC52A361CEFDC72E7F9107E2B6BD9306A45",
    "flags": 257,
    "key_tag": 42,
    "key_type": "ECDSAP256SHA256",
    "modified_on": "2014-01-01T05:20:00Z",
    "public_key": "oXiGYrSTO+LSCJ3mohc8EP+CzF9KxBj8/ydXJ22pKuZP3VAC3/Md/k7xZfz470CoRyZJ6gV6vml07IC3d8xqhA==",
    "status": "active"
  }
}
```

## Delete DNSSEC records

**delete** `/zones/{zone_id}/dnssec`

Delete DNSSEC.

### Path Parameters

- `zone_id: string`
  Identifier.

### Returns

- `errors: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `messages: array of object { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional object { pointer }`
    - `pointer: optional string`
- `success: true`
  Whether the API call was successful.
  - `true`
- `result: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": ""
}
```

## Domain Types

### DNSSEC

- `DNSSEC = object { algorithm, digest, digest_algorithm, 11 more }`
  - `algorithm: optional string`
    Algorithm key code.
  - `digest: optional string`
    Digest hash.
  - `digest_algorithm: optional string`
    Type of digest algorithm.
  - `digest_type: optional string`
    Coded type for digest algorithm.
  - `dnssec_multi_signer: optional boolean`
    If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone. See [Multi-signer DNSSEC](https://developers.cloudflare.com/dns/dnssec/multi-signer-dnssec/) for details.
  - `dnssec_presigned: optional boolean`
    If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly. Note that this feature has some limitations. See [Cloudflare as Secondary](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/cloudflare-as-secondary/setup/#dnssec) for details.
  - `dnssec_use_nsec3: optional boolean`
    If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time.
    See [DNSSEC with NSEC3](https://developers.cloudflare.com/dns/dnssec/enable-nsec3/) for details.
  - `ds: optional string`
    Full DS record.
  - `flags: optional number`
    Flag for DNSSEC record.
  - `key_tag: optional number`
    Code for key tag.
  - `key_type: optional string`
    Algorithm key type.
  - `modified_on: optional string`
    When DNSSEC was last modified.
  - `public_key: optional string`
    Public key for DS record.
  - `status: optional "active" or "pending" or "disabled" or 2 more`
    Status of DNSSEC, based on user-desired state and presence of necessary records.
    - `"active"`
    - `"pending"`
    - `"disabled"`
    - `"pending-disabled"`
    - `"error"`

### DNSSEC Delete Response

- `DNSSECDeleteResponse = string`
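
A consistency check an operator might run on the `result` object of the DNSSEC Details call before handing the `ds` value to a registrar, as an added example (not part of Cloudflare's documentation or code): it rebuilds the DNSKEY RDATA from `flags`, `algorithm` and `public_key`, then recomputes the key tag and DS digest per RFC 4034. It assumes `public_key` is the base64 public-key field of the DNSKEY; the function names, the returned labels and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {"1": hashlib.sha1, "2": hashlib.sha256, "4": hashlib.sha384}

def dnskey_rdata(flags, algorithm, public_key_b64):
    """DNSKEY RDATA (RFC 4034 2.1): flags | protocol (always 3) | algorithm | key."""
    return (flags.to_bytes(2, "big") + bytes([3, algorithm])
            + base64.b64decode(public_key_b64))

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def check_dnssec_result(result):
    """Return the names of inconsistent fields in a `result` object ([] = consistent)."""
    parts = result["ds"].split()  # owner TTL class type key_tag algorithm digest_type digest
    owner, ds_tag, ds_alg, ds_dtype = parts[0], parts[4], parts[5], parts[6]
    ds_digest = "".join(parts[7:]).upper()  # presentation form may split the hex
    rdata = dnskey_rdata(result["flags"], int(result["algorithm"]), result["public_key"])
    problems = []
    if not (key_tag(rdata) == result["key_tag"] == int(ds_tag)):
        problems.append("key_tag")
    if ds_alg != result["algorithm"]:
        problems.append("algorithm")
    if ds_dtype != result["digest_type"]:
        problems.append("digest_type")
    hash_fn = DIGESTS.get(ds_dtype)  # unknown digest type is reported as a digest problem
    digest = hash_fn(owner_wire(owner) + rdata).hexdigest().upper() if hash_fn else None
    if not (digest == result["digest"].upper() == ds_digest):
        problems.append("digest")
    return problems

def constructed_result():
    """Constructed sample, not real key material: an all-zero 64-byte public key."""
    pub = base64.b64encode(bytes(64)).decode()
    rdata = dnskey_rdata(257, 13, pub)
    tag = key_tag(rdata)
    digest = hashlib.sha256(owner_wire("example.com.") + rdata).hexdigest().upper()
    return {"algorithm": "13", "digest": digest, "digest_type": "2", "flags": 257,
            "key_tag": tag, "public_key": pub,
            "ds": f"example.com. 3600 IN DS {tag} 13 2 {digest}"}
```

Run against the sample response shown on this page, `check_dnssec_result` reports at least `key_tag`, because that placeholder response lists `key_tag` 42 while its `ds` string carries 16953.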