DNSSEC

resource cloudflare_zone_dnssec

required
zone_id: String

Identifier.

optional
dnssec_multi_signer?: Bool

If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone.

See Multi-signer DNSSEC for details.

dnssec_presigned?: Bool

If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly.

Note that this feature has some limitations. See Cloudflare as Secondary for details.

dnssec_use_nsec3?: Bool

If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time.

See DNSSEC with NSEC3 for details.

status?: String

Status of DNSSEC, based on user-desired state and presence of necessary records.

computed
id: String

Identifier.

algorithm: String

Algorithm key code.

digest: String

Digest hash.

digest_algorithm: String

Type of digest algorithm.

digest_type: String

Coded type for digest algorithm.

ds: String

Full DS record.

flags: Float64

Flag for DNSSEC record.

key_tag: Float64

Code for key tag.

key_type: String

Algorithm key type.

modified_on: Time

When DNSSEC was last modified.

public_key: String

Public key for DS record.

cloudflare_zone_dnssec

resource "cloudflare_zone_dnssec" "example_zone_dnssec" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  dnssec_multi_signer = false
  dnssec_presigned = true
  dnssec_use_nsec3 = false
  status = "active"
}

data cloudflare_zone_dnssec

required
zone_id: String

Identifier.

computed
id: String

Identifier.

algorithm: String

Algorithm key code.

digest: String

Digest hash.

digest_algorithm: String

Type of digest algorithm.

digest_type: String

Coded type for digest algorithm.

dnssec_multi_signer: Bool

If true, multi-signer DNSSEC is enabled on the zone, allowing multiple providers to serve a DNSSEC-signed zone at the same time. This is required for DNSKEY records (except those automatically generated by Cloudflare) to be added to the zone.

See Multi-signer DNSSEC for details.

dnssec_presigned: Bool

If true, allows Cloudflare to transfer in a DNSSEC-signed zone including signatures from an external provider, without requiring Cloudflare to sign any records on the fly.

Note that this feature has some limitations. See Cloudflare as Secondary for details.

dnssec_use_nsec3: Bool

If true, enables the use of NSEC3 together with DNSSEC on the zone. Combined with setting dnssec_presigned to true, this enables the use of NSEC3 records when transferring in from an external provider. If dnssec_presigned is instead set to false (default), NSEC3 records will be generated and signed at request time.

See DNSSEC with NSEC3 for details.

ds: String

Full DS record.

flags: Float64

Flag for DNSSEC record.

key_tag: Float64

Code for key tag.

key_type: String

Algorithm key type.

modified_on: Time

When DNSSEC was last modified.

public_key: String

Public key for DS record.

status: String

Status of DNSSEC, based on user-desired state and presence of necessary records.

cloudflare_zone_dnssec

data "cloudflare_zone_dnssec" "example_zone_dnssec" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
}
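
Before the DS record is published at the registrar, the computed attributes can be cross-checked against each other. The Python below is an added example, not part of the provider documentation: it recomputes key_tag (RFC 4034, Appendix B) and digest from flags, algorithm and public_key. It assumes algorithm and digest_type hold numeric codes, public_key is the base64 DNSKEY key and the DNSKEY protocol field is 3; the function names and the sample values are constructed for illustration.

```python
import base64
import hashlib
import struct

# digest_type code -> hash constructor (IANA DS digest types 1, 2 and 4).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, algorithm, public_key_b64, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    header = struct.pack("!HBB", int(flags), protocol, int(algorithm))
    return header + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(zone):
    """Canonical (lower-case) wire form of the zone name."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(zone, rdata, digest_type):
    """DS digest = hash(owner name || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[int(digest_type)](owner_wire(zone) + rdata).hexdigest().upper()


def check_dnssec_attrs(zone, attrs):
    """Return a list of mismatches between the exported attributes."""
    rdata = dnskey_rdata(attrs["flags"], attrs["algorithm"], attrs["public_key"])
    problems = []
    if key_tag(rdata) != int(attrs["key_tag"]):
        problems.append("key_tag does not match public_key")
    if ds_digest(zone, rdata, attrs["digest_type"]) != attrs["digest"].upper():
        problems.append("digest does not match public_key")
    return problems


# Constructed sample (not a real zone): 64 zero bytes stand in for the key.
SAMPLE = {"flags": 257, "algorithm": "13", "digest_type": "2", "key_tag": 1038,
          "public_key": base64.b64encode(bytes(64)).decode()}
SAMPLE["digest"] = ds_digest("example.com", dnskey_rdata(257, 13, SAMPLE["public_key"]), 2)

if __name__ == "__main__":
    print(check_dnssec_attrs("example.com", SAMPLE) or "attributes are consistent")
```

The same check can be run against the DNSKEY and DS records returned by a resolver, to confirm that what the parent zone publishes matches the key the zone is actually signed with.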