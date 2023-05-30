DNSSEC states
This page describes different DNSSEC states and how they relate to the responses you get from the DNSSEC details API endpoint.
|State
|API response
|Description
|Pending
"status":"pending"
"modified_on":<TIME_STAMP>
|DNSSEC has been enabled but the Cloudflare DS record has not been added at the registrar.
|Active
"status":"active"
"modified_on":<TIME_STAMP>
|DNSSEC has been enabled and the Cloudlfare DS record is present at the registrar.
|Pending-disabled
"status":"pending-disabled"
"modified_on":<TIME_STAMP>
|DNSSEC has been disabled but the Cloudflare DS record is still added at the registrar.
|Disabled
"status":"disabled"
"modified_on":<TIME_STAMP>
|DNSSEC has been disabled and the Cloudflare DS record has been removed from the registrar.
|Deleted
"status":"disabled"
"modified_on": null
|DNSSEC has never been enabled for the zone or DNSSEC has been disabled and then deleted using the Delete DNSSEC records endpoint.
In both
pending and
active states, Cloudflare signs the zone and responds with
RRSIG,
NSEC,
DNSKEY,
CDS, and
CDNSKEY record types.
In
pending-disabled and
disabled states, Cloudflare still signs the zone and serves
RRSIG,
NSEC, and
DNSKEY record types, but the
CDS and
CDNSKEY records are set to zero (
RFC 8078), signaling to the registrar that DNSSEC should be disabled.
Refer to How DNSSEC works to learn more about the authentication process and records involved.