Set up multi-signer DNSSEC
This page explains how you can enable multi-signer DNSSEC with Cloudflare, using the model 2 as described in RFC 8901 ↗.
Note that:
- This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
- Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
- Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings ↗ only replaces the first step in 1. Set up Cloudflare zone. You still have to follow the rest of this tutorial to complete the setup.
If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- Select Enable DNSSEC and Confirm.
- Also enable Multi-signer DNSSEC and Multi-provider DNS.
- Go to DNS > Records and create the following records at your zone apex (meaning you should use
@
in the record Name field):- A DNSKEY record with the zone signing key(s) (ZSKs) of your external provider(s).
- A NS record with your external provider nameservers.
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set
status
toactive
anddnssec_multi_signer
totrue
, as in the following example.
curl --request PATCH \"https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "status": "active", "dnssec_multi_signer": true}'
- Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone.
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "DNSKEY", "name": "<ZONE_NAME>", "data": { "flags": 256, "protocol": 3, "algorithm": 13, "public_key": "<PUBLIC_KEY>" }, "ttl": 3600}'
- Add your external provider(s) nameservers as NS records on your zone apex.
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "NS", "name": "<ZONE_NAME>", "content": "<NS_DOMAIN>", "ttl": 86400}'
- Enable the usage of the nameservers you added in the previous step by using the API request below.
curl --request PATCH \"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "multi_provider": true}'
If you use Cloudflare as a secondary DNS provider, do the following:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- For DNSSEC with Secondary DNS select Live signing.
- Also enable Multi-signer DNSSEC.
- Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
- Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set
status
toactive
anddnssec_multi_signer
totrue
, as in the following example.
$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "status": "active", "dnssec_multi_signer": true}'
-
Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
-
Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
- Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
API example:
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"
Command line query example:
$ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
- Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
- Add Cloudflare's nameservers to the NS record set at your external provider(s).
-
Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard ↗ by going to DNS > Settings > DS Record.
-
Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.