Set up multi-signer DNSSEC
This page explains how you can enable multi-signer DNSSEC with Cloudflare, using the model 2 as described in RFC 8901 ↗.
Note that:
- This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
- Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
- Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings ↗ only replaces the first step in 1. Set up Cloudflare zone. You still have to follow the rest of this tutorial to complete the setup.
If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- Select Enable DNSSEC and Confirm.
- Also enable Multi-signer DNSSEC and Multi-provider DNS.
- Go to DNS > Records and create the following records at your zone apex (meaning you should use
@
in the record Name field):- A DNSKEY record with the zone signing key(s) (ZSKs) of your external provider(s).
- An NS record with your external provider nameservers.
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set
status
toactive
anddnssec_multi_signer
totrue
, as in the following example.
Required API token permissions
At least one of the following token permissions
is required:
DNS Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec" \ --request PATCH \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "status": "active", "dnssec_multi_signer": true }'
- Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone.
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "DNSKEY", "name": "<ZONE_NAME>", "data": { "flags": 256, "protocol": 3, "algorithm": 13, "public_key": "<PUBLIC_KEY>" }, "ttl": 3600}'
- Add your external provider(s) nameservers as NS records on your zone apex.
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "NS", "name": "<ZONE_NAME>", "content": "<NS_DOMAIN>", "ttl": 86400}'
- Enable the usage of the nameservers you added in the previous step by using the API request below.
Required API token permissions
At least one of the following token permissions
is required:
Zone DNS Settings Write
DNS Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_settings" \ --request PATCH \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "multi_provider": true }'
If you use Cloudflare as a secondary DNS provider, do the following:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- For DNSSEC with Secondary DNS select Live signing.
- Also enable Multi-signer DNSSEC.
- Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
- Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set
status
toactive
anddnssec_multi_signer
totrue
, as in the following example.
Required API token permissions
At least one of the following token permissions
is required:
DNS Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec" \ --request PATCH \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "status": "active", "dnssec_multi_signer": true }'
-
Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
-
Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.
- Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
API example:
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"
Command line query example:
$ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
- Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
- Add Cloudflare's nameservers to the NS record set at your external provider(s).
-
Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard ↗ by going to DNS > Settings > DS Record.
-
Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark