Setup
This page explains how you can enable multi-signer DNSSEC with Cloudflare, using the model 2 as described in RFC 8901 ↗.
Note that:
- This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
- Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
- Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings ↗ only replaces the first step in 1. Set up Cloudflare zone. You still have to follow the rest of this tutorial to complete the setup.
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting
status
toactive
anddnssec_multi_signer
totrue
, as in the following example.
- Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone.
- Add your external provider(s) nameservers as NS records on your zone apex.
- Enable the usage of the nameservers you added in the previous step by using the API request below. Alternatively, go to DNS > Settings ↗ and enable Multi-provider DNS.
- Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
API example:
Command line query example:
- Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
- Add Cloudflare's nameservers to the NS record set at your external provider(s).
-
Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard ↗ by going to DNS > Settings > DS Record.
-
Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.