Multi-Signer DNSSEC

oscar · December 3, 2022, 7:09pm

Hello,

I try to add DNSKEY records to my zone for Multi-Signer DNSSEC, but I receive the following error:

Adding DNSKEY records requires multi-provider DNSSEC to be enabled on the zone, see httpx://api.cloudflare.com/#dnssec. (Code: 9223)

Is it possible to have this enabled?

Thank you for letting me know!

Regards,
Oscar

system · December 18, 2022, 7:10pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

hannes · February 22, 2023, 9:54am

Hey @oscar we will be publishing these steps on our developer docs eventually, but if you want to configure Multi-Signer DNSSEC in the meantime, you can go ahead an follow these steps:

Step-by-Step instructions to configure Multi-Signer DNSSEC (RFC 8901)

Enable Multi-Signer on your zone by choosing the model (1 or 2):

API request:

$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{"dnssec_multi_model": 2}'

Upload another provider’s ZSK by creating a DNSKEY record on your zone (either via UI or API):

API request:

$ curl -X POST 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
  "type": "DNSKEY",
  "name": "<ZONE_NAME>",
  "data": {
    "flags": 256,
    "protocol": 3,
    "algorithm": 13,
    "public_key": "<PUBLIC_KEY>"
    },
  "ttl":3600
}'

Enable DNSSEC for your zone on Cloudflare (via UI or API):

API request:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
--data '{"status": "active"}'

Add another provider’s nameservers as NS records on your zone apex either via UI or API:

API request:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
-d '{
  "type":"NS",
  "name":"<ZONE_NAME>",
  "content": "<NS_DOMAIN",
  "ttl":86400
}'

By default Cloudflare does not serve any NS records set on the zone apex. This needs to be enabled first:

API request (this endpoint will likely change in the future but can still be used to achieve this):

$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_settings/use_apex_ns' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
  "id": "use_apex_ns",
  "value": true
}'

Fetch Cloudflare’s ZSK via API (alternatively query it from one of the assigned Cloudflare nameservers):

API request:

$ curl -X GET 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec/zsk' \
-H 'X-Auth-Email: <EMAIL>'
-H 'X-Auth-Key: <KEY>'
-H 'Content-Type: application/json'

Command line query:

$ dig <ZONE_NAME> dnskey +noall +answer grep 256

Add Cloudflare’s ZSK to the other provider(s).
Add Cloudflare’s nameservers to the other provider(s).
Add DS records at your registrar, one for each provider. Each provider usually provides their DS.
Update the nameserver settings at the registrar to include the nameservers of all providers.

hannes · July 12, 2023, 10:34am

Developer Documentation has been updated: Multi-signer DNSSEC · Cloudflare DNS docs