Multi-Signer DNSSEC

Hello,

I try to add DNSKEY records to my zone for Multi-Signer DNSSEC, but I receive the following error:

Adding DNSKEY records requires multi-provider DNSSEC to be enabled on the zone, see httpx://api.cloudflare.com/#dnssec. (Code: 9223)

Is it possible to have this enabled?

Thank you for letting me know!

Regards,
Oscar


Hey @oscar we will be publishing these steps on our developer docs eventually, but if you want to configure Multi-Signer DNSSEC in the meantime, you can go ahead and follow these steps:

Step-by-Step instructions to configure Multi-Signer DNSSEC (RFC 8901)

  1. Enable Multi-Signer on your zone by choosing the model (1 or 2):

API request:

$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{"dnssec_multi_model": 2}'

  2. Upload another provider’s ZSK by creating a DNSKEY record on your zone (either via UI or API):

API request:

$ curl -X POST 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
  "type": "DNSKEY",
  "name": "<ZONE_NAME>",
  "data": {
    "flags": 256,
    "protocol": 3,
    "algorithm": 13,
    "public_key": "<PUBLIC_KEY>"
  },
  "ttl": 3600
}'

  3. Enable DNSSEC for your zone on Cloudflare (via UI or API):

API request:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
--data '{"status": "active"}'

  4. Add another provider’s nameservers as NS records on your zone apex either via UI or API:

API request (an NS record is created through the dns_records endpoint, not the dnssec endpoint):

curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
-d '{
  "type": "NS",
  "name": "<ZONE_NAME>",
  "content": "<NS_DOMAIN>",
  "ttl": 86400
}'

  5. By default Cloudflare does not serve any NS records set on the zone apex. This needs to be enabled first:

API request (this endpoint will likely change in the future but can still be used to achieve this):

$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_settings/use_apex_ns' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
  "id": "use_apex_ns",
  "value": true
}'

  6. Fetch Cloudflare’s ZSK via API (alternatively query it from one of the assigned Cloudflare nameservers):

API request:

$ curl -X GET 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec/zsk' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json'

Command line query (the ZSK is the DNSKEY with flags 256):

$ dig <ZONE_NAME> dnskey +noall +answer | grep 256

  7. Add Cloudflare’s ZSK to the other provider(s).

  8. Add Cloudflare’s nameservers to the other provider(s).

  9. Add DS records at your registrar, one for each provider. Each provider usually provides their DS.

  10. Update the nameserver settings at the registrar to include the nameservers of all providers.

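Once the steps above are done, the thing worth checking is that the two RFC 8901 invariants actually hold: every provider's DNSKEY RRset carries every provider's ZSK (flags 256), so a resolver that lands on either provider's nameservers can validate RRSIGs made by the other, and every KSK (flags 257) has a matching DS at the registrar. The script below is an added example, not Cloudflare's code or part of the original reply; it parses `dig <zone> DNSKEY +noall +answer` style output for each provider, computes key tags (RFC 4034 Appendix B) and SHA-256 DS digests (RFC 4509), and reports what is missing. The zone name, provider labels and key material are constructed for the example; in practice you would paste in the real dig output from each provider and the DS set your registrar shows.

```python
"""Consistency check for a multi-signer DNSSEC (RFC 8901) setup (added example)."""
import base64
import hashlib
import struct

ZSK, KSK = 256, 257


def wire_name(name):
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) followed by the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(zone, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name wire format + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(zone) + rdata).hexdigest().upper()


def ds_record(zone, key):
    """(key_tag, algorithm, digest_type, digest) as a registrar would publish it."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], 2, ds_sha256(zone, rdata))


def parse_dnskey_rrset(text):
    """Parse 'owner ttl class DNSKEY flags proto alg key...' lines into (flags, proto, alg, key) tuples."""
    keys = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        keys.append((int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
    return keys


def missing_zsks(rrsets):
    """{provider: [key tags]} of ZSKs that some provider's DNSKEY RRset does not publish."""
    all_zsks = {key_tag(dnskey_rdata(*k)) for keys in rrsets.values() for k in keys if k[0] == ZSK}
    missing = {}
    for provider, keys in rrsets.items():
        have = {key_tag(dnskey_rdata(*k)) for k in keys if k[0] == ZSK}
        if all_zsks - have:
            missing[provider] = sorted(all_zsks - have)
    return missing


def missing_ds(zone, rrsets, parent_ds):
    """Key tags of KSKs seen at any provider that have no matching SHA-256 DS in parent_ds."""
    expected = {}
    for keys in rrsets.values():
        for k in keys:
            if k[0] == KSK:
                rec = ds_record(zone, k)
                expected[rec[0]] = rec
    return sorted(tag for tag, rec in expected.items() if rec not in parent_ds)


# --- constructed sample data (not real keys; raw key bytes are simple byte ranges) ---
ZONE = "example.com."


def _b64(raw):
    return base64.b64encode(raw).decode()


CF_ZSK = (ZSK, 3, 13, _b64(bytes(range(0, 64))))
CF_KSK = (KSK, 3, 13, _b64(bytes(range(64, 128))))
OTHER_ZSK = (ZSK, 3, 13, _b64(bytes(range(128, 192))))
OTHER_KSK = (KSK, 3, 13, _b64(bytes(range(192, 256))))


def rr_line(zone, key):
    """One dig-style presentation line for a DNSKEY record."""
    return f"{zone}\t3600\tIN\tDNSKEY\t{key[0]} {key[1]} {key[2]} {key[3]}"


# Cloudflare publishes its own keys plus the other provider's ZSK (step 2 above);
# the other provider has not yet imported Cloudflare's ZSK (step 7), which the check should flag.
DIG_OUTPUT = {
    "cloudflare": "\n".join(rr_line(ZONE, k) for k in (CF_ZSK, CF_KSK, OTHER_ZSK)),
    "other": "\n".join(rr_line(ZONE, k) for k in (OTHER_ZSK, OTHER_KSK)),
}
RRSETS = {p: parse_dnskey_rrset(t) for p, t in DIG_OUTPUT.items()}

if __name__ == "__main__":
    print("ZSKs missing per provider:", missing_zsks(RRSETS))
    # registrar has a DS for Cloudflare's KSK only, so the other provider's KSK is reported
    print("KSKs without DS at parent:", missing_ds(ZONE, RRSETS, {ds_record(ZONE, CF_KSK)}))
```

Run it as-is to see both failure modes reported; replace `DIG_OUTPUT` with the real answer sections from each provider's nameservers and the `parent_ds` set with what the registrar publishes, and an empty result from both checks means the setup matches the steps above.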

Developer Documentation has been updated: Multi-signer DNSSEC · Cloudflare DNS docs
