oscar
December 3, 2022, 7:09pm
1
Hello,
I try to add DNSKEY records to my zone for Multi-Signer DNSSEC, but I receive the following error:
Adding DNSKEY records requires multi-provider DNSSEC to be enabled on the zone, see httpx://api.cloudflare.com/#dnssec . (Code: 9223)
Is it possible to have this enabled?
Thank you for letting me know!
Regards,
Oscar
system
Closed
December 18, 2022, 7:10pm
2
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
hannes
February 22, 2023, 9:54am
3
Hey @oscar we will be publishing these steps on our developer docs eventually, but if you want to configure Multi-Signer DNSSEC in the meantime, you can go ahead and follow these steps:
Step-by-Step instructions to configure Multi-Signer DNSSEC (RFC 8901)
Enable Multi-Signer on your zone by choosing the model (1 or 2):
API request:
$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{"dnssec_multi_model": 2}'
Upload another provider’s ZSK by creating a DNSKEY record on your zone (either via UI or API):
API request:
$ curl -X POST 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
"type": "DNSKEY",
"name": "<ZONE_NAME>",
"data": {
"flags": 256,
"protocol": 3,
"algorithm": 13,
"public_key": "<PUBLIC_KEY>"
},
"ttl":3600
}'
Enable DNSSEC for your zone on Cloudflare (via UI or API):
API request:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
--data '{"status": "active"}'
Add another provider’s nameservers as NS records on your zone apex either via UI or API:
API request:
curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <KEY>" \
-H "Content-Type: application/json" \
-d '{
"type":"NS",
"name":"<ZONE_NAME>",
"content": "<NS_DOMAIN>",
"ttl":86400
}'
By default Cloudflare does not serve any NS records set on the zone apex. This needs to be enabled first:
API request (this endpoint will likely change in the future but can still be used to achieve this):
$ curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_settings/use_apex_ns' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json' \
-d '{
"id": "use_apex_ns",
"value": true
}'
Fetch Cloudflare’s ZSK via API (alternatively query it from one of the assigned Cloudflare nameservers):
API request:
$ curl -X GET 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dnssec/zsk' \
-H 'X-Auth-Email: <EMAIL>' \
-H 'X-Auth-Key: <KEY>' \
-H 'Content-Type: application/json'
Command line query:
$ dig <ZONE_NAME> dnskey +noall +answer | grep 256
Add Cloudflare’s ZSK to the other provider(s).
Add Cloudflare’s nameservers to the other provider(s).
Add DS records at your registrar, one for each provider. Each provider usually provides their DS.
Update the nameserver settings at the registrar to include the nameservers of all providers.
3 Likes
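An added example (my own, not code from the thread or from Cloudflare) that checks the end state the steps above describe: every provider publishes every provider's ZSK (flags 256), all providers serve the same apex NS set, and the registrar holds one DS per provider KSK (flags 257). Key tags and DS digests follow RFC 4034 and RFC 4509; the zone name, nameserver hosts and key material are constructed placeholders.

```python
import base64
import hashlib
import struct
def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (the algorithm 1 special case is not handled)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey_b64)):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(zone, flags, protocol, algorithm, pubkey_b64):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    labels = zone.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return hashlib.sha256(wire + dnskey_rdata(flags, protocol, algorithm, pubkey_b64)).hexdigest().upper()

def check_multi_signer(zone, providers, parent_ds, parent_ns):
    """RFC 8901 model 2 invariants. providers: {name: {"dnskey": {(flags, proto, alg, key)}, "ns": {host}}},
    parent_ds: {(key_tag, alg, digest_type, digest_hex)}, parent_ns: {host}. Returns a list of problems."""
    all_zsk = {k for p in providers.values() for k in p["dnskey"] if k[0] == 256}
    all_ns = {n for p in providers.values() for n in p["ns"]}
    problems = []
    for name, p in providers.items():
        # Every provider must publish every provider's ZSK, or RRSIGs made with the other ZSK fail to validate.
        problems += [f"{name}: DNSKEY RRset lacks ZSK tag {key_tag(*k)}" for k in all_zsk - p["dnskey"]]
        # Every provider must serve the same apex NS RRset, listing all providers' nameservers.
        problems += [f"{name}: apex NS RRset lacks {n}" for n in sorted(all_ns - p["ns"])]
        # Each provider's KSK (flags 257) needs its own DS at the registrar.
        for k in (k for k in p["dnskey"] if k[0] == 257):
            if (key_tag(*k), k[2], 2, ds_sha256(zone, *k)) not in parent_ds:
                problems.append(f"{name}: no DS at parent for KSK tag {key_tag(*k)}")
    problems += [f"registrar: delegation NS set lacks {n}" for n in sorted(all_ns - parent_ns)]
    return problems

def example_deployment(drop_imported_zsk=False):
    """Constructed two-provider setup; names and keys are placeholders, not real key material."""
    zone, cf_ksk, cf_zsk = "example.com", (257, 3, 13, "AQID"), (256, 3, 13, "BAUG")
    ot_ksk, ot_zsk = (257, 3, 13, "BwgJ"), (256, 3, 13, "CgsM")
    ns_all = {"ns.cf.example", "ns.other.example"}
    cf_keys = {cf_ksk, cf_zsk} if drop_imported_zsk else {cf_ksk, cf_zsk, ot_zsk}
    providers = {"cloudflare": {"dnskey": cf_keys, "ns": ns_all},
                 "other": {"dnskey": {ot_ksk, ot_zsk, cf_zsk}, "ns": ns_all}}
    parent_ds = {(key_tag(*k), 13, 2, ds_sha256(zone, *k)) for k in (cf_ksk, ot_ksk)}
    return check_multi_signer(zone, providers, parent_ds, ns_all)
```

Running `example_deployment()` on the complete setup returns no problems; passing `drop_imported_zsk=True` reproduces the case where step 2 (uploading the other provider's ZSK) was skipped.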
hannes
July 12, 2023, 10:34am
4
Developer Documentation has been updated: Multi-signer DNSSEC · Cloudflare DNS docs
1 Like