Enable DNSSEC

This function enables DNSSEC on the domain.

Note:

After you enable DNSSEC on the domain, you must add the DNS records to your registrar.
You cannot modify the DNSSEC security key. To make any changes, you must disable (and delete) and re-create the DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

SecurityBasicAuth

Request

query Parameters

domain required	string <domain> The domain on which to enable DNSSEC. Note: To enable DNSSEC on multiple domains, increment the parameter name. For example: `domain-0`, `domain-1`, `domain-2`. Examples: To enable DNSSEC on multiple domains. domain=domain-0=example0.com&domain-1=example1.com&domain-2=example2.com To enable DNSSEC on a single domain. domain=example.com
active	integer Default: 1 Whether to activate the newly-created key. `1` — Activate the key. `0` — Do not activate the key. Enum: 0 1 Example: active=1
algo_num	integer [ 0 .. 255 ] Default: 8 The algorithm that the system uses to generate the security key. `5` — RSA/SHA-1 `6` — DSA-NSEC3-SHA1 `7` — RSASHA1-NSEC3-SHA1 `8` — RSA/SHA-256 `10` — RSA/SHA-512 `13` — ECDSA Curve P-256 with SHA-256 `14` — ECDSA Curve P-384 with SHA-384 Note: We recommend that you use `ECDSA Curve P-256 with SHA-256` if your registrar supports it. Example: algo_num=8
key_setup	string Default: "classic" The manner in which the system creates the security key. `simple` — Use a single key for both KSK and ZSK. Use this value when the `algo_nom` parameter is greater than `8`. `classic` — Use separate keys for KSK and ZSK. Use this value when the `algo_nom` parameter is equal to or less than `8`. Enum: "simple" "classic" Example: key_setup=classic
nsec3_iterations	integer [ 1 .. 500 ] Default: 7 The number of times that the system rehashes the first resource record hash operation. A positive integer less than `501`. Example: nsec3_iterations=7
nsec3_narrow	integer Default: 1 Whether NSEC3 will operate in Narrow or Inclusive mode. In Narrow mode, PowerDNS sends out white lies about the next secure record. Rather than query the resource record in the database, PowerDNS sends the hash plus `1` as the next secure record. `1` — Narrow mode. `0` — Inclusive mode. Enum: 0 1 Example: nsec3_narrow=1
nsec3_opt_out	integer Default: 0 Whether the system will create records for all delegations. `1` — Create records for all delegations. `0` — Create records only for secure delegations. Note: Only select `1` if you must create records for all delegations. Enum: 0 1 Example: nsec3_opt_out=0
nsec3_salt	string <hex> <= 255 characters A hexadecimal string that the system appends to the domain name before it applies the hash function to the name. For more information about the salt value, read the RFC 5155 documentation. If you do not declare a value, the system defaults to a random 64-bit value. Example: nsec3_salt=1A2B3C4D5E6F
use_nsec3	integer Default: 1 Whether the domain will use Next Secure Record (NSEC) or NSEC3 semantics. `1` — Use NSEC3 semantics. `0` — Use NSEC semantics. Note: If you use NSEC semantics (`0`), the system ignores the other NSEC3 options. Enum: 0 1 Example: use_nsec3=1

Responses

200

HTTP Request was successful.

Response Schema: application/json

apiversion	integer The version of the API.
func	string The name of the method called.
module	string The name of the module called.
	object

get/DNSSEC/enable_dnssec

Request samples

CLI
URL
LiveAPI Perl
LiveAPI PHP

uapi --output=jsonpretty \
  --user=username \
  DNSSEC \
  enable_dnssec \
  domain='example.com'

Response samples

application/json

{"apiversion": 3,
"func": "enable_dnssec",
"module": "DNSSEC",
"result": {"data": {"enabled": {"example.com": {"enabled": 1,
"new_key_id": "1",
"nsec_version": "NSEC3"
}
}
},
"errors": null,
"messages": null,
"metadata": { },
"status": 1,
"warnings": null
}
}