Enable DNSSEC

This function enables DNSSEC on the domain.

Note:

  • After you enable DNSSEC on the domain, you must add the DNS records to your registrar.
  • You cannot modify the DNSSEC security key. To make any changes, you must disable (and delete) and re-create the DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

Authorizations:
query Parameters
domain
required
string <domain>

The domain on which to enable DNSSEC.

Note:

To enable DNSSEC on multiple domains, increment the parameter name. For example: domain-0, domain-1, domain-2.

Examples:
domain-0=example0.com&domain-1=example1.com&domain-2=example2.com
domain=example.com
active
integer
Default: 1

Whether to activate the newly-created key.

  • 1 — Activate the key.
  • 0 — Do not activate the key.
Enum: 0 1
Example: active=1
algo_num
integer [ 0 .. 255 ]
Default: 8

The algorithm that the system uses to generate the security key.

  • 5 — RSA/SHA-1
  • 6 — DSA-NSEC3-SHA1
  • 7 — RSASHA1-NSEC3-SHA1
  • 8 — RSA/SHA-256
  • 10 — RSA/SHA-512
  • 13 — ECDSA Curve P-256 with SHA-256
  • 14 — ECDSA Curve P-384 with SHA-384

Note:

We recommend that you use ECDSA Curve P-256 with SHA-256 if your registrar supports it.

Example: algo_num=8
key_setup
string
Default: "classic"

The manner in which the system creates the security key.

  • simple — Use a single key for both KSK and ZSK. Use this value when the algo_num parameter is greater than 8.
  • classic — Use separate keys for KSK and ZSK. Use this value when the algo_num parameter is equal to or less than 8.
Enum: "simple" "classic"
Example: key_setup=classic
nsec3_iterations
integer [ 1 .. 500 ]
Default: 7

The number of times that the system rehashes the result of the first resource record hash operation.

A positive integer less than 501.

Example: nsec3_iterations=7
nsec3_narrow
integer
Default: 1

Whether NSEC3 will operate in Narrow or Inclusive mode.

In Narrow mode, PowerDNS sends out white lies about the next secure record. Rather than query the resource record in the database, PowerDNS sends the hash plus 1 as the next secure record.

  • 1 — Narrow mode.
  • 0 — Inclusive mode.
Enum: 0 1
Example: nsec3_narrow=1
nsec3_opt_out
integer
Default: 0

Whether the system will create records for all delegations.

  • 1 — Create records for all delegations.
  • 0 — Create records only for secure delegations.

Note:

Only select 1 if you must create records for all delegations.

Enum: 0 1
Example: nsec3_opt_out=0
nsec3_salt
string <hex> <= 255 characters

A hexadecimal string that the system appends to the domain name before it applies the hash function to the name. For more information about the salt value, read the RFC 5155 documentation.

If you do not declare a value, the system defaults to a random 64-bit value.

Example: nsec3_salt=1A2B3C4D5E6F
use_nsec3
integer
Default: 1

Whether the domain will use Next Secure Record (NSEC) or NSEC3 semantics.

  • 1 — Use NSEC3 semantics.
  • 0 — Use NSEC semantics.

Note:

If you use NSEC semantics (0), the system ignores the other NSEC3 options.

Enum: 0 1
Example: use_nsec3=1
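
The parameter rules above can be checked before a request is sent. The following is an added example, not part of the original documentation or the vendor's code: the helper names are hypothetical, and it defaults algo_num to the recommended 13 rather than the API default of 8.

```python
import re
from urllib.parse import urlencode

# algo_num values listed in the parameter description above.
ALGORITHMS = {5, 6, 7, 8, 10, 13, 14}


def _flag(name, value):
    """Accept only the documented Enum values 0 and 1."""
    if value not in (0, 1):
        raise ValueError(f"{name} must be 0 or 1")
    return (name, int(value))


def build_enable_dnssec_query(domains, algo_num=13, active=1, use_nsec3=1,
                              nsec3_iterations=7, nsec3_narrow=1,
                              nsec3_opt_out=0, nsec3_salt=None):
    """Return a validated enable_dnssec query string or raise ValueError."""
    if not domains:
        raise ValueError("at least one domain is required")
    if algo_num not in ALGORITHMS:
        raise ValueError(f"unsupported algo_num: {algo_num}")
    # One domain uses "domain"; several use domain-0, domain-1, ...
    if len(domains) == 1:
        params = [("domain", domains[0])]
    else:
        params = [(f"domain-{i}", d) for i, d in enumerate(domains)]
    # key_setup follows algo_num: simple above 8, classic at 8 or below.
    key_setup = "simple" if algo_num > 8 else "classic"
    params += [_flag("active", active), ("algo_num", algo_num),
               ("key_setup", key_setup), _flag("use_nsec3", use_nsec3)]
    if use_nsec3 == 0:
        # With NSEC semantics the NSEC3 options are ignored, so omit them.
        return urlencode(params)
    if not 1 <= nsec3_iterations <= 500:
        raise ValueError("nsec3_iterations must be between 1 and 500")
    params += [("nsec3_iterations", nsec3_iterations),
               _flag("nsec3_narrow", nsec3_narrow),
               _flag("nsec3_opt_out", nsec3_opt_out)]
    if nsec3_salt is not None:
        # Hexadecimal, at most 255 characters; omitted means a random salt.
        if not re.fullmatch(r"[0-9A-Fa-f]{1,255}", nsec3_salt):
            raise ValueError("nsec3_salt must be 1-255 hex characters")
        params.append(("nsec3_salt", nsec3_salt))
    return urlencode(params)
```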

Responses

Response Schema: application/json
apiversion
integer

The version of the API.

func
string

The name of the method called.

module
string

The name of the module called.

object

Request samples

uapi --output=jsonpretty \
  --user=username \
  DNSSEC \
  enable_dnssec \
  domain='example.com'

Response samples

Content type
application/json
{
  "apiversion": 3,
  "func": "enable_dnssec",
  "module": "DNSSEC",
  "result": {
    "data": {
      "enabled": {
        "example.com": {
          "enabled": 1,
          "new_key_id": "1",
          "nsec_version": "NSEC3"
        }
      }
    },
    "errors": null,
    "messages": null,
    "metadata": {},
    "status": 1,
    "warnings": null
  }
}