Enable DNSSEC on domain

This function enables DNSSEC on the domain.

Note:

  • Only servers that run PowerDNS can use DNSSEC. If you call this function on a server that doesn't use PowerDNS, you will receive an error.
  • After you enable DNSSEC on the domain, you must add the Delegation of Signing (DS) records on your DNS server and with your registrar.
  • You cannot modify the DNSSEC security key. To make any changes, you must disable, delete, and re-create the DNSSEC security key.
query Parameters
domain
required
string <domain>

The domain for which to enable DNSSEC.

Note:

To enable DNSSEC on multiple domains, duplicate or increment the parameter name. For example, to enable DNSSEC on three domains, you could:

  • Use the domain parameter multiple times.
  • Use the domain, domain-1, and domain-2 parameters.
Examples:
domain=example.com&domain-1=example1.com&domain-2=example2.com
domain=example.com&domain=example1.com&domain=example2.com
domain=example.com
active
integer
Default: 1

Whether to activate the newly-created key.

  • 1 - Activate the key.
  • 0 - Do not activate the key.
Enum: 0 1
Example: active=1
algo_num
integer
Default: 8

The algorithm that the system uses to generate the security key.

  • 5 - RSA/SHA-1
  • 6 - DSA-NSEC3-SHA1
  • 7 - RSASHA1-NSEC3-SHA1
  • 8 - RSA/SHA-256
  • 10 - RSA/SHA-512
  • 13 - ECDSA Curve P-256 with SHA-256
  • 14 - ECDSA Curve P-384 with SHA-384

Note:

We recommend that you use the 13 value (ECDSA Curve P-256 with SHA-256) if your registrar supports it.

Enum: 5 6 7 8 10 13 14
Example: algo_num=8
key_setup
string
Default: "classic"

The manner in which the system creates the security key.

  • classic - Use separate keys for KSK and ZSK. Use this value when the algo_num parameter is equal to or less than 8.
  • simple - Use a single key for both KSK and ZSK. Use this value when the algo_num parameter is greater than 8.
Enum: "classic" "simple"
Example: key_setup=classic
nsec3_iterations
integer [ 1 .. 500 ]
Default: 7

The number of times that the system rehashes the first resource record hash operation.

Example: nsec3_iterations=7
nsec3_narrow
integer
Default: 1

Whether NSEC3 operates in Narrow or Inclusive mode.

Note:

For information about these modes, read PowerDNS's DNSSEC documentation.

  • 1 - Narrow mode.
  • 0 - Inclusive mode.
Enum: 0 1
Example: nsec3_narrow=1
nsec3_opt_out
integer
Default: 0

Whether the system will create records for all delegations.

  • 1 - Create records for all delegations.
  • 0 - Create records only for secure delegations.

Note:

Only use the 1 value if you must create records for all delegations.

Enum: 0 1
Example: nsec3_opt_out=1
nsec3_salt
string

A hexadecimal string that the system appends to the domain name before it applies the hash function to the name.

Note:

For information about salt values, read RFC 5155.

Example: nsec3_salt=1a2b3c4d5e6f
use_nsec3
integer
Default: 1

Whether the domain will use Next Secure Record (NSEC) or NSEC3 semantics.

  • 1 - Use NSEC3 semantics.
  • 0 - Use NSEC semantics.

Note:

If you use the 0 value (NSEC semantics), the system ignores the other NSEC3 options.

Enum: 0 1
Example: use_nsec3=1

Responses

Response Schema: application/json

Request samples

whmapi1 --output=jsonpretty \
  enable_dnssec_for_domains \
  domain='example.com'
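
Added example (not part of the cPanel documentation): a Python pre-flight check that builds the `whmapi1` argument list for several domains and rejects parameter combinations that the tables above rule out. The function name `build_enable_dnssec_argv` and the choice to treat the `key_setup` guidance as a hard error are assumptions of this example; its default of `algo_num=13` follows the page's recommendation rather than the API default of 8.

```python
import re

# Values taken from the parameter tables on this page.
ALGOS = {5, 6, 7, 8, 10, 13, 14}
HEX = re.compile(r"[0-9a-fA-F]+")

def build_enable_dnssec_argv(domains, algo_num=13, key_setup=None, active=1,
                             use_nsec3=1, nsec3_iterations=7, nsec3_narrow=1,
                             nsec3_opt_out=0, nsec3_salt=None):
    """Return the whmapi1 argv for enable_dnssec_for_domains, or raise ValueError."""
    if not domains:
        raise ValueError("at least one domain is required")
    if algo_num not in ALGOS:
        raise ValueError(f"algo_num must be one of {sorted(ALGOS)}")
    # Page guidance: classic for algo_num <= 8, simple for algo_num > 8.
    expected = "classic" if algo_num <= 8 else "simple"
    key_setup = key_setup or expected
    if key_setup != expected:
        raise ValueError(f"algo_num={algo_num} calls for key_setup={expected}")
    for name, val in (("active", active), ("use_nsec3", use_nsec3),
                      ("nsec3_narrow", nsec3_narrow),
                      ("nsec3_opt_out", nsec3_opt_out)):
        if val not in (0, 1):
            raise ValueError(f"{name} must be 0 or 1")
    argv = ["whmapi1", "--output=jsonpretty", "enable_dnssec_for_domains"]
    # First domain uses "domain", the rest use "domain-1", "domain-2", ...
    for i, d in enumerate(domains):
        key = "domain" if i == 0 else f"domain-{i}"
        argv.append(f"{key}={d}")
    argv += [f"active={active}", f"algo_num={algo_num}",
             f"key_setup={key_setup}", f"use_nsec3={use_nsec3}"]
    if use_nsec3 == 1:  # the other NSEC3 options only matter with NSEC3 semantics
        if not 1 <= nsec3_iterations <= 500:
            raise ValueError("nsec3_iterations must be in 1..500")
        argv += [f"nsec3_iterations={nsec3_iterations}",
                 f"nsec3_narrow={nsec3_narrow}",
                 f"nsec3_opt_out={nsec3_opt_out}"]
        if nsec3_salt is not None:
            if not HEX.fullmatch(nsec3_salt):
                raise ValueError("nsec3_salt must be a hexadecimal string")
            argv.append(f"nsec3_salt={nsec3_salt}")
    return argv

if __name__ == "__main__":
    # Constructed sample input using the page's example domains.
    print(" ".join(build_enable_dnssec_argv(["example.com", "example1.com"])))
```

Pass the returned list directly to `subprocess.run` without `shell=True` so that domain values are never interpreted by a shell.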

Response samples

Content type
application/json
{
  "data": {
    "domains": [
      {
        "domain": "example.com",
        "enabled": 1,
        "new_key_id": "2",
        "nsec_error": "Error message.",
        "nsec_version": "NSEC3"
      }
    ]
  },
  "metadata": {
    "command": "enable_dnssec_for_domains",
    "reason": "OK",
    "result": 1,
    "version": 1
  }
}