---
pcx_content_type: how-to
title: Setup
weight: 5
meta:
  title: Set up multi-signer DNSSEC
---

Set up multi-signer DNSSEC

This page explains how you can enable multi-signer DNSSEC with Cloudflare, using model 2 as described in RFC 8901.

Before you begin

Note that:

  • This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
  • Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
  • Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings only replaces the first step in 1. Set up Cloudflare zone. You still have to follow the rest of this tutorial to complete the setup.

1. Set up Cloudflare zone

Note: The following steps also apply if you use Cloudflare as a secondary DNS provider, with the difference that, in such a case, the records in steps 2 and 3 should be transferred from the primary, and step 4 is not necessary.

  1. Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. This is done by setting status to active and dnssec_multi_signer to true, as in the following example.
$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>' \
--header 'Content-Type: application/json' \
--data '{
  "status": "active",
  "dnssec_multi_signer": true
}'
  2. Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone.
$ curl --request POST 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>' \
--header 'Content-Type: application/json' \
--data '{
  "type": "DNSKEY",
  "name": "<ZONE_NAME>",
  "data": {
    "flags": 256,
    "protocol": 3,
    "algorithm": 13,
    "public_key": "<PUBLIC_KEY>"
  },
  "ttl": 3600
}'
  3. Add your external provider(s) nameservers as NS records on your zone apex.
$ curl --request POST 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>' \
--header 'Content-Type: application/json' \
--data '{
  "type": "NS",
  "name": "<ZONE_NAME>",
  "content": "<NS_DOMAIN>",
  "ttl": 86400
}'
  4. Enable the usage of the nameservers you added in the previous step by using an API request, as in the following example.

Note: This step is required if you are using Cloudflare as a primary DNS provider. Without enabling this setting, Cloudflare will ignore any NS records created on the zone apex, which means that responses to DNS queries for NS records at the zone apex will only contain Cloudflare nameservers.

If you are using Cloudflare as a secondary DNS provider, this step is not necessary.

$ curl --request PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings/use_apex_ns' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>' \
--header 'Content-Type: application/json' \
--data '{
  "id": "use_apex_ns",
  "value": true
}'

2. Set up external provider

  1. Get Cloudflare's ZSK using either the API or a DNS query to one of the Cloudflare nameservers assigned to your zone.

API example:

$ curl 'https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <KEY>'

Command line query example:

$ dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
  2. Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
  3. Add Cloudflare's nameservers to the NS record set at your external provider(s).

3. Set up registrar

  1. Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard by going to DNS > Settings > DS Record.

  2. Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
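Once both providers have completed their steps, the model 2 setup is only correct if every provider serves every ZSK and every nameserver. The following added example (written for this page, not Cloudflare's tooling) checks that against the DNSKEY and NS RRsets you collect from each provider, and computes the RFC 4034 key tag of each key so it can be matched to a DS record at the registrar. Provider names, nameservers and key material are constructed samples, and the checker assumes the DNSKEY fields in the same shape as the API request above.

```python
import base64
import struct

def key_tag(rec):
    """Key tag of a DNSKEY (RFC 4034 Appendix B) computed from the API-style
    fields flags, protocol, algorithm and base64 public_key, so a ZSK seen in
    `dig <zone> dnskey` can be matched to the key tag a provider reports."""
    rdata = struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"])
    rdata += base64.b64decode(rec["public_key"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def zsks(dnskey_rrset):
    """ZSKs (flags 256) of a DNSKEY RRset, keyed by algorithm and key material."""
    return {(r["algorithm"], r["public_key"]) for r in dnskey_rrset if r["flags"] == 256}

def check_multi_signer(providers):
    """providers maps a provider name to the DNSKEY and NS RRsets it serves.
    Returns the records some provider is missing; [] means every ZSK and every
    nameserver is present at every provider, which is what model 2 requires."""
    all_zsks = set().union(*(zsks(p["dnskey"]) for p in providers.values()))
    all_ns = set().union(*(set(p["ns"]) for p in providers.values()))
    problems = []
    for name, p in providers.items():
        for alg, pk in sorted(all_zsks - zsks(p["dnskey"])):
            tag = key_tag({"flags": 256, "protocol": 3, "algorithm": alg, "public_key": pk})
            problems.append(f"{name}: DNSKEY RRset lacks ZSK with key tag {tag}")
        for ns in sorted(all_ns - set(p["ns"])):
            problems.append(f"{name}: NS RRset lacks {ns}")
    return problems

# Constructed sample data, not real keys or nameservers: an ECDSA P-256 (algorithm 13)
# ZSK and KSK per provider, with 64-byte placeholder key material.
def _fake_key(flags, start):
    return {"flags": flags, "protocol": 3, "algorithm": 13,
            "public_key": base64.b64encode(bytes(range(start, start + 64))).decode()}
CF_ZSK, CF_KSK = _fake_key(256, 0), _fake_key(257, 64)
EXT_ZSK, EXT_KSK = _fake_key(256, 128), _fake_key(257, 192)
CF_NS = ["ns1.cloudflare.example", "ns2.cloudflare.example"]
EXT_NS = ["ns1.external.example", "ns2.external.example"]
# Both providers finished steps 1 and 2 of the tutorial:
PROVIDERS_OK = {"cloudflare": {"dnskey": [CF_KSK, CF_ZSK, EXT_ZSK], "ns": CF_NS + EXT_NS},
                "external": {"dnskey": [EXT_KSK, EXT_ZSK, CF_ZSK], "ns": EXT_NS + CF_NS}}
# The external provider never imported Cloudflare's ZSK and nameservers:
PROVIDERS_INCOMPLETE = {"cloudflare": PROVIDERS_OK["cloudflare"],
                        "external": {"dnskey": [EXT_KSK, EXT_ZSK], "ns": EXT_NS}}
print(key_tag(CF_ZSK), check_multi_signer(PROVIDERS_INCOMPLETE))  # 59408 and three missing records
```

Feed it the RRsets returned by `dig <ZONE_NAME> dnskey` and `dig <ZONE_NAME> ns` against one nameserver of each provider; a non-empty result points at the step that was skipped.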