Manage DNSSEC Signing Keys

Prerequisite: To sign a zone, you need to first Create a DNS Zone.

Enable DNSSEC keys for a DNS zone

To enable DNSSEC keys for a DNS zone at IONOS Cloud DNS, follow these steps:

1. Perform a POST request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone where you want to enable DNSSEC keys.

3. In the request body, provide the key parameters used to sign the zone. These parameters include the signing algorithm, key length for both Key Signing Keys (KSK), Zone Signing Keys (ZSK), NSEC mode (NSEC or NSEC3), and other relevant settings.

Result: The DNSSEC keys for a DNS zone are successfully enabled.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO' \
--data '{      
  "properties": {
    "keyParameters": {
      "algorithm": "RSASHA256",
      "kskBits": 4096,
      "zskBits": 2048
    },
    "nsecParameters": {
      "nsecMode": "NSEC3",
      "nsec3Iterations": 21,
      "nsec3SaltBits": 128
    },
    "validity": 14
  }
}'

Response

202 Accepted

HTTP/1.1 202 Accepted

Retrieve DNSSEC keys for a DNS zone

To retrieve DNSSEC keys for a specific DNS zone at Cloud DNS, follow these steps:

1. Perform a GET request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone you want to retrieve keys for.

Result: The API response contains a list of DNSSEC keys associated with the specified DNS zone.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

200 OK

HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "id": "98277a78-a6a2-4672-ac9a-a68ca0a8d67a",
  "type": "dnsseckeys",
  "href": "<RESOURCE-URI>",
  "metadata": {
    "zoneId": "a363f30c-4c0c-4552-9a07-298d87f219bf",
    "items": [
      {
        "keyTag": 49057,
        "signAlgorithmMnemonic": "RSASHA256",
        "signAlgorithmNumber": 8,
        "digestAlgorithmMnemonic": "SHA-1",
        "digestAlgorithmNumber": 1,
        "digest": "CF58B511B2D8EF99263704A112703586E542E4FA",
        "keyData": {
          "flags": 257,
          "protocol": 3,
          "alg": 8,
          "pubKey": "AwEAAY6wMNhHk...RIrbLc="
        }
      }
      // ... other keys
    ]
  }
}

Response Fields

Field	Type	Description	Example
id	string	UUID of the DNSSEC key	98277a78-a6a2-4672-ac9a-a68ca0a8d67a
type	string	Type of the resource	dnsseckeys
href	string	URL of the resource
metadata	object	Metadata of the DNSSEC key
zoneId	string	UUID of the DNS zone	a363f30c-4c0c-4552-9a07-298d87f219bf
items	array	List of DNSSEC keys
keyTag	integer	Key tag of the DNSSEC key	49057
signAlgorithmMnemonic	string	Signing algorithm of the DNSSEC key	RSASHA256
signAlgorithmNumber	integer	Signing algorithm number of the DNSSEC key	8
digestAlgorithmMnemonic	string	Digest algorithm of the DNSSEC key	SHA-1
digestAlgorithmNumber	integer	Digest algorithm number of the DNSSEC key	1
digest	string	Digest of the DNSSEC key	CF58B511B2D8EF99263704A112703586E542E4FA
keyData	object	Key data of the DNSSEC key
flags	integer	Flags of the DNSSEC key	257
protocol	integer	Protocol of the DNSSEC key	3
alg	integer	Algorithm of the DNSSEC key	8
pubKey	string	Public key of the DNSSEC key	AwEAAY6wMNhHk...RIrbLc=

Field

Type

Description

Example

string

UUID of the DNSSEC key

98277a78-a6a2-4672-ac9a-a68ca0a8d67a

type

string

Type of the resource

dnsseckeys

href

string

URL of the resource

metadata

object

Metadata of the DNSSEC key

zoneId

string

UUID of the DNS zone

a363f30c-4c0c-4552-9a07-298d87f219bf

items

array

List of DNSSEC keys

keyTag

integer

Key tag of the DNSSEC key

49057

signAlgorithmMnemonic

string

Signing algorithm of the DNSSEC key

RSASHA256

signAlgorithmNumber

integer

Signing algorithm number of the DNSSEC key

digestAlgorithmMnemonic

string

Digest algorithm of the DNSSEC key

SHA-1

digestAlgorithmNumber

integer

Digest algorithm number of the DNSSEC key

digest

string

Digest of the DNSSEC key

CF58B511B2D8EF99263704A112703586E542E4FA

keyData

object

Key data of the DNSSEC key

flags

integer

Flags of the DNSSEC key

257

protocol

integer

Protocol of the DNSSEC key

alg

integer

Algorithm of the DNSSEC key

pubKey

string

Public key of the DNSSEC key

AwEAAY6wMNhHk...RIrbLc=

Disable DNSSEC Keys for a DNS zone

To disable and delete DNSSEC keys for a DNS zone at Cloud DNS, follow these steps:

1. Perform a DELETE request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone from which you want to remove DNSSEC keys.

Result: The DNSSEC keys for the selected DNS zone are successfully disabled. The associated DNSSEC key records for the DNS zone is removed.

Request

curl --location --request DELETE 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

202 Accepted

HTTP/1.1 202 Accepted

PreviousCreate a Secondary DNS Zone NextTutorials

Last updated 4 months ago