Manage DNSSEC Signing Keys

Prerequisite: To sign a zone, you need to first Create a DNS Zone.

Enable DNSSEC keys for a DNS zone

To enable DNSSEC keys for a DNS zone at IONOS Cloud DNS, follow these steps:

1. Perform a POST request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone where you want to enable DNSSEC keys.

3. In the request body, provide the key parameters used to sign the zone: the signing algorithm, the key lengths for the Key Signing Key (KSK) and the Zone Signing Key (ZSK), the NSEC mode (NSEC or NSEC3) with its NSEC3 parameters, and other relevant settings.

Result: The DNSSEC keys for the DNS zone are successfully enabled.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO' \
--data '{
  "properties": {
    "keyParameters": {
      "algorithm": "RSASHA256",
      "kskBits": 4096,
      "zskBits": 2048
    },
    "nsecParameters": {
      "nsecMode": "NSEC3",
      "nsec3Iterations": 21,
      "nsec3SaltBits": 128
    },
    "validity": 14
  }
}'

Response

202 Accepted

HTTP/1.1 202 Accepted

Retrieve DNSSEC keys for a DNS zone

To retrieve DNSSEC keys for a specific DNS zone at Cloud DNS, follow these steps:

1. Perform a GET request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone you want to retrieve keys for.

Result: The API response contains a list of DNSSEC keys associated with the specified DNS zone.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

200 OK

HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "id": "98277a78-a6a2-4672-ac9a-a68ca0a8d67a",
  "type": "dnsseckeys",
  "href": "<RESOURCE-URI>",
  "metadata": {
    "zoneId": "a363f30c-4c0c-4552-9a07-298d87f219bf",
    "items": [
      {
        "keyTag": 49057,
        "signAlgorithmMnemonic": "RSASHA256",
        "signAlgorithmNumber": 8,
        "digestAlgorithmMnemonic": "SHA-1",
        "digestAlgorithmNumber": 1,
        "digest": "CF58B511B2D8EF99263704A112703586E542E4FA",
        "keyData": {
          "flags": 257,
          "protocol": 3,
          "alg": 8,
          "pubKey": "AwEAAY6wMNhHk...RIrbLc="
        }
      }
      // ... other keys
    ]
  }
}

Response Fields

| Field | Type | Description | Example |
|---|---|---|---|
| id | string | UUID of the DNSSEC key | 98277a78-a6a2-4672-ac9a-a68ca0a8d67a |
| type | string | Type of the resource | dnsseckeys |
| href | string | URL of the resource | |
| metadata | object | Metadata of the DNSSEC key | |
| zoneId | string | UUID of the DNS zone | a363f30c-4c0c-4552-9a07-298d87f219bf |
| items | array | List of DNSSEC keys | |
| keyTag | integer | Key tag of the DNSSEC key | 49057 |
| signAlgorithmMnemonic | string | Signing algorithm of the DNSSEC key | RSASHA256 |
| signAlgorithmNumber | integer | Signing algorithm number of the DNSSEC key | 8 |
| digestAlgorithmMnemonic | string | Digest algorithm of the DNSSEC key | SHA-1 |
| digestAlgorithmNumber | integer | Digest algorithm number of the DNSSEC key | 1 |
| digest | string | Digest of the DNSSEC key | CF58B511B2D8EF99263704A112703586E542E4FA |
| keyData | object | Key data of the DNSSEC key | |
| flags | integer | Flags of the DNSSEC key | 257 |
| protocol | integer | Protocol of the DNSSEC key | 3 |
| alg | integer | Algorithm of the DNSSEC key | 8 |
| pubKey | string | Public key of the DNSSEC key | AwEAAY6wMNhHk...RIrbLc= |
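Before the DS record derived from a key in this list is handed to the parent zone, it is worth checking that the returned keyTag and digest really correspond to the keyData fields (RFC 4034 Appendix B and section 5.1.4). The following Python is an added example, not IONOS code: it recomputes both values from flags, protocol, alg and pubKey, flags a ZSK entry or a SHA-1 digest type (RFC 8624 marks SHA-1 MUST NOT for delegations), and formats the DS record. The zone name example.com., the 4-byte public key and the whole sample item are constructed placeholders; a real item from the API response is passed in the same way.

```python
import base64
import hashlib
import struct
# Constructed sample: placeholder zone name and a 4-byte "public key", not real key material.
ZONE = "example.com."
SAMPLE_KEY_DATA = {"flags": 257, "protocol": 3, "alg": 8, "pubKey": "AQIDBA=="}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # IANA DS digest types

def dnskey_rdata(key_data):
    # DNSKEY RDATA wire form: flags (2 bytes), protocol, algorithm, raw public key.
    header = struct.pack("!HBB", key_data["flags"], key_data["protocol"], key_data["alg"])
    return header + base64.b64decode(key_data["pubKey"])

def key_tag(rdata):
    # RFC 4034 Appendix B: even-offset bytes shifted left by 8, odd-offset bytes as-is, carry folded.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    # Canonical owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(zone, digest_type, key_data):
    # DS digest (RFC 4034 section 5.1.4) = hash(owner name | DNSKEY RDATA), upper-case hex.
    return DIGESTS[digest_type](owner_wire(zone) + dnskey_rdata(key_data)).hexdigest().upper()

def check_key(zone, item):
    # Problems to resolve before the DS derived from this item is published at the parent.
    kd, dt = item["keyData"], item["digestAlgorithmNumber"]
    checks = [(key_tag(dnskey_rdata(kd)) == item["keyTag"], "keyTag does not match the DNSKEY RDATA"),
              (ds_digest(zone, dt, kd) == item["digest"].upper(), "digest does not match owner name + DNSKEY"),
              (bool(kd["flags"] & 1), "SEP flag clear: this is a ZSK, derive the DS from the KSK"),
              (dt != 1, "SHA-1 DS digest: RFC 8624 says MUST NOT for delegations, use SHA-256")]
    return [msg for ok, msg in checks if not ok]

def ds_record(zone, item):
    # Presentation form of the DS record to hand to the parent zone operator.
    return "%s IN DS %d %d %d %s" % (zone, item["keyTag"], item["signAlgorithmNumber"],
                                     item["digestAlgorithmNumber"], item["digest"])

def sample_item(digest_type=2):
    # Self-consistent constructed item: keyTag and digest computed from SAMPLE_KEY_DATA.
    return {"keyTag": key_tag(dnskey_rdata(SAMPLE_KEY_DATA)), "signAlgorithmNumber": 8,
            "digestAlgorithmNumber": digest_type, "keyData": SAMPLE_KEY_DATA,
            "digest": ds_digest(ZONE, digest_type, SAMPLE_KEY_DATA)}
```

Run check_key on each entry of metadata.items from the GET response; only an entry with an empty problem list should be turned into a DS record.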

Disable DNSSEC Keys for a DNS zone

To disable and delete DNSSEC keys for a DNS zone at Cloud DNS, follow these steps:

1. Perform a DELETE request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone from which you want to remove DNSSEC keys.

Result: The DNSSEC keys for the selected DNS zone are disabled, and the associated DNSSEC key records for the DNS zone are removed.

Request

curl --location --request DELETE 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

202 Accepted

HTTP/1.1 202 Accepted
