User GuidesDeveloper ReferenceSupport FAQsLog in

Manage DNSSEC Signing Keys

Prerequisite: To sign a zone, you need to first Create a DNS Zone.

Enable DNSSEC keys for a DNS zone

To enable DNSSEC keys for a DNS zone at IONOS Cloud DNS, follow these steps:

1. Perform a POST request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone where you want to enable DNSSEC keys.

3. In the request body, provide the key parameters used to sign the zone. These parameters include the signing algorithm, key length for both Key Signing Keys (KSK), Zone Signing Keys (ZSK), NSEC mode (NSEC or NSEC3), and other relevant settings.

Result: The DNSSEC keys for a DNS zone are successfully enabled.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO' \
--data '{      
  "properties": {
    "keyParameters": {
      "algorithm": "RSASHA256",
      "kskBits": 4096,
      "zskBits": 2048
    },
    "nsecParameters": {
      "nsecMode": "NSEC3",
      "nsec3Iterations": 21,
      "nsec3SaltBits": 128
    },
    "validity": 14
  }
}'

Response

202 Accepted

HTTP/1.1 202 Accepted

Retrieve DNSSEC keys for a DNS zone

To retrieve DNSSEC keys for a specific DNS zone at Cloud DNS, follow these steps:

1. Perform a GET request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone you want to retrieve keys for.

Result: The API response contains a list of DNSSEC keys associated with the specified DNS zone.

Request

curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

200 OK

HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "id": "98277a78-a6a2-4672-ac9a-a68ca0a8d67a",
  "type": "dnsseckeys",
  "href": "<RESOURCE-URI>",
  "metadata": {
    "zoneId": "a363f30c-4c0c-4552-9a07-298d87f219bf",
    "items": [
      {
        "keyTag": 49057,
        "signAlgorithmMnemonic": "RSASHA256",
        "signAlgorithmNumber": 8,
        "digestAlgorithmMnemonic": "SHA-1",
        "digestAlgorithmNumber": 1,
        "digest": "CF58B511B2D8EF99263704A112703586E542E4FA",
        "keyData": {
          "flags": 257,
          "protocol": 3,
          "alg": 8,
          "pubKey": "AwEAAY6wMNhHk...RIrbLc="
        }
      }
      // ... other keys
    ]
  }
}

Disable DNSSEC Keys for a DNS zone

To disable and delete DNSSEC keys for a DNS zone at Cloud DNS, follow these steps:

1. Perform a DELETE request to the /zones/{zoneId}/keys endpoint.

2. Replace {zoneId} with the UUID of the DNS zone from which you want to remove DNSSEC keys.

Result: The DNSSEC keys for the selected DNS zone are successfully disabled. The associated DNSSEC key records for the DNS zone is removed.

Request

curl --location --request DELETE 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'

Response

202 Accepted

HTTP/1.1 202 Accepted
PreviousCreate a Secondary DNS ZoneNextTutorials

Last updated

Revision created

Minor update from the comments