# Manage DNSSEC Signing Keys

{% hint style="info" %}
**Prerequisite:** To sign a zone, you need to first [Create a DNS Zone](https://docs.ionos.com/cloud/~/revisions/bM7yG7XCmGE9IxWqMpBu/managed-services/cloud-dns/api-how-tos/create-dns-zone).
{% endhint %}

## Enable DNSSEC keys for a DNS zone

To enable DNSSEC keys for a DNS zone at IONOS Cloud DNS, follow these steps:

1\. Perform a POST request to the `/zones/{zoneId}/keys` endpoint.

2\. Replace `{zoneId}` with the UUID of the DNS zone where you want to enable DNSSEC keys.

3\. In the request body, provide the key parameters used to sign the zone. These parameters include the signing algorithm, the key lengths for both Key Signing Keys (KSK) and Zone Signing Keys (ZSK), the NSEC mode (NSEC or NSEC3), and other relevant settings.

{% hint style="success" %}
**Result:** The DNSSEC keys for a DNS zone are successfully enabled.
{% endhint %}

### Request

```bash
curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO' \
--data '{
  "properties": {
    "keyParameters": {
      "algorithm": "RSASHA256",
      "kskBits": 4096,
      "zskBits": 2048
    },
    "nsecParameters": {
      "nsecMode": "NSEC3",
      "nsec3Iterations": 21,
      "nsec3SaltBits": 128
    },
    "validity": 14
  }
}'
```

### Response

**202 Accepted**

```bash
HTTP/1.1 202 Accepted
```

## Retrieve DNSSEC keys for a DNS zone

To retrieve DNSSEC keys for a specific DNS zone at Cloud DNS, follow these steps:

1\. Perform a GET request to the `/zones/{zoneId}/keys` endpoint.

2\. Replace `{zoneId}` with the UUID of the DNS zone you want to retrieve keys for.

{% hint style="success" %}
**Result:** The API response contains a list of DNSSEC keys associated with the specified DNS zone.
{% endhint %}

### Request

```bash
curl --location 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'
```

### Response

**200 OK**

```bash
HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "id": "98277a78-a6a2-4672-ac9a-a68ca0a8d67a",
  "type": "dnsseckeys",
  "href": "<RESOURCE-URI>",
  "metadata": {
    "zoneId": "a363f30c-4c0c-4552-9a07-298d87f219bf",
    "items": [
      {
        "keyTag": 49057,
        "signAlgorithmMnemonic": "RSASHA256",
        "signAlgorithmNumber": 8,
        "digestAlgorithmMnemonic": "SHA-1",
        "digestAlgorithmNumber": 1,
        "digest": "CF58B511B2D8EF99263704A112703586E542E4FA",
        "keyData": {
          "flags": 257,
          "protocol": 3,
          "alg": 8,
          "pubKey": "AwEAAY6wMNhHk...RIrbLc="
        }
      }
      // ... other keys
    ]
  }
}
```

### Response Fields

| Field                       | Type    | Description                                | Example                                  |
| --------------------------- | ------- | ------------------------------------------ | ---------------------------------------- |
| **id**                      | string  | UUID of the DNSSEC key                     | 98277a78-a6a2-4672-ac9a-a68ca0a8d67a     |
| **type**                    | string  | Type of the resource                       | dnsseckeys                               |
| **href**                    | string  | URL of the resource                        |                                          |
| **metadata**                | object  | Metadata of the DNSSEC key                 |                                          |
| **zoneId**                  | string  | UUID of the DNS zone                       | a363f30c-4c0c-4552-9a07-298d87f219bf     |
| **items**                   | array   | List of DNSSEC keys                        |                                          |
| **keyTag**                  | integer | Key tag of the DNSSEC key                  | 49057                                    |
| **signAlgorithmMnemonic**   | string  | Signing algorithm of the DNSSEC key        | RSASHA256                                |
| **signAlgorithmNumber**     | integer | Signing algorithm number of the DNSSEC key | 8                                        |
| **digestAlgorithmMnemonic** | string  | Digest algorithm of the DNSSEC key         | SHA-1                                    |
| **digestAlgorithmNumber**   | integer | Digest algorithm number of the DNSSEC key  | 1                                        |
| **digest**                  | string  | Digest of the DNSSEC key                   | CF58B511B2D8EF99263704A112703586E542E4FA |
| **keyData**                 | object  | Key data of the DNSSEC key                 |                                          |
| **flags**                   | integer | Flags of the DNSSEC key                    | 257                                      |
| **protocol**                | integer | Protocol of the DNSSEC key                 | 3                                        |
| **alg**                     | integer | Algorithm of the DNSSEC key                | 8                                        |
| **pubKey**                  | string  | Public key of the DNSSEC key               | AwEAAY6wMNhHk...RIrbLc=                  |
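
Before a DS record goes to the parent zone or registrar, the `keyTag` and `digest` fields can be recomputed from `keyData` as defined in RFC 4034. The following is an added example, not IONOS code: it assumes `digest` is the hex DS digest over the owner name and DNSKEY RDATA, takes the zone name from the caller because the response carries only `zoneId`, and uses a constructed zone name (`example.com`) and a constructed placeholder key.

```python
import base64, hashlib, struct

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}  # IANA DS digest type numbers

def dnskey_rdata(kd):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    head = struct.pack("!HBB", kd["flags"], kd["protocol"], kd["alg"])
    return head + base64.b64decode(kd["pubKey"])

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not defined this way for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(zone):
    """Canonical (lower-case) wire form of the zone's owner name."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(zone, rdata, digest_type):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    return hashlib.new(DIGESTS[digest_type], owner_wire(zone) + rdata).hexdigest().upper()

def check_item(zone, item):
    """Return the names of fields that do not match the item's own keyData."""
    rdata = dnskey_rdata(item["keyData"])
    bad = []
    if key_tag(rdata) != item["keyTag"]:
        bad.append("keyTag")
    if ds_digest(zone, rdata, item["digestAlgorithmNumber"]) != item["digest"].upper():
        bad.append("digest")
    if item["keyData"]["alg"] != item["signAlgorithmNumber"]:
        bad.append("signAlgorithmNumber")
    return bad

def ds_record(zone, item):
    """DS record text for the parent zone, built from verified fields."""
    return "{}. IN DS {} {} {} {}".format(
        zone.rstrip("."), item["keyTag"], item["signAlgorithmNumber"],
        item["digestAlgorithmNumber"], item["digest"].upper())

# Constructed sample: a 4-byte placeholder instead of a real RSA public key.
kd = {"flags": 257, "protocol": 3, "alg": 8, "pubKey": "AQIDBA=="}
rd = dnskey_rdata(kd)
sample = {"keyTag": key_tag(rd), "signAlgorithmNumber": 8, "digestAlgorithmNumber": 1,
          "digest": ds_digest("example.com", rd, 1), "keyData": kd}
print(check_item("example.com", sample), ds_record("example.com", sample))
```

An empty list from `check_item` means the item is internally consistent; any field it names should be resolved before the DS record is published.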

## Disable DNSSEC keys for a DNS zone

To disable and delete DNSSEC keys for a DNS zone at Cloud DNS, follow these steps:

1\. Perform a DELETE request to the `/zones/{zoneId}/keys` endpoint.

2\. Replace `{zoneId}` with the UUID of the DNS zone from which you want to remove DNSSEC keys.

{% hint style="success" %}
**Result:** The DNSSEC keys for the selected DNS zone are successfully disabled. The associated DNSSEC key records for the DNS zone are removed.
{% endhint %}

### Request

```bash
curl --location --request DELETE 'https://dns.de-fra.ionos.com/zones/7ae956dc-1903-4a33-a797-fdb5a040974d/keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiO'
```

### Response

**202 Accepted**

```bash
HTTP/1.1 202 Accepted
```

