How to activate DNSSEC

Domain Name System Security Extensions (DNSSEC) add a layer of security that lets resolvers verify the authenticity and integrity of DNS responses, such as the IP address returned for a domain. Azion supports DNSSEC as long as your top-level domain (TLD) registry supports it and your zone is configured with DNSSEC-related resource records on Edge DNS.


Activate DNSSEC via API

DNSSEC activation is available via the Azion API:

  1. Run the following GET request in your terminal, replacing [TOKEN VALUE] with your personal token to retrieve your <zoneId>:
     curl --request GET \
       --url https://api.azion.com/v4/dns/zones \
       --header 'Accept: application/json' \
       --header 'Authorization: [TOKEN VALUE]'
  2. You’ll receive a response similar to this:
     {
       "count": 1,
       "links": {
         "previous": null,
         "next": null
       },
       "total_pages": 1,
       "results": [
         {
           "domain": "youdomain.com",
           "is_active": true,
           "name": "A hosted zone",
           "id": 1234
         }
       ],
       "schema_version": 3
     }
  3. Copy the <id> value of the specific zone in which you want to activate DNSSEC. In this example, it’s 1234.
  4. Run the following PATCH request in your terminal, replacing [TOKEN VALUE] with your personal token and <zoneId> with the value you copied:
     curl --request PATCH \
       --url https://api.azion.com/v4/dns/zones/<zoneId>/dnssec \
       --header 'Accept: application/json' \
       --header 'Authorization: [TOKEN VALUE]' \
       --header 'Content-Type: application/json' \
       --data '{
         "enabled": true
       }'
  5. You’ll receive a response similar to this:
     {
       "results": {
         "is_enabled": true,
         "status": "waiting"
       },
       "schema_version": 3
     }
  6. Run the following GET request to retrieve the digest and key_tag, replacing [TOKEN VALUE] with your personal token and <zoneId> with your zone ID. You’ll need these values to configure DNSSEC at your domain registrar.
     curl --request GET \
       --url https://api.azion.com/v4/dns/zones/<zoneId>/dnssec \
       --header 'Accept: application/json' \
       --header 'Authorization: [TOKEN VALUE]'
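
The digest and key_tag from the last step go into the DS record at the registrar, and a DS that does not match the zone's DNSKEY makes the domain fail DNSSEC validation. As an added example (not Azion's code), this Python check recomputes both values from a DNSKEY as defined in RFC 4034 before you submit them; it assumes the digest is SHA-256 (DS digest type 2), and the owner name and key are constructed samples.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the owner name wire form plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner, dnskey, api_key_tag, api_digest):
    """True only if both values copied from the API describe this DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = "".join(api_digest.split()).upper()  # tolerate spaces and lowercase
    return key_tag(rdata) == int(api_key_tag) and ds_digest_sha256(owner, rdata) == digest

# Constructed sample: a KSK-style DNSKEY (flags 257, protocol 3, algorithm 13)
# with a made-up 64-byte public key. Not a real key and not from any real zone.
SAMPLE_OWNER = "yourdomain.example."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_DNSKEY)
    tag, digest = key_tag(rdata), ds_digest_sha256(SAMPLE_OWNER, rdata)
    print("key_tag:", tag, "digest:", digest)
    print("match:", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, tag, digest))
    print("wrong digest:", ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY, tag, "0" * 64))
```

In practice, replace the sample tuple with the DNSKEY fields your zone actually serves and pass the key_tag and digest exactly as returned by the API.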