How to activate DNSSEC

Domain Name System Security Extensions (DNSSEC) provide an extra layer of security to verify the authenticity and integrity of an IP address response. Azion provides DNSSEC compatibility as long as your top-level domain (TLD) registry supports it and your zone is configured with DNSSEC-related resource records on Edge DNS.


Prerequisites

Before activating DNSSEC, you need an Azion Personal Token to authenticate API calls.

To create a Personal Token:

  1. Access Azion Console.
  2. In the right sidebar menu, click Personal Tokens.
  3. Click the Add Personal Token button.
  4. Set the token name, expiration time, and optionally a description.
  5. Click Create Token.
  6. Copy and save the generated token value — you’ll need it in the next steps.

Activate DNSSEC via API

DNSSEC activation is available via Azion API:

  1. Run the following GET request in your terminal, replacing [TOKEN VALUE] with your personal token to retrieve your {zone_id}:
Terminal window
curl --request GET \
--url 'https://api.azion.com/v4/workspace/dns/zones?page_size=100' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer [TOKEN VALUE]'
  1. You’ll receive a response similar to this:
{
"count": 1,
"total_pages": 1,
"page": 1,
"page_size": 100,
"next": null,
"previous": null,
"results": [
{
"domain": "yourdomain.com",
"is_active": true,
"name": "A hosted zone",
"id": 1234
}
]
}
  1. Copy the id value of the specific zone in which you want to activate DNSSEC. In this example, it’s 1234.
  2. Run the following PATCH request to activate DNSSEC on the zone and trigger cryptographic key generation. Replace [TOKEN VALUE] with your personal token and {zone_id} with the ID collected in the previous step:
Terminal window
curl --request PATCH \
--url https://api.azion.com/v4/workspace/dns/zones/{zone_id}/dnssec \
--header 'Accept: application/json' \
--header 'Authorization: Bearer [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
"enabled": true
}'
  1. You’ll receive a response similar to this:
{
"data": {
"enabled": true,
"status": "unconfigured",
"delegation_signer": null
}
}
  1. Run the following GET request to retrieve the generated digest and key_tag values. Replace [TOKEN VALUE] with your personal token and {zone_id}. You’ll need these values to configure DNSSEC at your domain Registrar.
Terminal window
curl --request GET \
--url https://api.azion.com/v4/workspace/dns/zones/{zone_id}/dnssec \
--header 'Accept: application/json' \
--header 'Authorization: Bearer [TOKEN VALUE]'
  1. You’ll receive a response similar to this:
{
"data": {
"enabled": true,
"status": "unconfigured",
"delegation_signer": {
"algorithm_type": {
"id": 1,
"slug": "string"
},
"digest": "string",
"digest_type": {
"id": 1,
"slug": "string"
},
"key_tag": 1
}
}
}

Configure DNSSEC at your domain Registrar

After retrieving the digest and key_tag values via API, you must register them at your domain Registrar to establish the chain of trust.

The example below uses Registro.br as a reference, but the process is similar for other registrars.

  1. Access your domain Registrar and log in with your domain administration credentials.
  2. In the domain list, click the domain for which you want to activate DNSSEC.
  3. Expand the Change DNS Servers section.
  4. Click +DNSSEC and enter the key_tag and digest values obtained in the previous step.
  5. Click Save Changes to apply the settings.

Validate DNSSEC activation

After configuring DNSSEC at your registrar, validate the activation using the methods below.

Using the dig command

Run the following command, replacing <domain> with the activated domain:

Terminal window
dig <domain> +dnssec

In the response, verify the presence of the RRSIG entry. Its absence indicates that DNSSEC is not yet active or that propagation hasn’t completed.

To validate the resolution of a specific record within the zone:

Terminal window
dig <record>.<domain> +dnssec

The response should include both the record value and the corresponding RRSIG entry.

Using an online tool

Access https://dnssec-analyzer.verisignlabs.com/ and enter the activated domain. All validations must return successfully to confirm that the chain of trust is correctly established.


Rollback

If you need to undo DNSSEC activation, follow the steps below in the indicated order.

1. Remove DNSSEC information from your domain Registrar

  1. Access your domain Registrar (for example, registro.br).
  2. Navigate to the domain and expand the Change DNS Servers section.
  3. Remove the DNSSEC information.
  4. Click Save Changes to apply the settings.

2. Disable DNSSEC via API

After removing the information from the registrar, disable DNSSEC on Azion:

Terminal window
curl --request PATCH \
--url https://api.azion.com/v4/workspace/dns/zones/{zone_id}/dnssec \
--header 'Accept: application/json' \
--header 'Authorization: Bearer [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
"enabled": false
}'