DNSSEC API

This article describes a feature in Public Beta.

During the beta period, changes to the individual endpoints may occur at any time. Consider using our official clients to reduce the likelihood of breaking changes. If you are using or planning to use this endpoint we'd like to hear your feedback.

Table of Contents

Enable DNSSEC

POST /:account/domains/:domain/dnssec

Enable DNSSEC for the domain in the account. This will start signing the zone. When the signed zone is served by all name servers, it will add the DS record to the corresponding registry if the domain is registered via DNSimple. For hosted domains, you will need to add the DS record at the domain’s registrar manually.

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id

Example

Enable DNSSEC for the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      -X POST \
      https://api.dnsimple.com/v2/1010/domains/example.com/dnssec

Response

Responds with HTTP 201.

{
  "data": {
    "enabled": true,
    "created_at": "2017-03-03T13:49:58Z",
    "updated_at": "2017-03-03T13:49:58Z"
  }
}

Errors

Responds with HTTP 400 if DNSSEC cannot be enabled for the domain.

Responds with HTTP 401 in case of case of authentication issues.

Disable DNSSEC

DELETE /:account/domains/:domain/dnssec

Disable DNSSEC for the domain in the account. If the domain is registered, it will remove the DS record from the corresponding registry. If your domain is hosted, you should remove the DS record from the domain’s registrar before using this endpoint. Failure to remove the DS record within 48 hours of disabling DNSSEC will result in DNSSEC validation failures and will stop your domain from resolving with all DNSSEC-aware resolvers.

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id

Example

Disable DNSSEC for the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      -X DELETE \
      https://api.dnsimple.com/v2/1010/domains/example.com/dnssec

Response

Responds with HTTP 204 (No content). Or HTTP 428 if DNSSEC is not currently enabled.

Errors

Responds with HTTP 400 if DNSSEC cannot be disabled for the domain.

Responds with HTTP 401 in case of case of authentication issues.

Retrieve DNSSEC status

GET /:account/domains/:domain/dnssec

Get the status of DNSSEC, indicating whether it is currently enabled or disabled.

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id

Example

Get the DNSSEC status for the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      https://api.dnsimple.com/v2/1010/domains/example.com/dnssec

Response

Responds with HTTP 200.

{
  "data": {
    "enabled": true,
    "created_at": "2017-02-03T17:43:22Z",
    "updated_at": "2017-02-03T17:43:22Z"
  }
}

Errors

Responds with HTTP 401 in case of case of authentication issues.

List delegation signer records

GET /:account/domains/:domain/ds_records

List delegation signer records for the domain in the account.

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id

Sorting

For general information about sorting, please refer to the main guide.

Name Description
id Sort delegation signer records by ID
created_at Sort delegation signer records by creation date

The default sorting policy is by ascending id.

Example

List all delegation signer records for the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      https://api.dnsimple.com/v2/1010/domains/example.com/ds_records

Response

Responds with HTTP 200.

{
  "data": [
    {
      "id": 24,
      "domain_id": 1010,
      "algorithm": "8",
      "digest": "C1F6E04A5A61FBF65BF9DC8294C363CF11C89E802D926BDAB79C55D27BEFA94F",
      "digest_type": "2",
      "keytag": "44620",
      "public_key": null,
      "created_at": "2017-03-03T13:49:58Z",
      "updated_at": "2017-03-03T13:49:58Z"
    }
  ],
  "pagination": {
    "current_page": 1,
    "per_page": 30,
    "total_entries": 1,
    "total_pages": 1
  }
}

Errors

Responds with HTTP 401 in case of case of authentication issues.

Create a delegation signer record

You only need to create a delegation signer record manually if your domain is registered with DNSimple but hosted with another DNS provider that is signing your zone. To enable DNSSEC on a domain that is hosted with DNSimple, use the DNSSEC enable endpoint.

POST /:account/domains/:domain/ds_records

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id

Example

Create a delegation signer record under the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -X POST \
      -d '<json>' \
      https://api.dnsimple.com/v2/1010/domains/example.com/ds_records

Input

Name Type Description
algorithm string Required DNSSEC algorithms defined in http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml - pass the Number value as a string (i.e. “8”).
digest string Required if TLD requires DS data The hexidecimal representation of the digest of the corresponding DNSKEY record.
digest_type string Required if TLD requires DS data DNSSEC digest types defined in http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml - pass the Number value as string (i.e. “2”).
keytag string Required if TLD requires DS data A keytag that references the corresponding DNSKEY record.
public_key string Required if TLD requires KEY data A public key that references the corresponding DNSKEY record.

For additional information, please see https://tools.ietf.org/html/rfc4034.

Example
{
  "algorithm": "13",
  "digest": "684a1f049d7d082b7f98691657da5a65764913df7f065f6f8c36edf62d66ca03",
  "digest_type": "2",
  "keytag": "2371"
}

Response

Responds with HTTP 201 on success, renders the delegation signer record.

{
  "data": {
    "id": 2,
    "domain_id": 1010,
    "algorithm": "13",
    "digest": "684a1f049d7d082b7f98691657da5a65764913df7f065f6f8c36edf62d66ca03",
    "digest_type": "2",
    "keytag": "2371",
    "public_key": null,
    "created_at": "2017-03-03T15:24:00Z",
    "updated_at": "2017-03-03T15:24:00Z"
  }
}

Errors

Responds with HTTP 400 if the delegation signer record cannot be created.

Responds with HTTP 401 in case of case of authentication issues.

Retrieve a delegation signer record

GET /:account/domains/:domain/ds_records/:ds_record_id

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id
:ds_record_id integer The delegation signer record id

Example

Get the delegation signer record 1 under the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      https://api.dnsimple.com/v2/1010/domains/example.com/ds_records/1

Response

Responds with HTTP 200 on success, renders the delegation signer record.

{
  "data": {
    "id": 24,
    "domain_id": 1010,
    "algorithm": "8",
    "digest": "C1F6E04A5A61FBF65BF9DC8294C363CF11C89E802D926BDAB79C55D27BEFA94F",
    "digest_type": "2",
    "keytag": "44620",
    "public_key": null,
    "created_at": "2017-03-03T13:49:58Z",
    "updated_at": "2017-03-03T13:49:58Z"
  }
}

Errors

Responds with HTTP 401 in case of case of authentication issues.

Delete a Delegation Signer record

DELETE /:account/domains/:domain/ds_records/:ds_record_id

Parameters

Name Type Description
:account integer The account id
:domain string, integer The domain name or id
:ds_record_id integer The delegation signer record id

Example

Get the delegation signer record 1 under the domain example.com in the account 1010:

curl  -H 'Authorization: Bearer <token>' \
      -H 'Accept: application/json' \
      https://api.dnsimple.com/v2/1010/domains/example.com/ds_records/1

Response

Responds with HTTP 204 on success.

Errors

Responds with HTTP 400 if the delegation signer record cannot be deleted.

Responds with HTTP 401 in case of case of authentication issues.