Set up multi-signer DNSSEC
This page explains how to enable multi-signer DNSSEC with Cloudflare, using model 2 as described in RFC 8901 ↗. In model 2, each provider signs with its own KSK and ZSK, every provider's DNSKEY RRset also carries the ZSKs of the other providers, and the parent holds a DS record for every provider's KSK, so a validating resolver can verify signatures no matter which provider answers.
Note that:
- This process requires that your other DNS provider(s) also support multi-signer DNSSEC.
- Although you can complete a few steps via the dashboard, currently the whole process can only be completed using the API.
- Enabling DNSSEC and Multi-signer DNSSEC in DNS > Settings ↗ only replaces the first step in 1. Set up Cloudflare zone. You still have to follow the rest of this tutorial to complete the setup.
1. Set up Cloudflare zone
If you use Cloudflare as a primary DNS provider, meaning that you manage your DNS records in Cloudflare, do the following.

Via the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- Select Enable DNSSEC and Confirm.
- Also enable Multi-signer DNSSEC and Multi-provider DNS.
- Go to DNS > Records and create the following records at your zone apex (meaning you should use @ in the record Name field):
  - A DNSKEY record with the zone signing key(s) (ZSKs) of your external provider(s).
  - A NS record with your external provider nameservers.

Via the API:
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set status to active and dnssec_multi_signer to true, as in the following example.

```bash
curl --request PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "status": "active",
    "dnssec_multi_signer": true
  }'
```

- Add the ZSK(s) of your external provider(s) to Cloudflare by creating a DNSKEY record on your zone. Flags 256 marks a ZSK (257 would be a KSK, which you must not copy), and algorithm 13 is ECDSAP256SHA256; use the algorithm number your external provider actually signs with.

```bash
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "type": "DNSKEY",
    "name": "<ZONE_NAME>",
    "data": {
      "flags": 256,
      "protocol": 3,
      "algorithm": 13,
      "public_key": "<PUBLIC_KEY>"
    },
    "ttl": 3600
  }'
```

- Add your external provider(s) nameservers as NS records on your zone apex.

```bash
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "type": "NS",
    "name": "<ZONE_NAME>",
    "content": "<NS_DOMAIN>",
    "ttl": 86400
  }'
```

- Enable the usage of the nameservers you added in the previous step by using the API request below.

```bash
curl --request PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "multi_provider": true
  }'
```
If you use Cloudflare as a secondary DNS provider, do the following.

Via the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account and zone.
- Go to DNS > Settings.
- For DNSSEC with Secondary DNS select Live signing.
- Also enable Multi-signer DNSSEC.
- Add the zone signing key(s) (ZSKs) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
- Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.

Via the API:
- Use the Edit DNSSEC Status endpoint to enable DNSSEC and activate multi-signer DNSSEC for your zone. Set status to active and dnssec_multi_signer to true, as in the following example.

```bash
curl --request PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "status": "active",
    "dnssec_multi_signer": true
  }'
```

- Add the ZSK(s) of your external provider(s) to a DNSKEY record at your primary DNS provider. This record should be transferred successfully to Cloudflare.
- Add your external provider(s) nameservers as NS records on your zone apex at your primary DNS provider. These records should be transferred successfully to Cloudflare.

In both cases, confirm after the next zone transfer that the DNSKEY and NS records are actually served by the Cloudflare nameservers assigned to the zone before continuing.
2. Set up external provider(s)
- Get Cloudflare's ZSK using either the API or a query from one of the assigned Cloudflare nameservers.
API example:

```bash
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec/zsk" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>"
```

Command line query example (256 is the flags value of a ZSK; the record with flags 257 is Cloudflare's KSK and must not be copied to the other providers):

```bash
dig <ZONE_NAME> dnskey @<CLOUDFLARE_NAMESERVER> +noall +answer | grep 256
```

- Add Cloudflare's ZSK that you fetched in the previous step to the DNSKEY record set of your external provider(s).
- Add Cloudflare's nameservers to the NS record set at your external provider(s).

3. Set up registrar
Only change the registrar once every provider serves the complete DNSKEY and NS RRsets. If a resolver fetches a record signed by one provider's ZSK and then fetches the DNSKEY RRset from a provider that has not imported that ZSK, validation fails and the resolver returns SERVFAIL.
- Add DS records to your registrar, one for each provider. You can see your Cloudflare DS record on the dashboard ↗ by going to DNS > Settings > DS Record.
- Update the nameserver settings at your registrar to include the nameservers of all providers you will be using for your multi-signer DNSSEC setup.
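The following is an added consistency check for the finished setup; it is not Cloudflare's code and not an API the page documents. Given the DNSKEY RRset fetched from each provider (for example with the dig query above, saved to a file) and the DS set published at the parent, it verifies the two invariants of RFC 8901 model 2: every provider publishes every provider's ZSK, and the parent has a DS for every provider's KSK. Key tags follow RFC 4034 Appendix B and DS digests are SHA-256 (digest type 2, RFC 4509), so the computed DS can be compared with what the registrar shows. The provider names, the sample dig output and the keys are constructed placeholders (filler bytes, not valid P-256 points).

```python
"""Consistency check for a multi-signer DNSSEC (RFC 8901 model 2) setup.

Added example, not Cloudflare's code. Inputs: the DNSKEY RRset served by each
provider and the DS set published at the parent. Checks that every provider
publishes every provider's ZSK (flags 256) and that the parent DS set covers
every provider's KSK (flags 257). All keys and dig output are constructed.
"""
import base64
import hashlib
from dataclasses import dataclass

ZSK_FLAGS = 256  # zone key bit set, SEP bit clear
KSK_FLAGS = 257  # zone key bit and SEP bit set


@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: str  # base64, exactly as printed in the DNSKEY record

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags | protocol | algorithm | key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, then 0."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(zone: str, key: DnsKey) -> tuple:
    """(key_tag, algorithm, digest_type, digest) for a SHA-256 DS of this key."""
    digest = hashlib.sha256(owner_wire(zone) + key.rdata()).hexdigest().upper()
    return (key_tag(key), key.algorithm, 2, digest)


def parse_dig_dnskey(text: str) -> set:
    """Parse `dig <zone> dnskey @<ns> +noall +answer` output into DnsKey objects.
    Selecting on the flags field is safer than `grep 256`, which also matches a
    TTL, a key tag or base64 text that happens to contain '256'."""
    keys = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            keys.add(DnsKey(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
    return keys


def check_multi_signer(zone: str, provider_keys: dict, parent_ds: set) -> list:
    """provider_keys: {provider_name: set[DnsKey]} as served by that provider.
    parent_ds: set of (key_tag, alg, digest_type, digest) tuples at the parent.
    Returns a list of problems; an empty list means the setup is consistent."""
    problems = []
    all_zsks = {k for keys in provider_keys.values() for k in keys
                if k.flags == ZSK_FLAGS}
    for name, keys in provider_keys.items():
        for k in sorted(all_zsks - keys, key=key_tag):
            problems.append(f"{name}: DNSKEY RRset lacks ZSK tag {key_tag(k)}")
        ksks = [k for k in keys if k.flags == KSK_FLAGS]
        if not ksks:
            problems.append(f"{name}: no KSK (flags 257) published")
        for k in ksks:
            if ds_record(zone, k) not in parent_ds:
                problems.append(f"{name}: parent has no DS for KSK tag {key_tag(k)}")
    return problems


def placeholder_key(flags: int, seed: int) -> DnsKey:
    """Constructed algorithm-13 key: 64 filler bytes, NOT a valid P-256 point."""
    return DnsKey(flags, 3, 13, base64.b64encode(bytes([seed]) * 64).decode())


def demo() -> tuple:
    """Run the check on a complete setup and on a half-finished one."""
    zone = "example.com."
    ksk_cf, zsk_cf = placeholder_key(KSK_FLAGS, 1), placeholder_key(ZSK_FLAGS, 2)
    ksk_ext, zsk_ext = placeholder_key(KSK_FLAGS, 3), placeholder_key(ZSK_FLAGS, 4)
    # Constructed output of `dig example.com dnskey @<external NS> +noall +answer`
    # for an external provider that has not imported Cloudflare's ZSK yet.
    dig_external = (
        f"example.com.\t3600\tIN\tDNSKEY\t257 3 13 {ksk_ext.public_key}\n"
        f"example.com.\t3600\tIN\tDNSKEY\t256 3 13 {zsk_ext.public_key}\n"
    )
    complete_ds = {ds_record(zone, ksk_cf), ds_record(zone, ksk_ext)}
    good = {"cloudflare": {ksk_cf, zsk_cf, zsk_ext},
            "external": {ksk_ext, zsk_ext, zsk_cf}}
    bad = {"cloudflare": {ksk_cf, zsk_cf, zsk_ext},
           "external": parse_dig_dnskey(dig_external)}
    # Half-finished: registrar only has Cloudflare's DS, external lacks zsk_cf.
    return (check_multi_signer(zone, good, complete_ds),
            check_multi_signer(zone, bad, {ds_record(zone, ksk_cf)}))


if __name__ == "__main__":
    for label, problems in zip(("complete", "half-finished"), demo()):
        print(label, "->", problems or "OK")
```

To run it against a real zone, feed `parse_dig_dnskey` the saved output of the dig query for each provider's nameserver and build `parent_ds` from `dig <ZONE_NAME> ds +noall +answer` at the parent; the DS tuples produced by `ds_record` use the same (key tag, algorithm, digest type, digest) layout as the DS record, so any mismatch points at a stale or mistyped DS at the registrar.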