DNSSEC states
This page describes different DNSSEC states and how they relate to the responses you get from the DNSSEC details API endpoint.
State | API response | Description |
---|---|---|
Pending | `"status":"pending"` `"modified_on":<TIME_STAMP>` | DNSSEC has been enabled but the Cloudflare DS record has not been added at the registrar. |
Active | `"status":"active"` `"modified_on":<TIME_STAMP>` | DNSSEC has been enabled and the Cloudflare DS record is present at the registrar. |
Pending-disabled | `"status":"pending-disabled"` `"modified_on":<TIME_STAMP>` | DNSSEC has been disabled but the Cloudflare DS record is still present at the registrar. |
Disabled | `"status":"disabled"` `"modified_on":<TIME_STAMP>` | DNSSEC has been disabled and the Cloudflare DS record has been removed from the registrar. |
Deleted | `"status":"disabled"` `"modified_on": null` | DNSSEC has never been enabled for the zone, or DNSSEC has been disabled and then deleted using the Delete DNSSEC records endpoint. |
In both `pending` and `active` states, Cloudflare signs the zone and responds with `RRSIG`, `NSEC`, `DNSKEY`, `CDS`, and `CDNSKEY` record types.
In `pending-disabled` and `disabled` states, Cloudflare still signs the zone and serves `RRSIG`, `NSEC`, and `DNSKEY` record types, but the `CDS` and `CDNSKEY` records are set to zero (RFC 8078), signaling to the registrar that DNSSEC should be disabled.
In `deleted` state, Cloudflare does not sign the zone and does not respond with `RRSIG`, `NSEC`, `DNSKEY`, `CDS`, and `CDNSKEY` record types.
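The following added example (not Cloudflare code) shows how a monitoring check could map the API fields from the table to a state and compare that state with the records a zone actually serves. The function names and the `observed` mapping (record type to rdata strings, gathered by the caller, for example with `dig`) are assumptions, and the sample records are constructed.

```python
# Added example: field names "status"/"modified_on" come from the table above;
# `observed` (record type -> list of rdata strings) is assumed to be gathered by the caller.
SIGNING_TYPES = {"RRSIG", "NSEC", "DNSKEY", "CDS", "CDNSKEY"}
ALG_FIELD = {"CDS": 1, "CDNSKEY": 2}  # index of the algorithm field in the rdata

def dnssec_state(details):
    """Map the API fields to the state names used in the table."""
    status = details["status"]
    if status == "disabled" and details.get("modified_on") is None:
        return "deleted"  # same status string as Disabled; the null timestamp tells them apart
    if status not in ("pending", "active", "pending-disabled", "disabled"):
        raise ValueError(f"unknown DNSSEC status: {status!r}")
    return status

def is_delete_signal(rtype, rdata):
    """RFC 8078 delete request: a CDS/CDNSKEY record whose algorithm field is 0."""
    fields = rdata.split()
    idx = ALG_FIELD[rtype]
    return len(fields) > idx and fields[idx] == "0"

def check_zone(details, observed):
    """Return (state, findings) comparing observed records with the state's description."""
    state = dnssec_state(details)
    findings = []
    present = SIGNING_TYPES & observed.keys()
    if state == "deleted":
        if present:
            findings.append(f"deleted, but zone still serves {sorted(present)}")
        return state, findings
    missing = SIGNING_TYPES - present
    if missing:
        findings.append(f"{state}, but zone does not serve {sorted(missing)}")
    want_delete = state in ("pending-disabled", "disabled")
    for rtype in ("CDS", "CDNSKEY"):
        for rdata in observed.get(rtype, []):
            if is_delete_signal(rtype, rdata) != want_delete:
                findings.append(f"{state}, but {rtype} is {rdata!r}")
    return state, findings

# Constructed sample data (not real keys, digests or signatures).
SIGNED = {"RRSIG": ["..."], "NSEC": ["..."], "DNSKEY": ["257 3 13 Q09OU1RSVUNURUQ="],
          "CDS": ["12345 13 2 " + "AB" * 32], "CDNSKEY": ["257 3 13 Q09OU1RSVUNURUQ="]}
ZEROED = dict(SIGNED, CDS=["0 0 0 00"], CDNSKEY=["0 3 0 AA=="])

if __name__ == "__main__":
    print(check_zone({"status": "active", "modified_on": "2024-01-01T00:00:00Z"}, SIGNED))
    print(check_zone({"status": "active", "modified_on": "2024-01-01T00:00:00Z"}, ZEROED))
    print(check_zone({"status": "disabled", "modified_on": None}, SIGNED))
```

A finding for an `active` zone that serves zeroed `CDS`/`CDNSKEY` records, or for a `deleted` zone that still serves signing records, means the API state and the zone contents disagree and the zone should be investigated before the registrar acts on the signal.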
Refer to How DNSSEC works to learn more about the authentication process and records involved.