Skip to content

Dnssec

Source: src/Cloudflare/Dns/Dnssec.ts

DNSSEC configuration for a Cloudflare zone (/zones/{zone_id}/dnssec).

DNSSEC is a per-zone singleton — it always exists in either an enabled or disabled state, so this resource never creates or deletes anything physical. Reconcile patches the configuration toward the desired state; destroy restores the state the zone had before Alchemy first managed it (enabled stays enabled, previously-disabled zones are deactivated again).

Activation is eventually consistent: after enabling, Cloudflare reports pending until the ds attribute (the DS record) is submitted at the domain’s registrar. The reconciler polls with bounded retries for the zone to leave the disabled state but does not wait for full active — that depends on the registrar.

Safety: when there is no prior state and DNSSEC is already enabled on the zone, read reports it as Unowned and the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Enabling DNSSEC

Section titled “Enabling DNSSEC”

Sign the zone

const dnssec = yield* Cloudflare.Dnssec("ZoneDnssec", {
  zoneId: zone.zoneId,
});
// Paste `dnssec.ds` at your registrar to complete activation.

Multi-signer DNSSEC

yield* Cloudflare.Dnssec("ZoneDnssec", {
  zoneId: zone.zoneId,
  dnssecMultiSigner: true,
});

Disabling DNSSEC

Section titled “Disabling DNSSEC”
yield* Cloudflare.Dnssec("ZoneDnssec", {
  zoneId: zone.zoneId,
  status: "disabled",
});