DNSSEC states

This page describes different DNSSEC states and how they relate to the responses you get from the DNSSEC details API endpoint.

| State | API response | Description |
| --- | --- | --- |
| Pending | `"status":"pending"`, `"modified_on":<TIME_STAMP>` | DNSSEC has been enabled but the Cloudflare DS record has not been added at the registrar. |
| Active | `"status":"active"`, `"modified_on":<TIME_STAMP>` | DNSSEC has been enabled and the Cloudflare DS record is present at the registrar. |
| Pending-disabled | `"status":"pending-disabled"`, `"modified_on":<TIME_STAMP>` | DNSSEC has been disabled but the Cloudflare DS record is still present at the registrar. |
| Disabled | `"status":"disabled"`, `"modified_on":<TIME_STAMP>` | DNSSEC has been disabled and the Cloudflare DS record has been removed from the registrar. |
| Deleted | `"status":"disabled"`, `"modified_on": null` | DNSSEC has never been enabled for the zone, or DNSSEC has been disabled and then deleted using the Delete DNSSEC records endpoint. |

In both pending and active states, Cloudflare signs the zone and responds with RRSIG, NSEC, DNSKEY, CDS, and CDNSKEY record types.

In pending-disabled and disabled states, Cloudflare still signs the zone and serves RRSIG, NSEC, and DNSKEY record types, but the CDS and CDNSKEY records are set to zero (RFC 8078), signaling to the registrar that DNSSEC should be disabled.

In deleted state, Cloudflare does not sign the zone and does not respond with RRSIG, NSEC, DNSKEY, CDS, and CDNSKEY record types.
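The following added example (not Cloudflare code) turns the table and the three rules above into a consistency check: it derives the state from the `status` and `modified_on` fields, then compares it with the record types actually seen in the zone's answers. The `observed` input shape, the function names, and all sample values are assumptions made for illustration.

```python
# Added example: field names "status"/"modified_on" come from the page;
# the `observed` input shape and all sample values are constructed.
SIGNING = {"RRSIG", "NSEC", "DNSKEY"}
SIGNALLING = {"CDS", "CDNSKEY"}
STATUSES = {"pending", "active", "pending-disabled", "disabled"}
# Zeroed rdata per RFC 8078; the last field's rendering varies by tool.
ZEROED = {"CDS": (["0", "0", "0"], {"0", "00"}),
          "CDNSKEY": (["0", "3", "0"], {"0", "AA=="})}

def classify(details):
    """Map the DNSSEC details fields to one of the five states on this page."""
    status = details.get("status")
    if status not in STATUSES:
        raise ValueError(f"unexpected status: {status!r}")
    # Disabled and Deleted share "status":"disabled"; only modified_on differs.
    if status == "disabled" and details.get("modified_on") is None:
        return "deleted"
    return status

def is_zeroed(rtype, rdata):
    """True if a CDS/CDNSKEY rdata string is the RFC 8078 'disable' form."""
    head, tails = ZEROED[rtype]
    fields = rdata.split()
    return len(fields) == 4 and fields[:3] == head and fields[3] in tails

def audit(details, observed):
    """Return (state, findings); an empty findings list means consistent."""
    # observed: {rtype: [rdata, ...]} gathered from the zone's answers.
    state = classify(details)
    present = {t for t, rrs in observed.items() if rrs}
    dnssec_types = SIGNING | SIGNALLING
    if state == "deleted":
        return state, [f"unsigned zone serves {t}" for t in sorted(present & dnssec_types)]
    findings = [f"{state}: missing {t}" for t in sorted(dnssec_types - present)]
    want_zeroed = state in ("pending-disabled", "disabled")
    for rtype in sorted(SIGNALLING & present):
        for rdata in observed[rtype]:
            if is_zeroed(rtype, rdata) != want_zeroed:
                expected = "zeroed" if want_zeroed else "a real key/digest"
                findings.append(f"{state}: {rtype} should be {expected}")
    return state, findings

# Constructed sample: API reports "active" but the zone serves zeroed CDS/CDNSKEY.
SAMPLE_DETAILS = {"status": "active", "modified_on": "2024-01-01T00:00:00Z"}
SAMPLE_OBSERVED = {"RRSIG": ["x"], "NSEC": ["x"], "DNSKEY": ["x"],
                   "CDS": ["0 0 0 00"], "CDNSKEY": ["0 3 0 AA=="]}
```

Calling `audit(SAMPLE_DETAILS, SAMPLE_OBSERVED)` reports both signalling records as inconsistent with the `active` state, the kind of mismatch worth resolving before changing the DS record at the registrar.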

Refer to How DNSSEC works to learn more about the authentication process and records involved.