DNSSEC states
This page describes different DNSSEC states and how they relate to the responses you get from the DNSSEC details API endpoint.
| State | API response | Description | 
|---|---|---|
| Pending | "status":"pending""modified_on":<TIME_STAMP> | DNSSEC has been enabled but the Cloudflare DS record has not been added at the registrar. | 
| Active | "status":"active""modified_on":<TIME_STAMP> | DNSSEC has been enabled and the Cloudflare DS record is present at the registrar. | 
| Pending-disabled | "status":"pending-disabled""modified_on":<TIME_STAMP> | DNSSEC has been disabled but the Cloudflare DS record is still added at the registrar. | 
| Disabled | "status":"disabled""modified_on":<TIME_STAMP> | DNSSEC has been disabled and the Cloudflare DS record has been removed from the registrar. | 
| Deleted | "status":"disabled""modified_on": null | DNSSEC has never been enabled for the zone or DNSSEC has been disabled and then deleted using the Delete DNSSEC records endpoint. | 
In both pending and active states, Cloudflare signs the zone and responds with RRSIG, NSEC, DNSKEY, CDS, and CDNSKEY record types.
In pending-disabled and disabled states, Cloudflare still signs the zone and serves RRSIG, NSEC, and DNSKEY record types, but the CDS and CDNSKEY records are set to zero (RFC 8078 ↗), signaling to the registrar that DNSSEC should be disabled.
In deleted state, Cloudflare does not sign the zone and does not respond with RRSIG, NSEC, DNSKEY, CDS, and CDNSKEY record types.
Refer to How DNSSEC works ↗ to learn more about the authentication process and records involved.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark