> ## Documentation Index
> Fetch the complete documentation index at: https://apidocs.atom.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable DNSSEC

> Enable DNSSEC for a domain.

## Nameserver behavior

| Nameserver type | Key fields (`flags`, `algorithm`, `protocol`, `public_key`) |
|---|---|
| **Atom / Parking nameservers** | **Ignored.** DNSSEC is fully auto-managed: Atom generates and rotates keys automatically. You do not need to supply any key fields — if you do, they are silently discarded. |
| **Custom nameservers** | **Required.** All four fields must be provided. The supplied key is pushed directly to the upstream registrar. |

> **Note:** If your domain uses Atom or Parking nameservers (e.g. `ns1.atom.com`, `ns1.squadhelp.com`, `ns1.atomregistrar.com`), the algorithm, protocol, flags, and public key in the request body have **no effect**. DNSSEC is automatically applied and managed by Atom.



## OpenAPI

````yaml POST /registrar/v1/domains/{domain_name}/dnssec/enable
openapi: 3.0.0
info:
  title: Atom Registrar API
  version: 1.0.0
  description: >-
    REST API for domain registration, DNS management, and domain operations.
    Authentication via Bearer token in Authorization header.
servers:
  - url: https://www.atom.com/api
    description: Production server
  - url: https://dev.atom.com/api
    description: Development server
security:
  - BearerAuth: []
paths:
  /registrar/v1/domains/{domain_name}/dnssec/enable:
    post:
      tags:
        - DNS Management
      summary: Enable DNSSEC
      description: >-
        Enable DNSSEC for a domain.


        ## Nameserver behavior


        | Nameserver type | Key fields (`flags`, `algorithm`, `protocol`,
        `public_key`) |

        |---|---|

        | **Atom / Parking nameservers** | **Ignored.** DNSSEC is fully
        auto-managed: Atom generates and rotates keys automatically. You do not
        need to supply any key fields — if you do, they are silently discarded.
        |

        | **Custom nameservers** | **Required.** All four fields must be
        provided. The supplied key is pushed directly to the upstream registrar.
        |


        > **Note:** If your domain uses Atom or Parking nameservers (e.g.
        `ns1.atom.com`, `ns1.squadhelp.com`, `ns1.atomregistrar.com`), the
        algorithm, protocol, flags, and public key in the request body have **no
        effect**. DNSSEC is automatically applied and managed by Atom.
      operationId: enableDnssec
      parameters:
        - name: domain_name
          in: path
          required: true
          description: Domain name (e.g. `example.com`)
          schema:
            type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EnableDnssecRequest'
      responses:
        '200':
          description: DNSSEC enabled successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnableDnssecResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/UnauthorizedError'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - BearerAuth: []
components:
  schemas:
    EnableDnssecRequest:
      type: object
      description: >-
        DNSSEC key fields for enabling DNSSEC.


        **Atom / Parking nameservers:** All fields are optional and will be
        ignored — DNSSEC is auto-managed.


        **Custom nameservers:** `flags`, `algorithm`, `protocol`, and
        `public_key` are required. `digest_type` is optional (defaults to `2` /
        SHA-256).
      properties:
        flags:
          type: integer
          description: >-
            DNSKEY flags. `256` = ZSK (Zone Signing Key), `257` = KSK (Key
            Signing Key). **Ignored for Atom/Parking nameservers.**
          enum:
            - 256
            - 257
          example: 256
        algorithm:
          type: integer
          description: |-
            DNSKEY algorithm number. **Ignored for Atom/Parking nameservers.**

            | Value | Algorithm |
            |---|---|
            | `3` | DSA/SHA-1 |
            | `5` | RSA/SHA-1 |
            | `6` | DSA-NSEC3-SHA1 |
            | `7` | RSASHA1-NSEC3-SHA1 |
            | `8` | RSA/SHA-256 |
            | `10` | RSA/SHA-512 |
            | `12` | GOST R 34.10-2001 |
            | `13` | ECDSA P-256/SHA-256 |
            | `14` | ECDSA P-384/SHA-384 |
            | `15` | Ed25519 |
            | `16` | Ed448 |
            | `17` | SM2/SM3 |
            | `23` | GOST R 34.10-2012 |
          enum:
            - 3
            - 5
            - 6
            - 7
            - 8
            - 10
            - 12
            - 13
            - 14
            - 15
            - 16
            - 17
            - 23
          example: 13
        protocol:
          type: integer
          description: >-
            DNSKEY protocol. Must be `3` (the only valid value per RFC 4034).
            **Ignored for Atom/Parking nameservers.**
          enum:
            - 3
          example: 3
        public_key:
          type: string
          description: >-
            Base64-encoded public key material from your DNS provider. **Ignored
            for Atom/Parking nameservers.**
          example: AwEAAaz/tAm8yeTHkmTpF84YtQQKDE2S...
        digest_type:
          type: integer
          description: >-
            Digest algorithm used to compute the DS record returned in the
            response. Defaults to `2` (SHA-256). **Ignored for Atom/Parking
            nameservers.**


            | Value | Algorithm | Notes |

            |---|---|---|

            | `1` | SHA-1 | Legacy; avoid for new deployments |

            | `2` | SHA-256 | **Recommended** (default) |

            | `3` | GOST R 34.11-94 | Requires server-side GOST engine |

            | `4` | SHA-384 | High-security deployments |
          enum:
            - 1
            - 2
            - 3
            - 4
          default: 2
          example: 2
    EnableDnssecResponse:
      type: object
      properties:
        success:
          type: boolean
          example: true
        message:
          type: string
          example: DNSSEC enabled successfully
        data:
          type: object
          properties:
            domain_name:
              type: string
              example: example.com
            dnssec_enabled:
              type: boolean
              example: true
            auto_managed:
              type: boolean
              description: >-
                `true` when Atom/Parking nameservers are in use and DNSSEC is
                auto-managed. `false` when custom nameservers are used and
                caller-supplied keys were applied.
              example: true
            key_data:
              type: array
              description: >-
                Active DNSKEY records. Populated for Atom/Parking NS; echoes
                supplied key for custom NS.
              items:
                type: object
                properties:
                  flags:
                    type: integer
                    example: 256
                  algorithm:
                    type: integer
                    example: 13
                  protocol:
                    type: integer
                    example: 3
                  publicKey:
                    type: string
                    example: AwEAAaz/tAm8yeTHkmTp...
            ds_record:
              type: object
              nullable: true
              description: >-
                DS record computed from the supplied DNSKEY using the requested
                `digest_type`. `null` for Atom/Parking nameservers
                (auto-managed) or if DS generation fails.
              properties:
                keyTag:
                  type: integer
                  description: Key tag (RFC 4034 Appendix B).
                  example: 40741
                algorithm:
                  type: integer
                  description: >-
                    DNSKEY algorithm number (matches the `algorithm` supplied in
                    the request).
                  example: 13
                digestType:
                  type: integer
                  description: >-
                    Digest type used (matches the `digest_type` supplied in the
                    request, or `2` if omitted).
                  example: 2
                digest:
                  type: string
                  description: Uppercase hex digest string.
                  example: >-
                    49FD46E6C4B45C55D4AC69CBD3CD34AC1AFC42F7E79AC26D0986B31EF3AD27A7
    ErrorResponse:
      type: object
      properties:
        success:
          type: boolean
          example: false
        error:
          type: string
          example: Bad Request
        message:
          type: string
          example: Invalid input provided
  responses:
    BadRequest:
      description: Bad request - invalid parameters
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    UnauthorizedError:
      description: Authentication failed - invalid or revoked API token
      content:
        application/json:
          schema:
            type: object
            properties:
              success:
                type: boolean
                example: false
              error:
                type: string
                example: Unauthorized
              message:
                type: string
                example: >-
                  Invalid registrar API token or access has been revoked. Please
                  request registrar API access from your dashboard.
    Forbidden:
      description: Forbidden - operation not allowed for this domain
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: Resource not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >-
        Registrar API Bearer token. Obtain from dashboard at
        /dashboard/seller/api-access after requesting Registrar API access.

````