manageDomainDNS — Managing DNS records

The manageDomainDNS method adds, updates, and deletes DNS records for a given site.

If you’re setting nameservers for your customers after provisioning the add-on, you may want to skip the configuration step in the customer dashboard. See Changing the status of DNS for more details.

When the value of state is pending, you cannot call manageDomainDNS since the DNS add-on is being provisioned. To find out the current value of state, call getDomainDNSInfo.

The API endpoint is:

https://api.sitelock.com/v1/partner

Adding DNS records

You can add multiple DNS records in a single call.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to add DNS records
  - action: The add_record action adds the DNS records.
  - record: (Repeatable) A DNS record
    
    type: The type of a DNS record. The value can be one of the following:
    
    A: This record maps a domain or subdomain to an IPv4 address. To add a record of this type for a root domain, pass an empty value to the host element and an IPv4 address to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and an IPv4 address to the respective elements.
    
    AAAA: This record maps a domain or subdomain to an IPv6 address. To add a record of this type for a root domain, pass an empty value to the host element and an IPv6 address to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and an IPv4 address to the respective elements.
    
    ALIAS: This record maps a domain or subdomain to another domain or subdomain. To add a record of this type for a root domain, pass an empty value to the host element and a domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and a domain to the respective elements.
    
    CAA: This record specifies the CA that is allowed to issue certificates for a domain. If no CAA record is present, any CA is allowed to issue a certificate for the domain. To add a record of this type for a root domain, pass an empty value to the host element and the CA domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and the CA domain to the respective fields. A CAA record also requires the flag and tag elements.
    
    CNAME: This record maps a domain or subdomain to another domain or subdomain. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element. A CNAME record should only be used when there are no other records for that name.
    
    MX: This record specifies the mail server responsible for accepting email messages on behalf of a domain name. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element. An MX record also requires the priority element.
    
    NS: This record specifies which nameservers are authoritative for a domain. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element.
    
    TXT: This record allows domain administrators to insert text content into DNS records (for example, to prove domain ownership). To add a record of this type for a root domain, pass an empty value to the host element and the text content to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and the text content to the respective fields.
    
    SRV: This record specifies the domain and port for specific services such as voice over IP (VoIP), instant messaging, and so on. To add a record of this type for a root domain, pass an empty value to the host element and a domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and a domain to the respective fields. A SRV record also requires the port, service, protocol, weight, and priority elements.
    
    host: If the value is a subdomain, then the element will contain the subdomain name. If it’s a domain, leave the value empty.
    
    target: The target IP address, domain, or subdomain. The value depends on the type of DNS record.
    
    TTL: The DNS TTL in seconds. The value can be one of the following:
    
    120: The record is cached for 120 seconds.
    
    300: The record is cached for 300 seconds.
    
    600: The record is cached for 600 seconds.
    
    1800: The record is cached for 1,800 seconds.
    
    3600: The record is cached for 3,600 seconds.
    
    21600: The record is cached for 21,600 seconds.
    
    43200: The record is cached for 43,200 seconds.
    
    86400: The record is cached for 86,400 seconds.
    
    flag: A flags byte implements an extensible signaling system for future use in CAA records. The value can be in the range of 0-255.
    
    tag: The tag portion of a CAA record. The value can be one of the following:
    
    issue: Authorizes a single certificate authority to issue a certificate of any type for the domain.
    
    issuewild: Authorizes a single certificate authority to issue only a wildcard certificate for the domain.
    
    iodef: Specifies the URL to which a certificate authority may report policy violations.
    
    priority: An integer value indicating the priority of the target domain. A smaller value indicates a higher priority. If there’s only one record, the priority isn’t applied.
    
    weight: A relative weight for records with the same priority. A higher value means more preferred. The value can be in the range of 0-65535.
    
    port: The TCP or UDP port on which the service listens. The value can be in the range of 0-65535.
    
    service: The symbolic name of the service in a SRV record
    
    protocol: The transport protocol of the service in a SRV record. This is usually either TCP or UDP.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>add_record</action>
        <record>
            <type>A</type>
            <host></host>
            <target>192.158.1.38</target>
            <ttl>120</ttl>
        </record>
        <record>
            <type>AAAA</type>
            <host>docs</host>
            <target>2001:db8:3333:4444:5555:6666:7777:8888</target>
            <ttl>300</ttl>
        </record>
        <record>
            <type>ALIAS</type>
            <host></host>
            <target>ottawa.example.com</target>
            <ttl>600</ttl>
           </record>
        <record>
            <type>CAA</type>
            <host></host>
            <target>example.com</target>
            <ttl>1800</ttl>
            <flag>1</flag>
            <tag>issue</tag>
        </record>
        <record>
            <type>CNAME</type>
            <host>www</host>
            <target>example.com</target>
            <ttl>3600</ttl>
        </record>
        <record>
            <type>MX</type>
            <host>mail</host>
            <target>example.com</target>
            <ttl>21600</ttl>
            <priority>1</priority>
        </record>
        <record>
            <type>NS</type>
            <host>ns1</host>
            <target>example.com</target>
            <ttl>43200</ttl>
        </record>
        <record>
            <type>TXT</type>
            <host>bikes</host>
            <target>This is text</target>
            <ttl>86400</ttl>
        </record>
        <record>
            <type>SRV</type>
            <host>server</host>
            <target>example.com</target>
            <ttl>3600</ttl>
            <priority>2</priority>
            <weight>5</weight>
            <port>5223</port>
            <service>XMPP</service>
            <protocol>TCP</protocol>
        </record>
    </manageDomainDNS>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - record: (Repeatable) A DNS record
    
    type: The type of the DNS record. The value can be one of the following:
    
    A: This record maps a domain or subdomain to an IPv4 address.
    
    AAAA: This record maps a domain or subdomain to an IPv6 address.
    
    ALIAS: This record maps a domain or subdomain to another domain or subdomain.
    
    CAA: This record specifies the CA that is allowed to issue certificates for a domain.
    
    CNAME: This record maps a domain or subdomain to another domain or subdomain.
    
    MX: This record specifies the mail server responsible for accepting email messages on behalf of a domain name.
    
    NS: This record specifies which nameservers are authoritative for a domain.
    
    TXT: This record allows domain administrators to insert text content into DNS records, for example, to prove domain ownership.
    
    SRV: This record specifies the domain and port for specific services such as voice over IP (VoIP), instant messaging, and so on.
    
    host: If the value is a subdomain, then the element will contain the subdomain name. If it’s a domain, leave the value empty.
    
    target: The target IP address, domain, or subdomain. The value depends on the type of the DNS record.
    
    TTL: The DNS TTL in seconds. The value can be one of the following:
    
    120: The record is cached for 120 seconds.
    
    300: The record is cached for 300 seconds.
    
    600: The record is cached for 600 seconds.
    
    1800: The record is cached for 1,800 seconds.
    
    3600: The record is cached for 3,600 seconds.
    
    21600: The record is cached for 21,600 seconds.
    
    43200: The record is cached for 43,200 seconds.
    
    86400: The record is cached for 86,400 seconds.
    
    flag: A flags byte implements an extensible signaling system for future use in CAA records. The value can be in the range of 0-255.
    
    tag: The tag portion of a CAA record. The value can be one of the following:
    
    issue: Authorizes a single certificate authority to issue a certificate of any type for the domain.
    
    issuewild: Authorizes a single certificate authority to issue only a wildcard certificate for the domain.
    
    iodef: Specifies the URL to which a certificate authority may report policy violations.
    
    priority: An integer value indicating the priority of the target domain. A smaller value indicates a higher priority. If there’s only one record, the priority isn’t applied.
    
    weight: A relative weight for records with the same priority. A higher value means more preferred. The value can be in the range of 0-65535.
    
    port: The TCP or UDP port on which the service listens. The value can be in the range of 0-65535.
    
    service: The symbolic name of the service in a SRV record.
    
    protocol: The transport protocol of the service in a SRV record. This is usually either TCP or UDP.
    
    uuid: A unique UUID string that identifies the DNS record.
  - status: The status of the request. The value can be either ok or error.

Example response

This example contains one of the DNS records returned.

<SiteLockOnlineResponse>
    <manageDomainDNS>
        <record>
            <host></host>
            <priority>0</priority>
            <target>192.158.1.38</target>
            <ttl>120<ttl>
            <type>A</type>
            <uuid>f0f4eda0-3f47-45c1-8ba8-092f41193314</uuid>
        </record>
        <status>ok</status>
    </manageDomainDNS>
</SiteLockOnlineResponse>

Importing DNS records

You can import a BIND zone file for a domain. You import one zone at a time, no more than 500 records per zone.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to import the DNS zone file
  - action: The import_bind action imports a BIND zone file
  - bindFileContents: The contents of a BIND zone file
    
    The contents must be placed within the CDATA wrapper <![CDATA[ .. ]]>.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>import_bind</action>
        <bindFileContents>
            <![CDATA[
                $ORIGIN example.com.
                $TTL 3600
                example.com. 3600 IN SOA ns1.sectigoweb.com. admin.example.com. 1111111111 86400 7200 604800 3600
                example.com 3600 IN NS ns1.sectigo.web.com.
                example.com 3600 IN NS ns2.sectigo.web.com.
                example.com 3600 IN NS ns3.sectigo.web.com.
                example.com 3600 IN NS ns4.sectigo.web.com.
                www.example.com. 3600 IN A 162.242.172.9
                app.example.com. 3600 IN A 162.242.172.9
                mail.example.com. 3600 IN A 162.242.172.9
            ]]>
        </bindFileContents>
    </manageDomainDNS>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - succeeded: A list of records that were successfully imported.
    
    record: (Repeatable) A DNS record
    
    host: The hostname or domain name that was imported
    
    priority: An integer value indicating the priority of the target domain
    
    target: The target IP address, domain, or subdomain
    
    TTL: The DNS TTL in seconds
    
    type: The type of the DNS record
    
    uuid: A unique UUID string that identifies the DNS record
  - failed: A list of records that couldn’t be imported.
    
    record: (Repeatable) A DNS record
    
    error: A message explaining the error if a record couldn’t be imported
  - status: The possible values are ok and error. The status will be ok if at least one record was successfully imported.

Example response

<SiteLockOnlineResponse>
    <manageDomainDNS>
        <succeeded>
            <record>
                <host>www.example.com</host>
                <priority>0</priority>
                <target>162.242.172.9</target>
                <ttl>3600</ttl>
                <type>A</type>
                <uuid>cdd4842e-74e9-4226-9651-dced65f332c9</uuid>
            </record>
            <record>
                <host>app.example.com</host>
                <priority>0</priority>
                <target>162.242.172.9</target>
                <ttl>3600</ttl>
                <type>A</type>
                <uuid>1afb3aa3-31f5-4153-95e2-bfa9eff163cb</uuid>
            </record>
        </succeeded>
        <failed>
            <record>
                <error>zone record already exists</error>
                <host>mail.example.com.</host>
                <priority></priority>
                <target>162.242.172.9</target>
                <ttl>3600</ttl>
                <type>A</type>
                <uuid></uuid>
            </record>
        </failed>
        <status>ok</status>
    </manageDomainDNS>
</SiteLockOnlineResponse>

Exporting DNS records

You can export DNS records for a domain into a BIND zone file.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to export DNS records
  - action: The export_bind action exports DNS records.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>valid</user>
        <password>valid</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12/site_id>
        <action>export_bind</action>
    </manageDomainDNS>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - status: The possible values are ok and error.
  - bindFile: The contents of a BIND zone file

Example response

<SiteLockOnlineResponse>
    <status>ok</status>
    <bindFile>
        <![CDATA[
          $ORIGIN example.com.
                $TTL 3600
                example.com. 3600 IN SOA ns1.sectigoweb.com. admin.example.com. 1111111111 86400 7200 604800 3600
                example.com 3600 IN NS ns1.sectigo.web.com.
                example.com 3600 IN NS ns2.sectigo.web.com.
                example.com 3600 IN NS ns3.sectigo.web.com.
                example.com 3600 IN NS ns4.sectigo.web.com.
                www.example.com. 3600 IN A 162.242.172.9
                app.example.com. 3600 IN A 162.242.172.9
                mail.example.com. 3600 IN A 162.242.172.9
        ]]>
    </bindFile>
</SiteLockOnlineResponse>

Updating DNS records

You can update one record at a time.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to update the DNS record
  - action: The update_record action updates the DNS record.
  - record: The DNS record details
    
    uuid: A unique UUID string, as returned by getDomainDNSInfo.
    
    type: The type of the DNS record. The value can be one of the following:
    
    A: This record maps a domain or subdomain to an IPv4 address. To add a record of this type for a root domain, pass an empty value to the host element and an IPv4 address to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and an IPv4 address to respective elements.
    
    AAAA: This record maps a domain or subdomain to an IPv6 address. To add a record of this type for a root domain, pass an empty value to the host element and an IPv6 address to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and an IPv4 address to respective elements.
    
    ALIAS: This record maps a domain or subdomain to another domain or subdomain. To add a record of this type for a root domain, pass an empty value to the host element and a domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and a domain to respective elements.
    
    CAA: This record specifies the CA that is allowed to issue certificates for a domain. If no CAA record is present, any CA is allowed to issue a certificate for the domain. To add a record of this type for a root domain, pass an empty value to the host element and the CA domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and the CA domain to respective fields. A CAA record also requires the flag and tag elements.
    
    CNAME: This record maps a domain or subdomain to another domain or subdomain. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element. A CNAME record should only be used when there are no other records for that name.
    
    MX: This record specifies the mail server responsible for accepting email messages on behalf of a domain name. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element. An MX record also requires the priority element.
    
    NS: This record specifies which nameservers are authoritative for a domain. To add a record of this type, pass a subdomain (without the dot and root domain) to the host element and a domain name to the target element.
    
    TXT: This record allows domain administrators to insert text content into DNS records, for example, to prove domain ownership. To add a record of this type for a root domain, pass an empty value to the host element and the text content to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and the text content to respective fields.
    
    SRV: This record specifies the domain and port for specific services such as voice over IP (VoIP), instant messaging, and so on. To add a record of this type for a root domain, pass an empty value to the host element and a domain to the target element. For a subdomain, pass the subdomain part (without the dot and root domain) and a domain to respective fields. A SRV record also requires the port, service, protocol, weight, and priority elements.
    
    host: If the value is a subdomain, then the element will contain the subdomain name. If it’s a domain, leave the value empty.
    
    target: The target IP address, domain, or subdomain. The value depends on the type of the DNS record.
    
    TTL: The DNS TTL in seconds. The value can be one of the following:
    
    120: The record is cached for 120 seconds.
    
    300: The record is cached for 300 seconds.
    
    600: The record is cached for 600 seconds.
    
    1800: The record is cached for 1,800 seconds.
    
    3600: The record is cached for 3,600 seconds.
    
    21600: The record is cached for 21,600 seconds.
    
    43200: The record is cached for 43,200 seconds.
    
    86400: The record is cached for 86,400 seconds.
    
    flag: A flags byte implements an extensible signaling system for future use in CAA records. The value can be in the range of 0-255.
    
    tag: The tag portion of a CAA record. The value can be one of the following:
    
    issue: Authorizes a single certificate authority to issue a certificate of any type for the domain.
    
    issuewild: Authorizes a single certificate authority to issue only a wildcard certificate for the domain.
    
    iodef: Specifies the URL to which a certificate authority may report policy violations.
    
    priority: An integer value indicating the priority of the target domain. A smaller value indicates a higher priority. If there’s only one record, the priority isn’t applied.
    
    weight: A relative weight for records with the same priority. A higher value means more preferred. The value can be in the range of 0-65535.
    
    port: The TCP or UDP port on which the service listens. The value can be in the range of 0-65535.
    
    service: The symbolic name of the service in a SRV record
    
    protocol: The transport protocol of the service in a SRV record. This is usually either TCP or UDP.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>update_record</action>
        <record>
            <uuid>f0f4eda0-3f47-45c1-8ba8-092f41193314</uuid>
            <type>A</type>
            <host>docs</host>
            <target>192.158.1.39</target>
            <ttl>3600</ttl>
       </record>
    </manageDomainDNS>
 </SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - record: (Repeatable) A DNS record
    
    host: If the value is a subdomain, then the element will contain the subdomain name. If it’s a domain, an empty value is returned.
    
    type: The type of the DNS record. The value can be one of the following:
    
    A: This record maps a domain or subdomain to an IPv4 address.
    
    AAAA: This record maps a domain or subdomain to an IPv6 address.
    
    ALIAS: This record maps a domain or subdomain to another domain or subdomain.
    
    CAA: This record specifies the CA that is allowed to issue certificates for a domain. If no CAA record is present, any CA is allowed to issue a certificate for the domain.
    
    CNAME: This record maps a domain or subdomain to another domain or subdomain.
    
    MX: This record specifies the mail server responsible for accepting email messages on behalf of a domain name.
    
    NS: This record specifies which nameservers are authoritative for a domain.
    
    TXT: This record allows domain administrators to insert text content into DNS records, for example, to prove domain ownership.
    
    SRV: This record specifies the domain and port for specific services such as voice over IP (VoIP), instant messaging, and so on.
    
    target: The target IP address, domain, or subdomain. The value depends on the type of the DNS record.
    
    TTL: The DNS TTL in seconds. The value can be one of the following:
    
    120: The record is cached for 120 seconds.
    
    300: The record is cached for 300 seconds.
    
    600: The record is cached for 600 seconds.
    
    1800: The record is cached for 1,800 seconds.
    
    3600: The record is cached for 3,600 seconds.
    
    21600: The record is cached for 21,600 seconds.
    
    43200: The record is cached for 43,200 seconds.
    
    86400: The record is cached for 86,400 seconds.
    
    flag: A flags byte implements an extensible signaling system for future use in CAA records. The value can be in the range of 0-255.
    
    tag: The tag portion of a CAA record. The value can be one of the following:
    
    issue: Authorizes a single certificate authority to issue a certificate of any type for the domain.
    
    issuewild: Authorizes a single certificate authority to issue only a wildcard certificate for the domain.
    
    iodef: Specifies the URL to which a certificate authority may report policy violations.
    
    priority: An integer value indicating the priority of the target domain. A smaller value indicates a higher priority. If there’s only one record, the priority isn’t applied.
    
    weight: A relative weight for records with the same priority. A higher value means more preferred. The value can be in the range of 0-65535.
    
    port: The TCP or UDP port on which the service listens. The value can be in the range of 0-65535.
    
    service: The symbolic name of the service in a SRV record
    
    protocol: The transport protocol of the service in a SRV record. This is usually either TCP or UDP.
    
    uuid: A unique UUID string that identifies the DNS record
  - status: The status of the request. The value can be either ok or error.

Example response

<SiteLockOnlineResponse>
    <manageDomainDNS>
        <record>
            <host></host>
            <priority>0</priority>
            <target>192.158.1.39</target>
            <ttl>3600<ttl>
            <type>A</type>
            <uuid>f0f4eda0-3f47-45c1-8ba8-092f41193314</uuid>
        </record>
        <status>ok</status>
    </manageDomainDNS>
</SiteLockOnlineResponse>

Deleting DNS records

You can delete multiple records in a single call.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to delete the DNS record
  - action: The update_record action deletes the DNS records.
  - record: (Repeatable) A DNS record
    
    uuid: A unique UUID string, as returned by getDomainDNSInfo.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <method>delete_record</method>
        <record>
            <uuid>f0f4eda0-3f47-45c1-8ba8-092f41193314</uuid>
        </record>
         ...
        <record>
            <uuid>k0f4nda0-3f43-45v1-8ma8-082f41193314</uuid>
        </record>
    </manageDomainDNS>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - status: The status of the request. The value can be either ok or error.

Example response

<SiteLockOnlineResponse>
    <manageDomainDNS>
        <status>ok</status>
    </manageDomainDNS>
</SiteLockOnlineResponse>

Changing the status of DNS

The status of the DNS service can be configured using the API or by the end user within the SiteLock Dashboard DNS Configuration Wizard.

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- manageDomainDNS: The method name
  - site_id: The ID of the site for which to update the status of the DNS service
  - action: The update_domain action changes the status of the DNS service.
  - configured: The status of the DNS service. The value can be one of the following:
    
    1: The DNS records are configured and the domain’s nameservers point to SiteLock.
    
    0: The DNS records aren’t yet configured. The SiteLock Dashboard will prompt the user to configure them.

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>update_domain</action>
        <configured>1</configured>
    </manageDomainDNS>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- manageDomainDNS: The method name
  - configured: The status of the DNS service. The value can be one of the following:
    
    1: The DNS records are configured and the domain’s nameservers point to SiteLock.
    
    0: The DNS records aren’t yet configured. The SiteLock Dashboard will prompt the user to configure them.
  - site_id: The ID of the site for which the status of the DNS service was updated
  - status: The status of the request. The value can be either ok or error.

Example response

<SiteLockOnlineResponse>
    <manageDomainDNS>
        <configured>1</configured>
        <site_id>12</site_id>
        <status>ok</status>
    </manageDomainDNS>
</SiteLockOnlineResponse>

DNSSEC

You can enable DNSSEC for the user. DNSSEC brings an additional layer of trust to DNS resolution by providing authentication. Cryptographically signed DNS records help verify that a requested DNS record comes from its authoritative nameserver and wasn’t tampered with in transit.

Before configuring the DNSSEC feature, make sure that the DNS records are configured and the domain’s nameservers point to SiteLock, by calling getDomainDNSInfo. The DNSSEC feature must be included in the plan.

Enabling DNSSEC

Follow these instructions to enable DNSSEC:

If you manage DNSSEC key rotation for the user, provide the webhook URL and set the value of dns_key_rotation to partner. If the user takes care of the key rotation process themselves through the dashboard, skip this step.

Set the webhook URL once for your partner account—it’s applied to all DNS licenses where DNSSEC key rotation is handled by you. The URL must use HTTPS and the webhook handler should be able to receive HTTP POST requests.

If you only provision Standard DNS for the user, you don’t need to set the webhook URL since DNS key rotation isn’t available in Standard DNS.
```
<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <setWebhook>
        <dnssec_rotation>https://webhook.domain.com</dnssec_rotation>
    </setWebhook>
</SiteLockOnlineRequest>
```

Set dns_key_rotation to partner. This setting is applied for specific sites.

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>update_domain</action>
        <dns_key_rotation>partner</dns_key_rotation>
    </manageDomainDNS>
</SiteLockOnlineRequest>

You may also pass this element directly in a provisionAccount or provisionAddon call to reduce the number of API calls.

provisionAccount
provisionAddon

<siteInformation>
    <subscription>8</subscription>
    <addon>123</addon>
    <renewal_date>2015-01-01</renewal_date>
    <domain>johnsmith.com</domain>
    <domainEmail>[email protected]</domainEmail>
    <trustedDomain>yes</trustedDomain>
    <dns_key_rotation>partner</dns_key_rotation>
</siteInformation>

<provisionAddon>
    <addonInfo>
        <site_id>12</site_id>
        <subscription>XXX</subscription>
        <renewal_date>2022-03-03</renewal_date>
        <dns_key_rotation>partner</dns_key_rotation>
    </addonInfo>
</provisionAddon>

Enable DNSSEC.

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>update_domain</action>
        <dnssec_enabled>1</dnssec_enabled>
    </manageDomainDNS>
</SiteLockOnlineRequest>

After enabling DNSSEC, two DNSKEY records and a DS record are generated by SiteLock. These read-only records are returned to the user through the dashboard or to the partner through the getDomainDNSInfo method. You need to provide the DS record to the domain registrar to have them add it for the domain at the TLD level. Most registrars will only require a DS record, however, some registrars and domain names (TLD) have different requirements for DNSSEC data, and if so, you may also need to pass the two DNSKEY records.
If you handle DNS key rotation for the user, listen for the website_dnssec_rotation_start webhook event and be ready to receive and parse a JSON message from SiteLock containing the records.

DNS key rotation

DNSKEY records (public signing keys) and DS records (the hash of a DNSKEY record) must be rotated every 90 days. When the rotation window starts, a website_dnssec_rotation_start event is sent notifying you that the key rotation window has opened.

During a 7-day key rotation window, a new DS record and two corresponding DNSKEY records, which contain a zone-signing key (ZSK) and key signing key (KSK), are generated and sent as a POST request to the webhook URL. During the rotation period, two DS records exist—the old record currently in use by the registrar, and the new record that’s not in use yet.

DNS key rotation is only available for users of Premium DNS.

{
  "webhook_url": "https://webhook.site/fd5ca426-e789-407a-8299-abc49b8b6b09",
  "message": {
    "body": {
      "delegation_signer_record": {
        "ds_records": [
          {
            "algorithm": "8",
            "created_at": "2021-08-06T13:37:43Z",
            "updated_at": "2021-08-06T13:37:43Z",
            "digest": "1234A123456BC1D1E12FGH5C27FBE58CF5F35BA52E536A5D3ED4F9D00E057128",
            "digest_type": "2",
            "keytag": "12345"
          }
        ],
        "dns_keys": [
          {
            "protocol": "3",
            "algorithm": "8",
            "key_type": "ksk",
            "created_at": "2021-08-06T13:37:43Z",
            "updated_at": "2021-08-06T13:37:43Z",
            "id": "1234567",
            "type": "257",
            "pub_key": "ABCDEa1F2bcdeGfH3I4JK5nPljb6NuF9n/7WEll23g1Ggd/Y6SO1ZxswYX7FvPNH0n7t+7ADaPJUN8TMWeLjnAioTR30nVM/0SiSCKxgdZI0U3vXlmFiFaOv9/qX7ysOnQ5p2YNuzv1PFDz9aeS3dRQ94disj1sqqQAlv7S88yAY4kXS3SdyIkVo+/H/6SdGuj6tC4wqSH24NANnjhCQ8eZUebc="
          },
          {
            "protocol": "3",
            "algorithm": "8",
            "key_type": "zsk",
            "created_at": "2021-08-06T13:37:43Z",
            "updated_at": "2021-08-06T13:37:43Z",
            "id": "12345678",
            "type": "256",
            "pub_key": "ABCDEa1F2bcdeGfsPOo/uqCey11Fg0xkQvEwMKAtl1vZQWYD4b9mfojNzaiJGDF7pxsvPkdbgWfjUAORSfFBwOgdgZN9dw6xQEnowkWyZQ3woRJ+geif0PPYQbAswa59YuQOpzhHUVYLphO0K1EARtsKk3zE+6XfPHLabgrKZHQ314dX"
          }
        ]
      }
    },
    "target": {
      "domain": "sql1gtdev0009.com",
      "site_id": "29543384",
      "id": "",
      "account_id": "14260170"
    },
    "event": "website_dnssec_rotation_start"
  }
}

You need to rotate the DS and DNSKEY records (remove the old records and add the new records) at the domain registrar within 7 days, before the key rotation window closes. Failure to update the DS record at the registrar will result in downtime. DS records may be cached for 12 or more hours, depending on the TTL values set by domain registries.

When the window closes, a website_dnssec_rotation_complete event is sent. Once the key rotation window is closed, only the new DS record and two corresponding DNSKEY records are available.

Disabling DNSSEC

To disable DNSSEC:

Remove the DS record from the domain registrar.

Disable DNSSEC on SiteLock to remove the zone signing.

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <manageDomainDNS>
        <site_id>12</site_id>
        <action>update_domain</action>
        <dnssec_enabled>0</dnssec_enabled>
    </manageDomainDNS>
</SiteLockOnlineRequest>