DNSSEC in Atomia DNS works with a single set of keys for all zones. Activating or deactivating DNSSEC for a domain is done through domainreg by publishing or clearing the DS record.
In the domainreg plugin for a particular TLD, you only need to make sure that the plugin handles the DomainSetDS and DomainClearDS methods, and decide whether DNSSEC is to be enabled or disabled by default. Enabling and disabling is done through DomainDNSSECEnable and DomainDNSSECDisable, which is also one way to test through domainreg_client.
To have a working DNSSEC setup where it is enabled by default, do the following:
1. Make sure Atomia DNS is set up with DNSSEC, i.e. use PowerDNS and follow the setup instructions at http://atomia.github.io/atomiadns/usage.html#usage-master-installation-dnssec
2. Set hosted_dnssec_delegation_filter in domainreg.conf to match all nameservers used for delegations where hosted DNSSEC should be enabled (i.e. the nameservers used for domains in the env). It is set like:
3. Tell domainreg how to connect to Atomia DNS by setting in domainreg.conf:
atomiadns_soap_uri, atomiadns_soap_username and atomiadns_soap_password
4. Tell domainreg which KSK is currently active. Only one KSK should have been created initially if you followed the guide at atomiadns.net when setting up DNSSEC:
domainreg_client --method DNSSECGetAvailableKSKs
domainreg_client --method DNSSECSetKSKUsedForDS --arg keytag_from_active_KSK
5. Transform the provisioning description so that the HostedDNSSEC defaultValue is true. (C:\Program Files (x86)\Atomia\AutomationServer\Common\ProvisioningDescriptions\ProvisioningDescription..xml).
6. In addition, there are HCP configuration options for the domain manager that determine which TLDs to show the DNSSEC tab on. For Hosted DNSSEC (i.e. domains matching the delegation filter) the tab gives you enable/disable. For domains with external delegations the tab gives you a way to just publish DS records for external DNSKEYs on external nameservers.
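Step 4 ties the DS record published at the registry to the key tag of one KSK, so after enabling DNSSEC it is worth checking that the published DS really corresponds to a KSK served by the zone. The following Python code is an added example, not part of Atomia's code: it computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from DNSKEY data and compares them with a DS record. The function names and the sample keys are constructed for illustration, and digest type 2 is assumed.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, dnskeys, ds):
    """Compare a published DS (tag, alg, digest_type, digest) with the zone's DNSKEYs."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        return "unsupported-digest-type"
    for flags, proto, key_alg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, key_alg, pub)
        if key_tag(rdata) != tag or key_alg != alg:
            continue
        if not flags & 0x0001:
            return "ds-points-at-non-sep-key"  # SEP bit clear: a ZSK, not a KSK
        if ds_sha256(owner, rdata) == digest.upper().replace(" ", ""):
            return "ok"
        return "digest-mismatch"
    return "no-dnskey-with-that-tag"  # e.g. DS still refers to a removed KSK

# Constructed sample data (not real keys): a KSK (257) and a ZSK (256), algorithm 13.
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    rdata = dnskey_rdata(*KSK)
    ds = (key_tag(rdata), 13, 2, ds_sha256("example.com.", rdata))
    print(ds, check_ds("example.com", [ZSK, KSK], ds))
```

A result other than "ok" for a hosted domain means resolvers that validate will treat the zone as bogus, so it should be resolved before the DS is left published.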