Platform
ScaiWave ScaiGrid ScaiCore ScaiBot ScaiDrive ScaiKey Models Tools & Services
Solutions
Organisations Developers Internet Service Providers Managed Service Providers AI-in-a-Box
Resources
Support Documentation Blog Downloads
Company
About Research Careers Investment Opportunities Contact
Log in

Your First Zone

A complete walk-through from zero to a signed, production-ready zone. Takes about 20 minutes of API calls, plus waiting for DNS propagation.

This guide assumes:

  • You have a ScaiDNS API key (see Authentication).
  • You control the domain you want to manage (registered at your registrar).
  • Access to your registrar's admin panel to change NS delegation and publish DS records.

Throughout, we'll use example.com as the placeholder domain and $SCAIDNS_API_KEY for the key.

1. Create the zone#

bash
1
2
3
4
curl -X POST https://scaidns.scailabs.ai/api/v1/domains/ \
  -H "X-API-Key: $SCAIDNS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "example.com", "domain_type": "primary", "default_ttl": 3600}'

Capture the id from the response — you'll reference it as $DOMAIN_ID below.

Status: pending_validation. Records you add now are stored but not served until validation completes.

2. Prove ownership#

Fetch the validation challenge:

bash
1
2
curl https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/validation \
  -H "X-API-Key: $SCAIDNS_API_KEY"

You get a TXT record to publish at your current DNS provider:

json
1
2
3
4
5
6
7
8
{
  "validation_type": "txt_record",
  "dns_record": {
    "name": "_scaidns-verify.example.com",
    "type": "TXT",
    "value": "scaidns-verify=9z1k8h..."
  }
}

Add that TXT record at your current provider. Wait for propagation — you can check with dig:

bash
1
dig +short TXT _scaidns-verify.example.com

When you see the value, tell ScaiDNS to verify:

bash
1
2
curl -X POST https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/validation/check \
  -H "X-API-Key: $SCAIDNS_API_KEY"

Response: {"is_valid": true, ...}. The domain's status is now active.

3. Create records#

A minimal set for a hosted web app:

python
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
import os, httpx

BASE = "https://scaidns.scailabs.ai/api/v1"
HEADERS = {"X-API-Key": os.environ["SCAIDNS_API_KEY"]}
DOMAIN_ID = os.environ["DOMAIN_ID"]

records = [
    {"name": "@",   "type": "A",    "content": "192.0.2.10", "ttl": 300},
    {"name": "www", "type": "CNAME", "content": "example.com.", "ttl": 300},
    {"name": "@",   "type": "MX",    "content": "10 mail.example.com.", "ttl": 3600},
    {"name": "@",   "type": "TXT",   "content": "v=spf1 mx -all", "ttl": 3600},
]

resp = httpx.post(
    f"{BASE}/domains/{DOMAIN_ID}/records/bulk",
    headers=HEADERS,
    json={"records": records, "continue_on_error": False},
)
resp.raise_for_status()
print(resp.json())

@ represents the zone apex. Subdomain names are relative to the zone — www becomes www.example.com.

Bulk create is atomic by default: all succeed or nothing changes.

4. Delegate at the registrar#

In your registrar's admin panel, change the domain's NS records to point at the ScaiDNS nameservers. Ask your ScaiDNS operator which NS hostnames to use — they vary by deployment.

After delegation, verify with dig:

bash
1
dig NS example.com

The answer section should show the ScaiDNS nameservers. Resolvers may serve the old NS records until the TTL expires.

5. Enable DNSSEC#

With records in place and delegation live, enable DNSSEC:

bash
1
2
3
4
curl -X POST https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/dnssec/enable \
  -H "X-API-Key: $SCAIDNS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"algorithm": 13}'

Algorithm 13 is ECDSA P-256 (RFC 6605) — the current recommended default. ScaiDNS generates a KSK and ZSK, signs the zone, and returns the DS records you need to publish at the registrar:

json
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
{
  "enabled": true,
  "ds_records": [
    {
      "key_tag": 12345,
      "algorithm": 13,
      "digest_type": 2,
      "digest": "A1B2C3..."
    }
  ]
}

Publish those DS records at your registrar's DS management page. Once the registrar reflects them in the .com (or your TLD's) zone, notify ScaiDNS:

bash
1
2
3
4
curl -X POST https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/dnssec/confirm-ds-published \
  -H "X-API-Key: $SCAIDNS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ds_records": [{"key_tag": 12345, "algorithm": 13, "digest_type": 2, "digest": "A1B2C3..."}]}'

Verify the chain resolves:

bash
1
dig +dnssec example.com

The ad flag in the header indicates a successful DNSSEC-validated response.

6. Verify everything#

bash
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Zone is active
curl https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID \
  -H "X-API-Key: $SCAIDNS_API_KEY"

# Records present
curl https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/records \
  -H "X-API-Key: $SCAIDNS_API_KEY"

# DNSSEC status
curl https://scaidns.scailabs.ai/api/v1/domains/$DOMAIN_ID/dnssec \
  -H "X-API-Key: $SCAIDNS_API_KEY"

# Live query
dig +dnssec +short www.example.com

You now have a zone that's:

  • Under ScaiDNS management with full audit trail.
  • DNSSEC-signed with a published chain of trust.
  • Scoped to your tenant's access controls.

What's next#

Updated 2026-05-17 02:38:20 View source (.md) rev 1