Add notes and links to new page and fill in API steps

RebeccaTamachiro · RebeccaTamachiro · commit b5abf0925724 · 2025-02-10T15:39:17.000Z
diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx
@@ -6,8 +6,21 @@ sidebar:
   order: 6
 ---
 
-As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This removes the need for NSEC3.
+As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This implementation removes the need for NSEC3.
 
 However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
 
+Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/).
+
+```bash
+curl --request PATCH \
+https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--header "Content-Type: application/json" \
+--data '{
+"dnssec_use_nsec3": true,
+"status": "active"
+}'
+```
+
 [^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the last and next names in a chain.
diff --git a/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx b/src/content/docs/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary.mdx
@@ -55,6 +55,10 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
 }'
 ```
 
+:::note[NSEC or NSEC3]
+By default, Cloudflare uses a [safe NSEC implementation](/dns/dnssec/enable-nsec3/) for authenticated denial of existence ([RFC 7129](https://www.rfc-editor.org/rfc/rfc7129.html)). If you are an Enterprise customer and must use NSEC3 for compliance reasons, also set `dnssec_use_nsec3` to `true` when making the API call.
+:::
+
 2. Use the [DNSSEC Details endpoint](/api/resources/dns/subresources/dnssec/methods/get/) to get the necessary values to create a **DS** record at your registrar.
 
 3. <Render file="dnssec-registrar-steps" />
@@ -69,7 +73,7 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/dnssec \
 
 - Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
 - Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC.
-- [Authenticated denial of existence (RFC 7129)](https://www.rfc-editor.org/rfc/rfc7129.html): If your primary DNS provider uses NSEC3 (instead of NSEC), you must manually [enable NSEC3 support](#) via API.
+- [Authenticated denial of existence (RFC 7129)](https://www.rfc-editor.org/rfc/rfc7129.html): If your primary DNS provider uses NSEC3 (instead of NSEC), you must manually [enable NSEC3 support](/dns/dnssec/enable-nsec3/) on Cloudflare via API.
 
 
 ### Steps
