DNSSEC


Overview

We introduced DNS Security Extensions (DNSSEC) support for PowerDNS nameservers. DNSSEC adds a layer of security to your domains’ DNS records.
A DNS resolver will compare the DNS server’s DNSKEY record to the DS record at the registrar. If they match, then the DNS resolver knows that the record is valid.
DNSSEC uses digital signatures and cryptographic keys to validate the DNS responses’ authenticity. These digital signatures protect clients from various forms of attack, such as spoofing or a man-in-the-middle attack.
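The DNSKEY-to-DS comparison described above can be reproduced offline. The following Python is an added example, not code from cPanel or PowerDNS: it builds a DS record from a DNSKEY the way RFC 4034 specifies (digest over the owner name in wire format followed by the DNSKEY RDATA, plus the RFC 4034 appendix B key tag) and then performs the resolver-side check that the DS published at the parent matches the DNSKEY served by the zone. The zone name and the DNSKEY contents are constructed test values, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# Constructed DNSKEY for a hypothetical zone (not a real key): flags=257 (KSK),
# protocol=3, algorithm=13 (ECDSAP256SHA256). The 64-byte public key is filled
# with 0x01 so the key tag can be verified by hand (it works out to 9262).
EXAMPLE_ZONE = "example.com."
EXAMPLE_DNSKEY = {
    "flags": 257,
    "protocol": 3,
    "algorithm": 13,
    "public_key": base64.b64encode(b"\x01" * 64).decode(),
}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags (16 bit), protocol, algorithm, raw public key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])


def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 appendix B: 16-bit checksum over the RDATA (this is the keytag in DS records)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(zone: str, key: dict, digest_type: int = 2) -> dict:
    """DS record the parent publishes: digest of (owner name wire form + DNSKEY RDATA), RFC 4034 section 5.1.4."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](name_to_wire(zone) + dnskey_rdata(key)).hexdigest().upper()
    return {
        "key_tag": key_tag(key),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches_dnskey(zone: str, key: dict, ds: dict) -> bool:
    """The validating resolver's check: recompute the DS from the child's DNSKEY and compare it to the parent's DS."""
    if ds["key_tag"] != key_tag(key) or ds["algorithm"] != key["algorithm"]:
        return False
    expected = ds_from_dnskey(zone, key, ds["digest_type"])
    # Constant-time comparison; hex digests are ASCII so str comparison is fine.
    return hmac.compare_digest(expected["digest"].lower(), ds["digest"].lower())


if __name__ == "__main__":
    ds = ds_from_dnskey(EXAMPLE_ZONE, EXAMPLE_DNSKEY)
    print(f"{EXAMPLE_ZONE} DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("parent DS matches zone DNSKEY:", ds_matches_dnskey(EXAMPLE_ZONE, EXAMPLE_DNSKEY, ds))
```

Any change to the DNSKEY, even a single flipped flag bit, changes the key tag and the digest, so the DS at the registrar no longer matches and validation fails; that is why a replaced key must be followed by a DS update at the registrar, as the rotation section below notes.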
Important:
To use DNSSEC on your server, you must use PowerDNS as the nameserver. For more information about how to install PowerDNS on your server, read our Nameserver Selection documentation.
For more information about DNSSEC, read Wikipedia’s Domain Name System Security Extensions article.

Enable DNSSEC

To enable DNSSEC for cPanel users, select the Manage DNSSEC feature in WHM’s Feature Manager interface (WHM » Home » Packages » Feature Manager).
To list the domains with DNSSEC on a server, log in to the server as the root user and run the following command:
pdnsutil list-secure-zones
For more information, read our How to List Domains with DNSSEC documentation.

Manage DNSSEC keys

cPanel users can create, manage, or delete their domains’ DNSSEC keys in cPanel’s Zone Editor interface (cPanel » Home » Domains » Zone Editor).
To validate the DNSSEC configuration for a domain, use Verisign’s DNSSEC Analyzer website.

DNSSEC key rotation

Note:
We recommend that you rotate your domain’s DNSSEC keys yearly.
You can rotate your domains’ DNSSEC keys regularly to increase your DNS records’ security.
For more information about how to rotate a DNSSEC key, read our How to Rotate a DNSSEC Key documentation.
To determine your domain’s registrar, read our How to Identify Your Registrar documentation.

Disable DNSSEC

To disable DNSSEC, remove the DS record from the registrar. Without a DS record at the registrar, clients will not look up DNSSEC keys on the DNS server.

DNSSEC in DNS clusters

Warning:
All servers in the DNS cluster must run PowerDNS if domains that use DNSSEC exist in that cluster.
cPanel & WHM supports DNSSEC in DNS clusters. PowerDNS servers with domains that have DNSSEC configured can exist in DNS clusters. You can enable DNS clustering in WHM’s DNS Cluster interface (WHM » Home » Clusters » DNS Cluster).
If your DNSSEC keys don’t synchronize, the system sends you a notification via the DNSSEC key sync failure notification in WHM’s Contact Manager interface (WHM » Home » Server Contacts » Contact Manager). To sync or remove DNSSEC keys, run the /usr/local/cpanel/scripts/dnssec-cluster-keys script as the root user.
For more information about DNSSEC in a DNS cluster, read our Guide to DNS Cluster Configurations documentation.

DNSSEC key backups

The system backs up DNSSEC key information in the /dnssec_keys directory. This directory contains a copy of all of the account’s DNSSEC keys using the following naming conventions:
domainname/keytag_keytype.key
Note:
In this example:
domainname represents the domain name.
keytag represents the key’s keytag.
keytype represents the key’s type.
For more information about where cPanel & WHM stores DNSSEC key information in backups, read our Backup Tarball Contents documentation.
Note:
The system may corrupt the DNSSEC database if it encounters an Out Of Memory (OOM) or disk full condition.
Systems Administrators can restore the database from the system backup files. If they do not back up system files, they will need to perform the following steps:
  •  Rebuild the PDNS.db file from scratch with the following command:
     pdnsutil create-bind-db /var/cpanel/pdns/dnssec.db
  •  Regenerate the DNSSEC keys for each domain that lost keys.
  •  Tell their users to register the new keys with their domain registrar.
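After a rebuild of the DNSSEC database, the first question is which domains lost keys. The following Python is an added example (not cPanel code): it parses the dnssec_keys naming convention described above (domainname/keytag_keytype.key) from a backup listing into a per-domain key inventory, parses the zone names reported by pdnsutil list-secure-zones, and reports the domains that had keys in the backup but are no longer secure on the rebuilt server. Both inputs are constructed samples; the key types "ksk" and "zsk", the key tags, and the assumption that list-secure-zones prints one zone name per line are illustrative assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed listing of a backup's dnssec_keys directory. Key tags and the
# "ksk"/"zsk" key types are assumptions for illustration.
BACKUP_KEY_FILES = """
dnssec_keys/example.com/9262_ksk.key
dnssec_keys/example.com/41321_zsk.key
dnssec_keys/example.net/17034_ksk.key
dnssec_keys/example.net/5100_zsk.key
dnssec_keys/example.org/60013_ksk.key
dnssec_keys/README
"""

# Constructed output of `pdnsutil list-secure-zones` on the rebuilt server
# (assumed format: one zone name per line). example.net is absent, so its
# keys were lost when the database was recreated.
LIST_SECURE_ZONES = """
example.com
example.org
"""

# domainname/keytag_keytype.key, optionally prefixed by the dnssec_keys directory.
KEY_FILE_RE = re.compile(
    r"^(?:dnssec_keys/)?(?P<domain>[^/]+)/(?P<keytag>\d+)_(?P<keytype>[a-z]+)\.key$"
)


def parse_backup_keys(listing: str) -> dict:
    """Map each domain in the backup to its list of (keytag, keytype) pairs; non-key files are ignored."""
    inventory = defaultdict(list)
    for line in listing.splitlines():
        match = KEY_FILE_RE.match(line.strip())
        if not match:
            continue
        domain = match["domain"].lower().rstrip(".")
        inventory[domain].append((int(match["keytag"]), match["keytype"]))
    return dict(inventory)


def parse_secure_zones(output: str) -> set:
    """Set of zone names that PowerDNS currently reports as DNSSEC-secured."""
    return {line.strip().lower().rstrip(".") for line in output.splitlines() if line.strip()}


def zones_needing_keys(inventory: dict, secure_zones: set) -> dict:
    """Domains that had keys in the backup but are not secure now.

    These are the domains whose keys must be restored or regenerated; after regeneration
    the new DS records must be registered at the registrar, or validation will fail."""
    return {domain: sorted(keys) for domain, keys in inventory.items() if domain not in secure_zones}


if __name__ == "__main__":
    inventory = parse_backup_keys(BACKUP_KEY_FILES)
    missing = zones_needing_keys(inventory, parse_secure_zones(LIST_SECURE_ZONES))
    for domain, keys in missing.items():
        tags = ", ".join(f"{tag} ({kind})" for tag, kind in keys)
        print(f"{domain}: lost keys {tags}; regenerate and re-register DS at the registrar")
```

Comparing the backup inventory against the live list is preferable to regenerating keys for every domain, because every regenerated key forces a DS update at the registrar, and a domain whose DS no longer matches its DNSKEY fails validation until that update is made.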

DNSSEC key restoration

When you restore a backup that contains DNSSEC keys, the system will restore the DNSSEC keys to the appropriate domain.

DNSSEC key transfers

The system transfers any DNSSEC key information from the backup file to the new server. If the destination server supports DNSSEC, the server will import and activate any DNSSEC keys in the backup. If the destination server does not support DNSSEC, that system will not restore any DNSSEC keys from the backup file.
To transfer an account with DNSSEC-enabled domains, use WHM’s Transfer Tool interface (WHM » Home » Transfers » Transfer Tool). If the server is part of a DNS cluster, the keys will synchronize to the DNS cluster during the transfer.
For more information about transferring DNSSEC keys, read our Zone Editor documentation.

API functions

UAPI functions

Developers can use the following DNSSEC-related UAPI functions to retrieve information or perform actions:
  •  DNSSEC::activate_zone_key — This function activates a DNSSEC key.
  •  DNSSEC::add_zone_key — This function generates a DNSSEC key for a domain.
  •  DNSSEC::deactivate_zone_key — This function deactivates a DNSSEC key.
  •  DNSSEC::disable_dnssec — This function disables DNSSEC on the domain.
  •  DNSSEC::enable_dnssec — This function enables DNSSEC on the domain.
  •  DNSSEC::export_zone_key — This function exports a DNSSEC key.
  •  DNSSEC::fetch_ds_records — This function fetches a domain’s Delegation of Signing (DS) records.
  •  DNSSEC::import_zone_key — This function imports a DNSSEC key.
  •  DNSSEC::remove_zone_key — This function removes a DNSSEC key.
  •  DNSSEC::set_nsec3 — This function configures the domain to use Next Secure Record 3 (NSEC3) semantics.
  •  DNSSEC::unset_nsec3 — This function configures the domain to use Next Secure Record (NSEC) semantics instead of Next Secure Record 3 (NSEC3) semantics.

WHM API 1 functions

Developers can use these functions to retrieve information or perform actions:
  •  activate_zone_key — This function activates a domain’s DNSSEC security key.
  •  add_zone_key — This function generates a DNSSEC zone key for a domain.
  •  deactivate_zone_key — This function deactivates a domain’s DNSSEC security key.
  •  disable_dnssec_for_domains — This function disables DNSSEC on the domain.
  •  enable_dnssec_for_domains — This function enables DNSSEC on the domain.
  •  export_zone_key — This function exports a DNSSEC security key to a domain.
  •  fetch_ds_records_for_domains — This function fetches a domain’s Delegation of Signing (DS) record.
  •  import_zone_key — This function imports a DNSSEC security key.
  •  remove_zone_key — This function removes a DNSSEC security key.
  •  set_nsec3_for_domains — This function configures the domain to use Next Secure Record 3 (NSEC3) semantics.
  •  unset_nsec3_for_domains — This function configures the domain to use Next Secure Record (NSEC) semantics instead of Next Secure Record 3 (NSEC3) semantics.