How to Enable DNSSEC in cPanel

Overview

DNSSEC (DNS Security Extensions) adds cryptographic authentication to your domain's DNS records. The zone is signed with a private key, and validating resolvers use the published public key to verify that DNS responses came from the zone owner and were not altered in transit. This protects visitors from DNS spoofing and cache poisoning; it does not encrypt DNS traffic, so it offers no confidentiality.

When DNSSEC is enabled, the zone's public key is published in a DNSKEY record, and a DS (Delegation Signer) record, a hash of that DNSKEY, is published in the parent zone through your domain registrar. A validating resolver first checks that the DNSKEY served by your nameserver matches the DS served by the parent, then checks the zone's RRSIG signatures against that DNSKEY. Only if both checks succeed is the response accepted as authentic; if the DS and DNSKEY do not match, the response is rejected.

Requirements

  • Your server must use PowerDNS as the nameserver. DNSSEC is not available with BIND or other nameservers in cPanel.
  • You need WHM (root) access to enable the feature for cPanel accounts.
  • Your domain registrar must support DS record management.
Tip: SPF, DKIM, and DMARC solve a different problem (authenticating email sent from your domain), but they are also published as DNS records, so consider configuring them for your domains at the same time.

Step 1 — Enable the DNSSEC Feature in WHM

Before cPanel users can manage DNSSEC keys, the server administrator must enable the feature:

  1. Log in to WHM.
  2. Navigate to Home » Packages » Feature Manager.
  3. Select or create the feature list assigned to the cPanel account.
  4. Check the Manage DNSSEC option and save.

To verify which domains on the server already have DNSSEC active, run the following as root on the server:

pdnsutil list-secure-zones

Step 2 — Create DNSSEC Keys in cPanel

Once the feature is enabled, the cPanel user can manage DNSSEC keys:

  1. Log in to cPanel.
  2. Go to Home » Domains » Zone Editor.
  3. Click DNSSEC next to the desired domain.
  4. Click Create Key to generate a new DNSSEC key pair.

After the key is created, cPanel displays the DS record values that must be published at your domain registrar. Until the DS record is published, the zone is signed but resolvers cannot build a chain of trust to it, so the delegation is still treated as insecure (unsigned) rather than validated.

Step 3 — Add the DS Record at Your Registrar

Copy the DS record details provided by cPanel and add them at your domain registrar:

  • Key Tag
  • Algorithm
  • Digest Type
  • Digest

The exact steps vary by registrar; refer to your registrar's documentation for instructions on adding DS records. Some registrars ask for the public key (the DNSKEY record) instead and compute the DS record themselves. Whichever form is accepted, copy the values exactly: a single mistyped digest character produces a DS that matches no key, and validating resolvers will then reject the zone.

Validating Your Configuration

After adding the DS record at your registrar, validate the setup using Verisign's DNSSEC Analyzer. Enter your domain name to check that the chain of trust is correctly established from the root down to your zone, and confirm that the DS the parent zone serves matches the one cPanel displayed (same key tag, algorithm, digest type, and digest).

Key Rotation

It is recommended to rotate your DNSSEC keys at least once per year to limit the impact of an undetected key compromise. The rotation process involves:

  1. Creating a new key in cPanel's Zone Editor (the new DNSKEY is published alongside the old one).
  2. Adding the new DS record at your registrar, alongside the old DS record.
  3. Waiting until the new DS record has propagated and cached copies of the old DS and DNSKEY records have expired: at least the larger of the two TTLs, in practice typically 24–48 hours.
  4. Removing the old DS record from the registrar.
  5. Deleting the old key in cPanel.

Important: Never delete the old DS record, or the old key, before the new DS record has fully propagated and old cached copies have expired. A resolver that still holds a cached DS set pointing only at the old key, or a cached DNSKEY set without the new key, would otherwise fail validation.

Disabling DNSSEC

To disable DNSSEC for a domain:

  1. First, remove the DS record from your domain registrar.
  2. Then, delete the DNSSEC keys in cPanel's Zone Editor.

Warning: Always remove the DS record at the registrar before deleting the keys on the server. If the registrar still publishes a DS record but the server no longer has a matching key, validating resolvers treat the zone as bogus and return SERVFAIL, while non-validating resolvers keep answering normally, so the outage looks intermittent and is easy to misdiagnose. Removing the DS first returns the delegation to the ordinary unsigned state, which every resolver accepts.

DNS Cluster Considerations

If your server is part of a DNS cluster, every server in the cluster must run PowerDNS when DNSSEC-enabled domains are present, since a cluster member running another nameserver cannot serve the signed zone. cPanel notifies administrators of zone synchronization failures through WHM's Contact Manager.

Backup & Restoration

cPanel's account backups automatically include each domain's DNSSEC keys in a dnssec_keys directory within the backup, using the naming format:

domainname/keytag_keytype.key

During account transfers or full restores, DNSSEC keys are transferred automatically if the destination server supports DNSSEC (i.e., uses PowerDNS). After a transfer, confirm that the DS record at the registrar still matches the keys the new server serves; if the keys were not restored, the registrar's DS record will point at a key that no longer exists.