Create a DNSSEC record for your domain in cPanel

Domain Name System Security Extensions (DNSSEC) adds a layer of security to the old DNS system. There are two steps for using it: 1. creating the DNSSEC record on your cPanel account. 2. letting your domain registrar know that you want to use DNSSEC.

Create a DNNSEC record in cPanel

  1. Connect to cPanel account
  2. Look for DOMAINS section, select Zone Editor
  3. Click DNSSEC link for your domain
  4. Click the Status field to enable DNSSEC. In few seconds, a new key will be created for your domain. 
  5. That’s everything on the cPanel side.

Movie on how to generate the DNSSEC key in cPanel:

Registrar configuration

This step depends on your registrar. Anyway, you will need all the key details from cPanel: Key Tag, Algorithm(8 RSA/SHA-256 0 bits), Digest Type(1 SHA-1, 2 SHA-256 or 4 SHA-384) and Digest. You can check the tutorials from Namecheap and GoDaddy.

For other registrars, please contact their support team.


Wikipedia DNSSEC page

How to list domains with DNSSEC

This tutorial applies to a cPanel server with PowerDNS installed

To list the domains on your server that are configured with DNSSEC (Domain Name System Security Extensions) you need to login as root and execute the following command:

pdnssec list-secure-zones

The result will be something like:
root@web [~]# pdnssec list-secure-zones
Mar 08 15:52:08 [bindbackend] Done parsing domains, 0 rejected, 12 new, 0 removed
All secure zonecount:1
root@web [~]#, etc are the domains that uses DNSSEC.
You can go ahead and list the key details for a domain with DNSSEC. Just use the command:
pdnssec show-zone
For example, for our domain, the info is:

root@web [~]# pdnssec show-zone
Mar 08 13:04:11 [bindbackend] Done parsing domains, 0 rejected, 463 new, 0 removed
Zone is not presigned
Zone has NARROW hashed NSEC3 semantics, configuration: 1 0 7 78326f1db1405ff2
ID = 3 (KSK), tag = 57434, algo = 8, bits = 2048        Active: 1 ( RSASHA256 )
KSK DNSKEY = IN DNSKEY 257 3 8 AwEAAaZVe21ROtKfWtzQrB2tPd4kP0+cautYOsgbWtPkHy6l0WBDcXQFRennP/uJIDsbfdDkjP1l4SrdpOM5NI01CtE6QTvHDA32L4Z8L9N5qmQ+YkAe+Vk09tNQVKYMfiN/sMA4xQIHQ8KAvky4jMn+fr2k6WvE/QyQPtjYAEoXt1uOiGCSFE7njCx9maikt/WT5YrZEQ5ncJjzzPU3IGdznlJc2sDV+NXbDHVqjH0Bd0GlIp7l/2Io5sAcnlusvi2u5Dawa1aLidfNyLIlmEmzqy98djDFD8vu627E9zmZ74M0YCBbfD6oRpmmXj1SRkc+GhIFN2HvqnkJyf/k1gvG2ms= ; ( RSASHA256 )
DS = IN DS 57434 8 1 49708717a42d565c741fe3d6ece70d648c8a6d7b ; ( SHA1 digest )
DS = IN DS 57434 8 2 c255d52f2386a15b8e3181a6596b47d0b96911bf044c55e6df6c3387294b3150 ; ( SHA256 digest )
DS = IN DS 57434 8 4 716c0d1c8b33bd01e8beb218924abf62e7ac531c056e073ad2dec2720bc4e57a693f18af75a410484ca1438208c0390e ; ( SHA-384 digest )

ID = 4 (ZSK), tag = 1318, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
root@web [~]#