Create a DNSSEC record for your domain in cPanel

Domain Name System Security Extensions (DNSSEC) adds a layer of security to the old DNS system. Using it takes two steps: (1) creating the DNSSEC record in your cPanel account, and (2) letting your domain registrar know that you want to use DNSSEC.

Create a DNSSEC record in cPanel

  1. Connect to your cPanel account.
  2. In the DOMAINS section, select Zone Editor.
  3. Click the DNSSEC link for your domain.
  4. Click the Status field to enable DNSSEC. In a few seconds, a new key will be created for your domain.
  5. That’s everything on the cPanel side.

Registrar configuration

This step depends on your registrar. In any case, you will need all the key details from cPanel: Key Tag, Algorithm (8 RSA/SHA-256 0 bits), Digest Type (1 SHA-1, 2 SHA-256 or 4 SHA-384) and Digest. You can check the tutorials from Namecheap and GoDaddy.

For other registrars, please contact their support team.


How to list domains with DNSSEC

This tutorial applies to a cPanel server with PowerDNS installed.

To list the domains on your server that are configured with DNSSEC (Domain Name System Security Extensions), log in as root and execute the following command:

pdnssec list-secure-zones

The result will be something like:
root@web [~]# pdnssec list-secure-zones
Mar 08 15:52:08 [bindbackend] Done parsing domains, 0 rejected, 12 new, 0 removed
yourdomain1.com
yourdomain2.com
All secure zonecount:1
root@web [~]#

yourdomain1.com, yourdomain2.com, etc. are the domains that use DNSSEC.
You can go ahead and list the key details for a domain with DNSSEC. Just use the command:
pdnssec show-zone yourdomain1.com
For example, for our domain demo.plothost.com, the info is:

root@web [~]# pdnssec show-zone demo.plothost.com
Mar 08 13:04:11 [bindbackend] Done parsing domains, 0 rejected, 463 new, 0 removed
Zone is not presigned
Zone has NARROW hashed NSEC3 semantics, configuration: 1 0 7 78326f1db1405ff2
keys:
ID = 3 (KSK), tag = 57434, algo = 8, bits = 2048        Active: 1 ( RSASHA256 )
KSK DNSKEY = demo.plothost.com IN DNSKEY 257 3 8 AwEAAaZVe21ROtKfWtzQrB2tPd4kP0+cautYOsgbWtPkHy6l0WBDcXQFRennP/uJIDsbfdDkjP1l4SrdpOM5NI01CtE6QTvHDA32L4Z8L9N5qmQ+YkAe+Vk09tNQVKYMfiN/sMA4xQIHQ8KAvky4jMn+fr2k6WvE/QyQPtjYAEoXt1uOiGCSFE7njCx9maikt/WT5YrZEQ5ncJjzzPU3IGdznlJc2sDV+NXbDHVqjH0Bd0GlIp7l/2Io5sAcnlusvi2u5Dawa1aLidfNyLIlmEmzqy98djDFD8vu627E9zmZ74M0YCBbfD6oRpmmXj1SRkc+GhIFN2HvqnkJyf/k1gvG2ms= ; ( RSASHA256 )
DS = demo.plothost.com IN DS 57434 8 1 49708717a42d565c741fe3d6ece70d648c8a6d7b ; ( SHA1 digest )
DS = demo.plothost.com IN DS 57434 8 2 c255d52f2386a15b8e3181a6596b47d0b96911bf044c55e6df6c3387294b3150 ; ( SHA256 digest )
DS = demo.plothost.com IN DS 57434 8 4 716c0d1c8b33bd01e8beb218924abf62e7ac531c056e073ad2dec2720bc4e57a693f18af75a410484ca1438208c0390e ; ( SHA-384 digest )

ID = 4 (ZSK), tag = 1318, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
root@web [~]#
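
Before the Key Tag, Algorithm, Digest Type and Digest go into the registrar's form, it is worth confirming that each DS line really is the digest of the KSK printed above it, because a DS that does not match the published DNSKEY makes the domain fail for validating resolvers. The Python script below is an added example, not part of the original tutorial or of PowerDNS: it recomputes the key tag and the digests as defined in RFC 4034 from the show-zone output above; the function names are illustrative.

```python
import base64, hashlib, re, struct

# Digest type numbers as listed above: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# KSK and DS lines copied from the demo.plothost.com output above.
SAMPLE = """\
KSK DNSKEY = demo.plothost.com IN DNSKEY 257 3 8 AwEAAaZVe21ROtKfWtzQrB2tPd4kP0+cautYOsgbWtPkHy6l0WBDcXQFRennP/uJIDsbfdDkjP1l4SrdpOM5NI01CtE6QTvHDA32L4Z8L9N5qmQ+YkAe+Vk09tNQVKYMfiN/sMA4xQIHQ8KAvky4jMn+fr2k6WvE/QyQPtjYAEoXt1uOiGCSFE7njCx9maikt/WT5YrZEQ5ncJjzzPU3IGdznlJc2sDV+NXbDHVqjH0Bd0GlIp7l/2Io5sAcnlusvi2u5Dawa1aLidfNyLIlmEmzqy98djDFD8vu627E9zmZ74M0YCBbfD6oRpmmXj1SRkc+GhIFN2HvqnkJyf/k1gvG2ms= ; ( RSASHA256 )
DS = demo.plothost.com IN DS 57434 8 1 49708717a42d565c741fe3d6ece70d648c8a6d7b ; ( SHA1 digest )
DS = demo.plothost.com IN DS 57434 8 2 c255d52f2386a15b8e3181a6596b47d0b96911bf044c55e6df6c3387294b3150 ; ( SHA256 digest )
DS = demo.plothost.com IN DS 57434 8 4 716c0d1c8b33bd01e8beb218924abf62e7ac531c056e073ad2dec2720bc4e57a693f18af75a410484ca1438208c0390e ; ( SHA-384 digest )
"""

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def check_show_zone(text):
    """Return (digest_type, ids_ok, digest_ok) for each DS line in the output."""
    k = re.search(r"DNSKEY = (\S+) IN DNSKEY (\d+) (\d+) (\d+) (\S+)", text)
    if k is None:
        raise ValueError("no DNSKEY line found")
    owner = k.group(1)
    flags, proto, alg = (int(v) for v in k.group(2, 3, 4))
    # DNSKEY RDATA = flags (2 bytes) | protocol (1) | algorithm (1) | public key
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(k.group(5))
    results = []
    for tag, ds_alg, dtype, digest in re.findall(
            r"DS = \S+ IN DS (\d+) (\d+) (\d+) ([0-9a-fA-F]+)", text):
        # DS digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 5.1.4
        expected = DIGESTS[int(dtype)](wire_name(owner) + rdata).hexdigest()
        ids_ok = int(tag) == key_tag(rdata) and int(ds_alg) == alg
        results.append((int(dtype), ids_ok, expected == digest.lower()))
    return results

if __name__ == "__main__":
    for dtype, ids_ok, digest_ok in check_show_zone(SAMPLE):
        print(f"digest type {dtype}: tag/algorithm ok={ids_ok}, digest ok={digest_ok}")
```

When the registrar lets you choose, submit the SHA-256 (type 2) DS: RFC 8624 says SHA-1 (type 1) must not be used for new DS records.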
