DNS Security Extensions (DNSSEC) add an extra layer of security to a domain's DNS records.
DNSSEC works by digitally signing DNS records using public-key cryptography. By checking the associated signature, you can verify that the requested DNS records come from the authoritative nameserver and that they have not been altered en route, as opposed to a fake record injected via a man-in-the-middle attack.
DNSSEC is not available on our nameservers, and can only be enabled using a custom nameserver. This means it is not available on our Shared, non-VPS Reseller, and WordPress plans without the use of a third-party nameserver.
Related Article
Create Custom Nameservers
- Ensure that custom nameservers are set up
CAUTION: DNSSEC cannot be used with our nameservers. Custom nameservers are required to configure DNSSEC.
- If the domain is using InMotion Hosting Nameservers or vanity nameservers, they will need to be switched to custom nameservers
- If needed, change the nameserver software to PowerDNS
Enable DNSSEC in cPanel
- Log into WHM
- Navigate to List Accounts, located in the Account Information section
- Locate the domain or cPanel to enable DNSSEC on
- Locate and select the package listed in the Package column
- Scroll down to the Feature List and click View next to the dropdown
- Enable the feature Manage DNSSEC
- Save
Configure DNSSEC
- Log into cPanel
- Navigate to the Zone Editor, located in the Domains section
- Select DNSSEC next to the desired domain
- Select +Create Key
- Select Customize
TIP: If the default options are desired, you can also choose Create to automatically create the key.
- Leave the Key Setup set to Classic
- Choose the algorithm supported by your registrar
TIP: If you're unsure, most registrars support RSA/SHA-256 (Algorithm 8). If we are the domain registrar, we can support ECDSA Curve P-256 with SHA-256 (Algorithm 13).
- Select Create to see the information that needs to be supplied to the domain registrar
NOTE: The registrar will need the domain, key tag, algorithm type, digest type, and digest.
- If we are the domain registrar, open a ticket with Technical Support to enable DNSSEC on the domain
IMPORTANT: We will require the Algorithm 1 Digest Type and Digest, as well as the Key Tag and Algorithm type.
NOTE: DNS propagation can take between 4 and 24 hours.
- If we are not the domain registrar, reach out to the domain registrar with the necessary information
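The key tag, algorithm, digest type, and digest given to the registrar are all derived from the zone's DNSKEY record, so they can be recomputed and compared with the DS record the registrar publishes. The following is an added example, not part of the original article or of cPanel; the function names are assumptions, and the sample key is constructed placeholder bytes rather than a real key.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to hashlib algorithm names
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1 keys)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_fields(domain, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive the values a registrar asks for from the zone's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(domain) + rdata)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest.hexdigest().upper()}

def ds_matches(ds_text, domain, flags, protocol, algorithm, pubkey_b64):
    """Compare DS RDATA text ("tag alg type digest") against the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    want = ds_fields(domain, flags, protocol, algorithm, pubkey_b64, int(dtype))
    got = {"key_tag": int(tag), "algorithm": int(alg),
           "digest_type": int(dtype), "digest": "".join(digest).upper()}
    return got == want

# Constructed sample: 64 placeholder bytes standing in for a P-256 public key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    # 257 = key-signing key flags, 3 = protocol, 13 = ECDSA P-256 with SHA-256
    print(ds_fields("example.com", 257, 3, 13, SAMPLE_KEY))
```

A mismatch between the DS record at the registrar and the DNSKEY in the zone causes validating resolvers to reject the domain's answers, so it is worth running this comparison before treating the change as complete.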