{"id":366,"date":"2021-07-23T12:28:34","date_gmt":"2021-07-23T12:28:34","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/dnssec\/"},"modified":"2021-07-23T12:28:34","modified_gmt":"2021-07-23T12:28:34","slug":"dnssec","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/dnssec\/","title":{"rendered":"DNSSEC"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

In cPanel & WHM version 84, we introduced DNS Security Extensions (DNSSEC) support for PowerDNS nameservers. DNSSEC adds a layer of security to your domains\u2019 DNS records.<\/p>\n

A DNS resolver will compare the DNS server\u2019s DNSKEY record to the DS record at the registrar. If they match, then the DNS resolver knows that the record is valid.<\/p>\n

DNSSEC uses digital signatures and cryptographic keys to validate the DNS responses\u2019 authenticity. These digital signatures protect clients from various forms of attack, such as Spoofing or a Man-in-the-Middle attack.<\/p>\n

\n
Important:<\/div>\n
\n

To use DNSSEC on your server, you must<\/strong> use PowerDNS as the nameserver. For more information about how to install PowerDNS on your server, read our Nameserver Selection documentation.<\/p>\n<\/p><\/div>\n<\/div>\n

For more information about DNSSEC, read Wikipedia\u2019s Domain Name System Security Extensions article.<\/p>\n

Enable DNSSEC<\/h2>\n

To enable DNSSEC for cPanel users, select the Manage DNSSEC<\/em> feature in WHM\u2019s Feature Manager<\/em> interface (WHM >> Home >> Packages >> Feature Manager<\/em>).<\/p>\n

To list the domains with DNSSEC on a server, log in to the server as the root<\/code> user and run the following command:<\/p>\n

\n
pdnsutil list-<\/span>secure-<\/span>zones<\/code><\/pre>\n<\/div>\n
For more information, read our How to List Domains with DNSSEC documentation.<\/p>\n
Manage DNSSEC keys<\/h2>\n
cPanel users can create, manage, or delete their domains\u2019 DNSSEC keys in cPanel\u2019s Zone Editor<\/em> interface (cPanel >> Home >> Domains >> Zone Editor<\/em>).<\/p>\n
To validate the DNSSEC configuration for a domain, use Verisign\u2019s DNSSEC Anaylzer website.<\/p>\n
DNSSEC key rotation<\/h3>\n
\n
Note:<\/div>\n
\n
We recommend that you rotate your domain\u2019s DNSSEC keys yearly.<\/p>\n<\/p><\/div>\n<\/div>\n
You can rotate your domains\u2019 DNSSEC keys regularly to increase your DNS record\u2019s security.<\/p>\n
For more information about how to rotate a DNSSEC key, read our How to Rotate a DNSSEC Key documentation.<\/p>\n
To determine your domain\u2019s registrar, read our How to Identify Your Registrar documentation.<\/p>\n
Disable DNSSEC<\/h3>\n
To disable DNSSEC, remove the DS record from the registrar. Without a DNS record at the registrar, clients will not<\/strong> look up DNSSEC keys on the DNS server.<\/p>\n
DNSSEC in DNS clusters<\/h2>\n
\n
Warning:<\/div>\n
\n
All servers in the DNS cluster must<\/strong> run PowerDNS if domains that use DNSSEC exist in that cluster.<\/p>\n<\/p><\/div>\n<\/div>\n
cPanel & WHM supports DNSSEC in DNS clusters. PowerDNS servers with domains that have DNSSEC configured can exist in DNS clusters. You can enable DNS clustering in WHM\u2019s DNS Cluster<\/em> interface (WHM >> Home >> Clusters >> DNS Cluster<\/em>).<\/p>\n
If your DNSSEC keys don\u2019t synchronize, the system sends you a notification via the DNSSEC key sync failure<\/em> notification in WHM\u2019s Contact Manager<\/em> interface (WHM >> Home >> Server Contacts >> Contact Manager<\/em>). To sync or remove DNSSEC keys, run the\/usr\/local\/cpanel\/scripts\/dnssec-cluster-keys<\/code> script as the root<\/code> user.<\/p>\n
For more information about DNSSEC in a DNS cluster, read our Guide to DNS Cluster Configurations documentation.<\/p>\n
DNSSEC key backups<\/h2>\n
The system backs up DNSSEC key information in the \/dnssec_keys<\/code> directory. This directory contains a copy of all of the account\u2019s DNSSEC keys using the following naming conventions:<\/p>\n
\n
domainname\/<\/span>keytag_keytype.<\/span>key<\/code><\/pre>\n<\/div>\n
\n
Note:<\/div>\n
\n
In this example:<\/p>\n
    \n
  • \n
    domainname<\/code> represents the domain name.<\/p>\n<\/li>\n
  • \n
    keytag<\/code> represents the key\u2019s keytag.<\/p>\n<\/li>\n
  • \n
    keytype<\/code> represents the key\u2019s type.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
    For more information about where cPanel & WHM stores DNSSEC key information in backups, read our Backup Tarball Contents documentation.<\/p>\n
    \n
    Note:<\/div>\n
    \n
      \n
    • \n
      The system may corrupt the DNSSEC database if it encounters an Out Of Memory (OOM) or disk full condition.<\/p>\n<\/li>\n
    • \n
      Systems Administrators can restore the database from the system backup files. If they do not back up system files, they will need to perform the following steps:<\/p>\n
        \n
      • \n
        Rebuild the PDNS.db file from scratch with the following commands:<\/p>\n
          \n
        • \n
          cPanel & WHM version 84 \u2014 pdnsutil create-bind-db \/etc\/pdns\/dnssec.db<\/code><\/p>\n<\/li>\n
        • \n
          cPanel & WHM version 86 and later \u2014 pdnsutil create-bind-db \/var\/cpanel\/pdns\/dnssec.db<\/code><\/p>\n<\/li>\n<\/ul>\n<\/li>\n
        • \n
          Regenerate the DNSSEC keys for each domain that lost keys.<\/p>\n<\/li>\n
        • \n
          Tell their users to register the new keys with their domain registrar.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
          DNSSEC key restoration<\/h3>\n
          When you restore a backup that contains DNSSEC keys, the system will restore the DNSSEC keys to the appropriate domain.<\/p>\n
          DNSSEC key transfers<\/h2>\n
          The system transfers any DNSSEC key information from the backup file to the new server. If the destination server supports DNSSEC, the server will import and activate any DNSSEC keys in the backup. If the destination server does not support DNSSEC, that system will not<\/strong> restore any DNSSEC keys from the backup file.<\/p>\n
          To transfer an account with DNSSEC-enabled domains, perform the following steps for each domain:<\/p>\n
            \n
          1. \n
            Remove the Domain Server (DS) records from the registrar.<\/p>\n<\/li>\n
          2. \n
            Wait for the changes to propagate. This may take up to 72 hours.<\/p>\n<\/li>\n
          3. \n
            Perform the transfer.<\/p>\n<\/li>\n
          4. \n
            Manually update the registrar with the new DS records.<\/p>\n<\/li>\n<\/ol>\n
            If the server is part of a DNS cluster, the keys will synchronize to the DNS cluster during the transfer.<\/p>\n
            \n
            Warning:<\/div>\n
            \n        If you do not<\/strong> remove the old DS records from the registrar, the domains may produce DNS resolution issues due to invalid DNSSEC responses.\n    <\/div>\n<\/div>\n
            For more information about transferring DNSSEC keys, read our Zone Editor and Transfer Tool documentation.<\/p>\n
            API functions<\/h2>\n
            UAPI functions<\/h3>\n
            Developers can use the following DNSSEC-related UAPI functions to retrieve information or perform actions:<\/p>\n
              \n
            • \n
              DNSSEC::activate_zone_key<\/code> \u2014 This function activates a DNSSEC key.<\/p>\n<\/li>\n
            • \n
              DNSSEC::add_zone_key<\/code> \u2014 This function generates a DNSSEC key for a domain.<\/p>\n<\/li>\n
            • \n
              DNSSEC::deactivate_zone_key<\/code> \u2014 This function deactivates a DNSSEC key.<\/p>\n<\/li>\n
            • \n
              DNSSEC::disable_dnssec<\/code> \u2014 This function disables DNSSEC on the domain.<\/p>\n<\/li>\n
            • \n
              DNSSEC::enable_dnssec<\/code> \u2014 This function enables DNSSEC on the domain.<\/p>\n<\/li>\n
            • \n
              DNSSEC::export_zone_key<\/code> \u2014 This function exports a DNSSEC key.<\/p>\n<\/li>\n
            • \n
              DNSSEC::fetch_ds_records<\/code> \u2014 This function fetches a domain\u2019s Delegation of Signing (DS) records on a domain.<\/p>\n<\/li>\n
            • \n
              DNSSEC::import_zone_key<\/code> \u2014 This function imports a DNSSEC key.<\/p>\n<\/li>\n
            • \n
              DNSSEC::remove_zone_key<\/code> \u2014 This function removes a DNSSEC key.<\/p>\n<\/li>\n
            • \n
              DNSSEC::set_nsec3<\/code> \u2014 This function configures the domain to use Next Secure Record 3 (NSEC3) semantics.<\/p>\n<\/li>\n
            • \n
              DNSSEC::unset_nsec3<\/code> \u2014 This function configures the domain to use Next Secure Record (NSEC) semantics instead of Next Secure Record 3 (NSEC3) semantics.<\/p>\n<\/li>\n<\/ul>\n
              WHM API 1 functions<\/h3>\n
              In cPanel & WHM version 86, we introduced the following DNSSEC-related WHM API 1 functions. Developers can use these functions to retrieve information or perform actions:<\/p>\n
                \n
              • activate_zone_key<\/code> \u2014 This function activates a domain\u2019s DNSSEC security key.<\/li>\n
              • add_zone_key<\/code> \u2014 This function generates a DNSSEC zone key for a domain.<\/li>\n
              • deactivate_zone_key<\/code> \u2014 This function deactivates a domain\u2019s DNSSEC security key.<\/li>\n
              • disable_dnssec_for_domains<\/code> \u2014 This function disables DNSSEC on the domain.<\/li>\n
              • enable_dnssec_for_domains<\/code> \u2014 This function enables DNSSEC on the domain.<\/li>\n
              • export_zone_key<\/code> \u2014 This function exports a DNSSEC security key to a domain.<\/li>\n
              • fetch_ds_records_for_domains<\/code> \u2014 This function fetches a domain\u2019s Delegation of Signing (DS) record.<\/li>\n
              • import_zone_key<\/code> \u2014 This function imports a DNSSEC security key.<\/li>\n
              • remove_zone_key<\/code> \u2014 This function removes a DNSSEC security key.<\/li>\n
              • set_nsec3_for_domains<\/code> \u2014 This function configures the domain to use Next Secure Record 3 (NSEC3) semantics.<\/li>\n
              • unset_nsec3_for_domains<\/code> \u2014 This function configures the domain to use Next Secure Record (NSEC) semantics instead of Next Secure Record 3 (NSEC3) semantics.<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"
                Overview In cPanel & WHM version 84, we introduced DNS Security Extensions (DNSSEC) support for PowerDNS nameservers. DNSSEC adds a layer of security to your domains\u2019 DNS records. A DNS resolver will compare the DNS server\u2019s DNSKEY record to the DS record at the registrar. If they match, then the DNS resolver knows that the …<\/p>\n","protected":false},"author":1,"featured_media":367,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/366"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=366"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/366\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/367"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}