---
title: "DNSSEC in cPanel Managed Servers for Better Security"
description: "cPanel now supports DNS security extensions (DNSSEC) with PowerDNS. DNSSEC signs the DNS path for authentication to protect visitors from DNS spoofing and other man-in-the-middle (MITM) attacks. It's..."
url: https://www.inmotionhosting.com/support/product-guides/vps-hosting/dnssec-managed-vps-dedicated/
date: 2019-12-09
modified: 2024-11-14
author: "InMotion Hosting Contributor"
categories: ["VPS Hosting"]
type: post
lang: en
---

# DNSSEC in cPanel Managed Servers for Better Security

![DNSSEC in cPanel Server](https://www.inmotionhosting.com/support/wp-content/uploads/2019/12/canva-dnssec-cpanel-1024x538.jpg)

cPanel now supports DNS security extensions (DNSSEC) with PowerDNS. DNSSEC signs the DNS path for authentication to protect visitors from DNS spoofing and other man-in-the-middle (MITM) attacks. It’s worth the time to configure if your top-level domain (TLD), domain registrar, and web server support DS records. You can check to see if your TLD supports DNSSEC from your registrar or online sources such as [DNSsecReady.net](https://dnssecready.net).

InMotion Hosting supports DNSSEC on [cPanel-Managed VPS Hosting](https://www.inmotionhosting.com/managed-vps-hosting?utm_source=supportcenter&utm_medium=link&utm_campaign=supportcenter) and dedicated hosting plans using the PowerDNS software. Below we cover how to enable DNSSEC on cPanel servers using WebHost Manager (WHM), cPanel, and Account Management Panel (AMP).

[Users on Shared Hosting plans can enable DNSSEC with Cloudflare.](https://www.inmotionhosting.com/support/edu/cpanel/enable-dnssec-cloudflare/)

- [Create Custom Nameservers](#nameservers)
  - [Install PowerDNS](#software)
- [Create DS Record in cPanel](#ds)
  - [Update and Check DNS Records](#update)

Create a snapshot in AMP before continuing in case anything goes wrong.

## Create Custom Nameservers

You’ll need to create custom, authoritative, nameservers for your domain first.

1. [Log into WHM](https://www.inmotionhosting.com/support/edu/whm/log-into-whm/#whm-root-access) as root.
2. Check if you have a free IP address from the **Show IP Address Usage** tool. You should have a row with only an IP address.If you need a free dedicated IP, request one via AMP stating you wish to enable DNSSEC.
3. [Create custom nameservers](https://www.inmotionhosting.com/support/amp/how-to-add-custom-name-servers-in-amp/) using a free dedicated IP.
4. In AMP, change your domain nameservers in the Point your domain section as well as the custom nameservers.
5. When adding the custom nameservers in WHM, click **Configure Address Records**, type the new IP in the pop-up screen, and click **Configure Address Records**. After you add the custom nameservers in WHM, you should be prompted with “*This system has # free IP*.”You’ll need to request a new IP address if you get an error stating *This system has no free IPs*.

### Install PowerDNS

Contact our 24/7 Live Support before continuing if you’re concerned about anything on your server not working with PowerDNS or without DNS clustering.

1. Log in to WHM as root.
2. On the left, select **Nameserver Selection**.
3. Select **PowerDNS** and **Save**.
4. On the left, select **DNS Cluster**.
5. Click **Disable DNS clustering**.
6. (Optional) On the left, select Tweak Settings. Enable **cPanel & WHM API Shell (for developers)**. Then on the left, select **API Shell** and type *installed_versions* beside v1. Click **Submit** and search for “powerdns” to ensure it’s installed.

## Create DS Record in cPanel

[![cPanel DNSSEC options](https://www.inmotionhosting.com/support/wp-content/uploads/2020/08/cpanel-dnssec-708x1024.png)](https://www.inmotionhosting.com/support/wp-content/uploads/2020/08/cpanel-dnssec.png)

1. [Log into the cPanel account that needs DNSSEC](https://www.inmotionhosting.com/support/product-guides/vps-hosting/list-accounts/).
2. Click **Zone Editor**.
3. Click **DNSSEC** beside the domain.
4. Click **CREATE KEY**.
5. Click **CUSTOMIZE**.
6. Select **ECDSA Curve P-256 with SHA-256 (algorithm 13)** or **ECDSA Curve P-384 with SHA-384 (Algorithm 14)**. These are the strongest cryptographic algorithms supported by OpenSRS for DNSSEC-eligible TLDs. Leave *Key Setup* as *Classic* and *Status* as *Active*.Remember this guide is tailored to InMotion Hosting customers with a domain registered through OpenSRS. If you’re using another domain registrar, you need to ask them if they support DNSSEC and, if so, what cryptographic algorithms they support.
7. Click **CREATE**.
8. Click **GO BACK**.
9. Click **VIEW DS RECORDS** to see the digests available – *SHA-1, SHA-256, and SHA-384* – for your domain, key tag, and algorithm.

### Update and Check DNS Records

After creating the DS record, you’ll need to contact our Live Support (or your domain registrar) with the Key Tag, Algorithm Type, and strongest supported Digest Type with Digest.

We recommend using the SHA-256 (Algorithm 2) or SHA-384 (Algorithm 4) digest type and digest.

Inputting DNSSEC records incorrectly may cause website downtime.

DNSSEC verification should complete within 10 minutes, but it may take up to 2 hours. There are a few ways to ensure DNSSEC is working properly:

• Check your domain DNS key at DNSViz.net. You should only see **Secure** on the left.
• Check DNSSEC-Analyzer.VeriSignLabs.com. You should see all checks.
• Verify DNSSEC in a command-line interface (CLI) with the dig command: `dig +dnssec @your-domain.com ANY your-domain.com`

Do you want DNSSEC with BIND? Upvote related threads in Features.cPanel.net to let them know. Any other questions about DNSSEC? Let us know below.

Learn more about DNS management from our Managed VPS Hosting Product Guide.
