cPanel now supports DNS Security Extensions (DNSSEC) with PowerDNS. DNSSEC cryptographically signs the records in your zone so that validating resolvers can verify that an answer came from your authoritative nameservers and was not altered in transit, which protects visitors from DNS cache poisoning, spoofing, and similar man-in-the-middle (MITM) attacks. Note that DNSSEC authenticates DNS data; it does not encrypt DNS traffic. It’s worth the time to configure if your top-level domain (TLD), domain registrar, and nameserver software (here, PowerDNS) support DS records.
InMotion Hosting supports DNSSEC on cPanel-managed VPS and dedicated hosting plans using the PowerDNS software. Below we cover how to enable DNSSEC on cPanel servers using WebHost Manager (WHM), cPanel, and Account Management Panel (AMP).
Create a snapshot in AMP before continuing in case anything goes wrong.
Create Custom Nameservers
You’ll need to create custom authoritative nameservers for your domain first.
- Log into WHM as root.
- Check if you have a free IP address. A free IP appears as a row showing only an IP address, with no domain or nameserver assigned to it.
If you need a free dedicated IP, request one via AMP stating you wish to enable DNSSEC.
- Create custom nameservers using a free dedicated IP.
- In AMP, change your domain nameservers in the Point your domain section as well as the custom nameservers.
- When adding the custom nameservers in WHM, click Configure Address Records, type the new IP in the pop-up screen, and click Configure Address Records again to confirm. After you add the custom nameservers in WHM, you should be prompted with “This system has # free IP.”
You’ll need to request a new IP address if you get an error stating This system has no free IPs.
Contact our 24/7 Live Support before continuing if you’re concerned about anything on your server not working with PowerDNS or without DNS clustering.
- Log in to WHM as root.
- On the left, select Nameserver Selection.
- Select PowerDNS and Save.
- On the left, select DNS Cluster.
- Click Disable DNS clustering.
- (Optional) On the left, select Tweak Settings. Enable cPanel & WHM API Shell (for developers). Then on the left, select API Shell and type installed_versions beside v1. Click Submit and search for “powerdns” to ensure it’s installed.
Create DNSSEC Key and DS Record in cPanel
- Log into the cPanel account that needs DNSSEC.
- Click Zone Editor.
- Click DNSSEC beside the domain.
- Click CREATE KEY.
- Click CUSTOMIZE.
- Select ECDSA Curve P-256 with SHA-256 (algorithm 13) or ECDSA Curve P-384 with SHA-384 (algorithm 14). These are the strongest cryptographic algorithms supported by OpenSRS for DNSSEC-eligible TLDs; both are elliptic-curve algorithms (RFC 6605) that produce much smaller keys and signatures than RSA. Leave Key Setup as Classic and Status as Active.
Remember this guide is tailored to InMotion Hosting customers with a domain registered through OpenSRS. If you’re using another domain registrar, you need to ask them if they support DNSSEC and, if so, what cryptographic algorithms they support.
- Click CREATE.
- Click GO BACK.
- Click VIEW DS RECORDS to see the key tag, algorithm, and the digests available for your domain’s key – SHA-1 (digest type 1), SHA-256 (digest type 2), and SHA-384 (digest type 4).
Update DNS Records
After creating the DNSSEC key, you’ll need to contact our Live Support (or your domain registrar) with the Key Tag, Algorithm, Digest Type, and Digest exactly as shown on the DS records screen; the registrar publishes this DS record in the parent (TLD) zone, which is what links the chain of trust to your key.
We recommend digest type 2 (SHA-256) or digest type 4 (SHA-384). Do not submit the SHA-1 digest (digest type 1): RFC 8624 deprecates SHA-1 for new DS records, and a SHA-256 or SHA-384 digest is supported everywhere you are likely to need it.
Inputting DNSSEC records incorrectly may cause website downtime.
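Because a mistyped DS record takes the domain offline for every validating resolver, it is worth regenerating the DS record yourself from the DNSKEY your server actually publishes and comparing it with what the registrar shows. The following is an added example for this guide, not cPanel, PowerDNS, or InMotion Hosting code; it implements the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) calculations in Python and checks a published DS string against a DNSKEY. The DNSKEY used here is constructed (its 64-byte public key is just the bytes 1..64) and is not a real key; in practice you would paste the DNSKEY line from the cPanel DNSSEC screen or from `dig DNSKEY your-domain.com`, and the DS string the registrar reports.

```python
import base64
import hashlib

# Added example (not cPanel, PowerDNS or InMotion Hosting code): regenerate the
# DS record for a DNSKEY as RFC 4034 defines it, so the Key Tag / Algorithm /
# Digest Type / Digest shown by cPanel can be cross-checked against what the
# registrar actually published in the parent zone.

# DS digest types from the IANA registry. SHA-1 (type 1) is listed only so that
# an already-published record can be recognised; RFC 8624 says it must not be
# used for new delegations, so ds_record() refuses to generate it.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label (RFC 4034 section 6.2)."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels if l)
    return wire + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Turn the presentation form 'flags protocol algorithm base64key' (what dig
    and the cPanel DNSSEC screen show) into DNSKEY RDATA bytes."""
    flags, protocol, algorithm, *key = presentation.split()
    pubkey = base64.b64decode("".join(key))  # the key may be line-wrapped
    return (int(flags).to_bytes(2, "big")
            + bytes([int(protocol), int(algorithm)])
            + pubkey)


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA, RFC 4034 Appendix B (all algorithms
    other than the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey: str, digest_type: int = 2) -> str:
    """Return 'keytag algorithm digesttype DIGEST' for the given DNSKEY.
    The digest is hash(canonical owner name || DNSKEY RDATA)."""
    if digest_type == 1:
        raise ValueError("SHA-1 DS digests are deprecated (RFC 8624); use 2 or 4")
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown DS digest type {digest_type}")
    rdata = dnskey_rdata(dnskey)
    algorithm = rdata[3]
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


def ds_matches(owner: str, dnskey: str, published_ds: str) -> bool:
    """Check a DS record as reported by the registrar (or returned by
    'dig DS owner') against the DNSKEY actually served. Hex case and any
    whitespace inside the digest are ignored, since registrar forms vary."""
    tag, alg, dtype, *digest = published_ds.split()
    dtype = int(dtype)
    if dtype not in DIGEST_TYPES:
        return False
    rdata = dnskey_rdata(dnskey)
    expected = DIGEST_TYPES[dtype](name_to_wire(owner) + rdata).hexdigest()
    return (int(tag) == key_tag(rdata)
            and int(alg) == rdata[3]
            and "".join(digest).lower() == expected)


# Constructed sample: a KSK (flags 257) for algorithm 13 whose 64-byte public
# key is just the bytes 1..64. It is not a real key; it only exercises the code.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    for dtype in (2, 4):
        print(ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY, dtype))
```

Run it with the real DNSKEY and owner name and the four fields it prints should match the cPanel DS records screen field for field; after the registrar has published the record, feed the DS line from `dig DS your-domain.com` into ds_matches() to confirm the parent zone points at the key your nameservers serve.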
Once the registrar has published the DS record, validation should start working within 10 minutes, but it may take up to 2 hours depending on the parent zone’s TTLs. There are a few ways to ensure DNSSEC is working properly:
• Check your domain at DNSViz.net. Every node in the chain from the root down to your zone should show a status of Secure on the left; any Bogus or Insecure status indicates a broken or missing link (typically a DS record that does not match the published DNSKEY).
• Check DNSSEC-Analyzer.VeriSignLabs.com. Every check should pass, with no errors or warnings.
• Verify DNSSEC in SSH with the dig command. First confirm that your own authoritative nameserver is serving signed data (replace ns1.your-domain.com with one of your custom nameservers):
dig +dnssec @ns1.your-domain.com your-domain.com DNSKEY
The answer section should contain DNSKEY records together with RRSIG records covering them. Then query through a validating public resolver such as 1.1.1.1 or 8.8.8.8:
dig +dnssec @1.1.1.1 your-domain.com A
Look for the ad (authenticated data) flag in the “flags:” line of the response; it means the resolver validated the full chain of trust. If ad is missing, or the resolver returns SERVFAIL while a query with +cd still answers, the DS record at the registrar does not match the DNSKEY your nameservers serve. Query a specific record type rather than ANY, since many servers refuse or minimize ANY queries.
Do you want DNSSEC with BIND? Upvote the cPanel thread to let them know. Any other questions about DNSSEC? Let us know below.