cPanel/WHM supports DNSSEC for servers running PowerDNS. This guide covers enabling DNSSEC at the server level and for individual domains.
WHM Server Configuration
Enable PowerDNS
In WHM, go to Server Configuration → DNS Server Selection. Select PowerDNS and save. The server will restart DNS services.
Configure DNSSEC Settings
Navigate to Service Configuration → PowerDNS. Enable DNSSEC support and configure algorithm preferences (ECDSAP256SHA256 recommended).
Enable Per-Domain DNSSEC
Go to DNS Functions → DNSSEC. Select the domain and click "Enable DNSSEC". WHM generates keys and signs the zone.
Getting DS Records
After enabling DNSSEC for a domain in WHM:
- Go to DNS Functions → DNSSEC
- Select the domain
- Click "View DS Records"
- WHM displays the DS record details to submit to the registrar
Registrar DS Submission
Submit the DS record at the domain registrar. This step varies by registrar, but most registrars require the Key Tag, Algorithm, Digest Type, and Digest hash.
Key Management
cPanel manages DNSSEC keys automatically, but administrators should understand:
- ZSK Rollover: Automatic or manual rotation of zone-signing keys
- KSK Rollover: Requires updating DS at registrar; plan carefully
- Key Export: Backup keys before server migrations
Troubleshooting cPanel DNSSEC
DNSSEC Option Not Available
- Verify PowerDNS is the active DNS server
- cPanel version must be 78 or higher
- Check WHM → Server Information for version
Zone Signing Fails
- Check zone file for syntax errors
- Verify disk space for key storage
- Review /var/log/messages for PowerDNS errors