How To Enable DNSSEC In cPanel & Your Domain Registrar

This guide shows you how to enable DNSSEC in cPanel and at your domain registrar in order to protect against man-in-the-middle attacks, cache poisoning attacks and other types of DNS forgery.

Given how the Internet presently defines every aspect of our lives, it is easy to forget that the Domain Name System (DNS) that forms its central core is held together with duct tape.

When DNS was designed in the 1980s, the Internet was much smaller and security was never a consideration as those within the network trusted each other.

The world has changed.

The advances in technology have enabled the internet to become part of the fabric of our day to day existence.

This has created opportunities for DNS exploits which include DNS spoofing/cache poisoning, DNS tunneling, DNS hijacking, NXDOMAIN attack, phantom domain attack, botnet-based CPE attack, and others.

Take a situation where a recursive resolver sends a query to an authoritative name server.

As it is now, the resolver has no way of verifying the authenticity of the response.

It can only check that the response appears to have come from the same IP address the resolver sent the original query to; it cannot easily detect a forged response to one of its queries.

An attacker can masquerade as the authoritative server and hijack the DNS lookup to send a user to a fraudulent website that distributes malware or collects personal information without the user realizing it.

The engineers in the Internet Engineering Task Force (IETF) (the organization responsible for the DNS protocol standards) knew about this weakness and set out to find a solution.

This effort resulted in what we know today as the DNS Security Extensions (DNSSEC).

DNSSEC (designed to be backward-compatible) is a set of extensions that add extra security to the DNS protocol by implementing a hierarchical digital signing policy across all layers of DNS.

One of its core functions is to serve as effective protection against DNS spoofing attacks … when implemented correctly.

Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.

Data integrity protection allows the resolver to know that the data has not been modified in transit since it was originally signed by the zone owner with the zone’s private key.

In keeping with our promise that our customers will always get access to the best and latest features that cPanel offers, we are happy to announce that you can now enable DNSSEC for your domain on all of our cPanel production servers.

We have created a detailed guide on how to do this at https://dashboard.webhostingmagic.com/knowledgebase/23/DNSSEC

When you enable it, DNSSEC adds a layer of authentication on top of your DNS, thus giving you a way to avoid all those issues that we mentioned above.

At the moment, DNSSEC is not automatic.

After creating the key in cPanel, DNSSEC needs to be specifically enabled by you, the domain name owner, at the parent zone through your registrar.

The process differs from registrar to registrar, but just as you can make other changes to a domain (such as its authoritative name servers), you can also publish the zone’s public key material as a DS record to complete the implementation of DNSSEC.

On this page, we have listed some of the most common domain registrars used by our customers who host their DNS outside our systems.

If yours is not listed, please contact your domain registrar support team for help.

BIG WARNING: DO NOT IGNORE THIS WARNING

The first question you really need to ask yourself is, should I enable DNSSEC?

The reason you need to answer this question is that enabling DNSSEC fundamentally alters the way you relate or manage your domain and DNS records.

For example, once you enable DNSSEC for your domain, you cannot change your name servers willy-nilly.

Before changing name servers, you have to disable DNSSEC and wait for at least 72 hours before making such changes.

Failure to do that may result in your domain not resolving.

Another example is when you have to transfer a domain name to another registrar or web hosting service provider.

You have to first remove the Delegation Signer (DS) records and wait for the change to propagate before initiating the transfer.

If you do not remove the old DS records from the registrar, the domains may produce DNS resolution issues due to invalid DNSSEC responses.

Now that is out of the way, below are links you may need to complete the DNSSEC enablement at your domain registrar.

Registrar / Instructions

123 Reg

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

DNSimple

Using Web Hosting Magic cPanel DNSSEC with DNSimple

domaindiscount24

DNSSEC

dotster

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

DreamHost

DNSSEC overview

In DreamHost, use 2 as the Digest Type instead of SHA256.

dynadot

How do I set up DNSSEC?

Enom

At the time of this writing, Enom’s default name servers do not support the creation of the resource records needed to build a proper DNSSEC chain of trust.

Learn more at Adding a DNSSEC to a Domain Name

gandi

DNSSEC

In gandi, make sure you select Algorithm 13 for the Algorithm dropdown.

GoDaddy

To configure a DS record with GoDaddy, perform the following steps:

  • Click Manage.
  • In the upper-right corner of the interface, select the list view.
  • Select the domain for which to create a DS record.
  • In the DS Records section of the Settings interface, click Manage.
  • Click Add DS Record.
  • Enter the DNSSEC key’s information in the text boxes and click Next. The system will validate the DS record information that you added.
  • Click Next, and then click OK.

Add a DS record

godzone

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

In the godzone web control panel, you might be able to add a DS record under the Domains tab.

Google Domains

If you’re using Google Domains name servers, you can turn on DNSSEC with one click. Follow these instructions:

  1. Sign in to Google Domains.
  2. Select the name of your domain.
  3. Open the menu
  4. Click DNS.
  5. Scroll to “DNSSEC”.
  6. Click Enable DNSSEC or Disable DNSSEC to change the domain’s setting.

When you turn on DNSSEC, it takes roughly 2 hours for DNSSEC to activate completely. When you turn it off, there’s a delay of up to 2 days before deactivation.

If you have custom name servers, you may need a third-party DNS provider to configure DNSSEC for your domain. Additionally, you must activate DNSSEC on Google Domains. Follow the instructions below:

  1. Identify the one or more DNSKEY records you have created in Web Hosting Magic cPanel for your domain.
  2. Obtain the following values:
    • Key tag: Numeric value that refers to an existing DNSKEY record.
    • Algorithm: Encryption algorithm that created the security key in the DNSKEY record. Usually paired with a hash function, as in RSA/SHA1.
    • Digest type: Algorithm used to create the digest of DNSKEY record. Also called “digest algorithm,” “digest hash,” or “digest hash function.”
    • Digest: Hashed value of the DNSKEY record that uniquely identifies it without exposing the value of the key. Depending on the digest type, the length is:
      1. SHA1 – 40 hexadecimal digits
      2. SHA256 – 64 hexadecimal digits
      3. SHA384 – 96 hexadecimal digits
  3. For each DNSKEY record, create at least one Delegation Signer (DS) resource record. Follow these steps:
    1. Sign in to Google Domains.
    2. Select the name of your domain.
    3. Open the menu.
    4. Click DNS.
    5. Scroll to “DNSSEC”.
    6. Create an entry using the values from the previous steps.
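
The four DS values listed above (key tag, algorithm, digest type, digest) are all derived from the DNSKEY record. The following added example, which is not part of the original guide or of cPanel, shows how a DS record is built from a DNSKEY line of the form "flags protocol algorithm base64key" (RFC 4034): the key tag is a 16-bit checksum of the DNSKEY RDATA, and the digest is a hash over the owner name plus that RDATA, which is why digest type 2 (SHA-256) always yields 64 hex digits, type 1 yields 40 and type 4 yields 96. The key material is a constructed placeholder, not a real key.

```python
import base64
import hashlib

# DS digest type numbers (the value registrars such as DreamHost and
# Joker.com ask for) mapped to the hash function each one names.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def parse_dnskey(presentation):
    """Turn 'flags protocol algorithm base64key' (the DNSKEY line shown in a
    DNSSEC management interface) into its wire-format RDATA bytes."""
    flags, protocol, algorithm, *key = presentation.split()
    return (int(flags).to_bytes(2, "big")
            + bytes([int(protocol), int(algorithm)])
            + base64.b64decode("".join(key)))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum of the
    RDATA taken as big-endian byte pairs."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name such as example.com."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_record(owner, dnskey_rdata, digest_type):
    """Return (key tag, algorithm, digest type, uppercase hex digest)."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(owner_wire(owner) + dnskey_rdata)   # digest covers name + RDATA
    algorithm = dnskey_rdata[3]                  # byte 3 of RDATA is the algorithm
    return key_tag(dnskey_rdata), algorithm, digest_type, h.hexdigest().upper()


# Constructed sample: a KSK (flags 257) using algorithm 13 (ECDSAP256SHA256).
# The 64-byte public key is a placeholder pattern, not a real curve point.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"257 3 13 {SAMPLE_KEY}"

if __name__ == "__main__":
    rdata = parse_dnskey(SAMPLE_DNSKEY)
    for dtype in (1, 2, 4):
        tag, alg, dt, digest = ds_record("example.com.", rdata, dtype)
        print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
```

Comparing the digest your registrar displays after you save with the one computed this way is a quick check that you pasted the right key and chose the right digest type.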

Google Cloud DNS & DNSSEC

If DNSSEC was not already enabled when the DNS zone was created, set DNSSEC to On and click Save.

Google Cloud DNS will create DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate your zone’s contents and manage them automatically.

Once this action has been performed, it is time to deal with the Registrar part.

Click on the Zone name, then Registrar Setup at the top right to view the DNSSEC resource records to update in your domain.

You will see the following values, which you need to enter at your registrar to secure the domain name:

  • Key tag: Numeric value that refers to an existing DNSKEY record or integer value that identifies the domain’s DNSSEC record.
  • Algorithm: Encryption algorithm that created the security key in the DNSKEY record.
  • Digest type: Algorithm used to create the digest of DNSKEY record.
  • Digest: Hashed value of the DNSKEY record that uniquely identifies it without exposing the value of the key.

hover

Understanding and managing DNSSEC

internet.bs

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

You might be able to add a DS record:

  • My Domains > Update DNS List > Manage DNSSEC > Enable DNSSEC

Joker.com

DNSSEC Support

In Joker.com, use 2 as the Digest Type instead of SHA256.

MarkMonitor

MarkMonitor supports Algorithm 13 and automatically uses the Extensible Provisioning Protocol (EPP) to pass DS records to the registry for the following TLDs:

.com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re

To add a DS record, enter the DS data in the DNSSEC Details panel of the MarkMonitor management portal.

Moniker

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

You might be able to add a DS record:

  • My Domains > Advanced Settings > DNSSEC > DSData

name.com

Managing DNSSEC

namecheap

To configure a DS record with NameCheap, perform the following steps:

  • Click Domain List in the left menu.
  • Select the domain for which to configure a DS record and click Manage.
  • Click Advanced DNS.
  • Set the DNSSEC toggle to on. The DS records menu will appear.
  • Click ADD NEW DS.
  • Enter the DNSSEC key’s information in the text boxes.
  • Click SAVE ALL CHANGES.

Managing DNSSEC for domains pointed to Custom DNS

OpenSRS

To configure a DS record with OpenSRS, perform the following steps:

  • Click Domains.
  • Locate the domain for which to configure a DS record and click the domain’s name.
  • Scroll down to the DNSSEC section and click Edit. The DS records menu will appear.
  • Enter the DNSSEC key’s information in the text boxes.
  • Click Save.

nameISP

How do I enable DNSSEC for my domain?

Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Web Hosting Magic cPanel account.

namesilo

DS Records (DNSSEC)

OVH

OVH supports DNSSEC with Algorithm 13 through their API. See the documentation.

OVH also supports adding the DS record via their DNS Manager.

Public Domain Registry

Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel.

This registrar might support DNSSEC for only a limited set of TLDs.

See Adding Delegation Signer (DS) Records.

register.com

Contact your registrar’s customer support and provide the DS record data you generated with Web Hosting Magic cPanel.

registro.br

DNS e DNSSEC Tutoriais (in Portuguese)

Tsohost

Contact your registrar’s customer support and provide the DS record data you generated with Web Hosting Magic cPanel.

When DNSSEC has been successfully applied to your domain, you can confirm by reviewing the WHOIS information for your domain.

Domains with DNSSEC will read “signedDelegation” in the DNSSEC field.

You can also use an online tool such as http://dnsviz.net/ or https://dnssec-analyzer.verisignlabs.com/ to validate your DNSSEC.

Published by Trax Armstrong

A figment of someone's imagination that doesn't really exist. He lives inside a sci-fi simulation, reads philosophical and metaphysical books when he is not fighting aliens that want to steal his soul & always quote Star Trek to make his points.
