Introduction
The following procedure explains how to enable DNSSEC for all domains on a cPanel server. This guide enables DNSSEC on the cPanel side first and then instructs you to enable it at the registrar. Please note that this order is intentional. DNS resolution will fail for your domains if you enable DNSSEC at the registrar first, because validating resolvers would find a DS record at the parent zone for a zone that is not yet signed.
Procedure
- If you have not already, switch your server to use PowerDNS. The following guides can show you how to make the switch for standalone servers or servers in a DNS cluster:
How to Switch from BIND (named) to PowerDNS (PDNS) on a cPanel Server
How to convert a cPanel DNS cluster to make use of PowerDNS
- This loop performs a dry run through all of the domains on the server, printing each domain without making changes, so you can check the list before the later run. If no errors come from this command, proceed to the following step:
cut -d":" -f1 /etc/userdatadomains | while read -r DOMAIN; do echo; echo "Enabling DNSSEC for: $DOMAIN"; echo "Dry Run - No Changes Made"; done
- This follow-up loop goes through all domains on the server and runs the "enable_dnssec_for_domains" WHMAPI endpoint for each. This enables DNSSEC and sets up the related DNSSEC records to use at the registrar:
cut -d":" -f1 /etc/userdatadomains | while read -r DOMAIN; do echo; echo "Enabling DNSSEC for: $DOMAIN"; whmapi1 enable_dnssec_for_domains domain="$DOMAIN"; done
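Because publishing DS records for a zone that is not actually signed breaks resolution, it is worth confirming that each zone now serves a DNSKEY before going to the registrar. The script below is an added example, not part of the original article or of cPanel's tooling; the file name preflight.sh, the --check flag and the default server address 127.0.0.1 (assuming PowerDNS answers locally) are assumptions.

```shell
#!/bin/bash
# Added example, not cPanel's code. The --check flag, the script name and
# the default server 127.0.0.1 are assumptions chosen for illustration.

# list_domains FILE
# Print the unique names before the first ":" in a userdatadomains-style
# file, lower-cased. Entries that are not plain hostnames (wildcards, stray
# whitespace, shell metacharacters) are dropped so they never reach whmapi1.
list_domains() {
    cut -d: -f1 "$1" | tr '[:upper:]' '[:lower:]' | sort -u |
        grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$'
}

# has_ksk
# Read `dig +short DNSKEY` output on stdin; succeed only if a key with
# flags 257 (the key a DS record refers to) is present.
has_ksk() {
    grep -Eq '^257[[:space:]]+3[[:space:]]+[0-9]+[[:space:]]'
}

# preflight FILE SERVER
# Ask SERVER (the authoritative PowerDNS instance) for the DNSKEY set of
# every listed domain. Returns non-zero if any zone is not signed yet.
preflight() {
    local file="$1" server="$2" domain rc=0
    # Safe to word-split: list_domains only emits validated hostnames.
    for domain in $(list_domains "$file"); do
        if dig +short +norec DNSKEY "$domain" "@$server" | has_ksk; then
            echo "signed    $domain"
        else
            echo "UNSIGNED  $domain  (do not publish a DS record yet)"
            rc=1
        fi
    done
    return "$rc"
}

# Runs only when asked:
#   bash preflight.sh --check /etc/userdatadomains 127.0.0.1
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-/etc/userdatadomains}" "${3:-127.0.0.1}"
fi
```

A name that is not the apex of its own zone, such as a subdomain served from its parent zone, has no DNSKEY set of its own and is reported as UNSIGNED.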
To complete the DNSSEC setup, you'll need to enable DNSSEC at the registrar, which is the company from which the domain was purchased. We're unable to outline the entire process here because it is different for each registrar. However, to configure DNSSEC at any registrar, you'll need the related DNSSEC records for each domain from your WHM server. The following guide explains this process:
How do I obtain a DS Delegation Signer Record via the Command Line?
Additional Information
How to set up a DNSSEC Key at NameCheap
How do I know if DNSSEC is enabled on a domain?
Enable DNSSEC for a subdomain zone