The following procedure explains the process of enabling DNSSEC for all domains on a cPanel server.
This guide starts with the process of enabling DNSSEC on the cPanel side of things first and then instructs you to enable DNSSEC at the registrar afterward. This order is intentional because DNS resolution will fail for your domains if you enable DNSSEC at the registrar first.
Changes Required on the cPanel Server
1. Switch your DNS server to PowerDNS if you are not already using PowerDNS
If you do not have a DNS cluster, you may use the following guide to switch to PowerDNS:
If you do have a DNS Cluster, you may use the following guide:
2. Enable DNSSEC on all of your domains
The following loop will run through all of the domains and just print a dry run so that you can verify which domains would be altered. It is critical to do this dry run to verify that the script will do what you actually want it to do:
cut -d":" -f1 /etc/userdatadomains | while read DOMAIN;do echo;echo "Enabling DNSSEC for: $DOMAIN"; echo "Dry Run - No Changes Made" ;done
The following script loops through all domains on the server and runs the enable_dnssec_for_domains WHMAPI endpoint for each. This enables DNSSEC and sets up the related DNSSEC records that you'll use in the next section.
cut -d":" -f1 /etc/userdatadomains | while read DOMAIN;do echo;echo "Enabling DNSSEC for: $DOMAIN"; whmapi1 enable_dnssec_for_domains domain=$DOMAIN ;done
Changes Required at the Domain's Registrar
In order to complete the DNSSEC setup, you'll need to enable DNSSEC at the registrar which is the company from which the domain was purchased.
We're not able to outline the entire process here because it is different for each registrar.
However, in order to configure DNSSEC at the registrar, you'll need to obtain the related DNSSEC records for each domain from your WHM server. The following guide explains this process:
We have created a guide that links to the Documentation for enabling DNSSEC at NameCheap here:
The following guide has some very useful information for troubleshooting and determining if DNSSEC is enabled on a domain:
How to enable DNSSEC for a subdomain that has its own zone: