Introduction
The following procedure explains the process of enabling DNSSEC for all domains on a cPanel server.
IMPORTANT
This guide enables DNSSEC on the cPanel server first and only then instructs you to enable DNSSEC at the registrar. This order is intentional: if you enable DNSSEC at the registrar first, DNS resolution will fail for your domains.
Changes Required on the cPanel Server
1. Switch your DNS server to PowerDNS if you are not already using it
If you do not have a DNS cluster, you may use the following guide to switch to PowerDNS:
How to Switch from BIND (named) to PowerDNS (PDNS) on a cPanel Server
If you do have a DNS Cluster, you may use the following guide:
How to convert a cPanel DNS cluster to make use of PowerDNS
2. Enable DNSSEC on all of your domains
The following loop runs through all of the domains as a dry run: it prints each domain that would be altered and makes no changes. It is critical to do this dry run first to verify that the script will act on exactly the domains you intend:
cut -d":" -f1 /etc/userdatadomains | while IFS= read -r DOMAIN; do echo; echo "Enabling DNSSEC for: $DOMAIN"; echo "Dry Run - No Changes Made"; done
The following script loops through all domains on the server and runs the enable_dnssec_for_domains WHMAPI endpoint for each. This enables DNSSEC and sets up the related DNSSEC records that you'll use in the next section.
cut -d":" -f1 /etc/userdatadomains | while IFS= read -r DOMAIN; do echo; echo "Enabling DNSSEC for: $DOMAIN"; whmapi1 enable_dnssec_for_domains domain="$DOMAIN"; done
Changes Required at the Domain's Registrar
To complete the DNSSEC setup, you'll need to enable DNSSEC at the registrar, which is the company from which the domain was purchased.
We're not able to outline the entire process here because it is different for each registrar.
However, in order to configure DNSSEC at the registrar, you'll need to obtain the related DNSSEC records for each domain from your WHM server. The following guide explains this process:
How do I obtain a DS Delegation Signer Record via the Command Line?
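The ordering rule from the IMPORTANT note can be checked per domain before and after the registrar change. The script below is an added example, not cPanel code: it classifies a domain from its DNSKEY and DS answers, and the state names, the sample records (constructed) and the `--live <authoritative-ns>` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not cPanel code). Classifies DNSSEC rollout state from two
# `dig +short` answers so the registrar step is only done in the safe order.

# Constructed sample answers, not real keys or digests.
SAMPLE_DNSKEY='257 3 13 Q09OU1RSVUNURUQgU0FNUExFIEtFWSBOT1QgUkVBTA=='
SAMPLE_DS='12345 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'

# classify_dnssec_state DNSKEY_ANSWER DS_ANSWER
#   DNSKEY_ANSWER: output of `dig +short DNSKEY <domain> @<authoritative NS>`
#   DS_ANSWER:     output of `dig +short DS <domain>` (served by the parent zone)
classify_dnssec_state() {
  local dnskey="$1" ds="$2" has_key=0 has_ds=0
  # dig reports timeouts and refusals as ";;" lines; do not read them as "no record".
  if printf '%s\n%s\n' "$dnskey" "$ds" | grep -q '^;;'; then
    echo "lookup-error"; return 0
  fi
  # DNSKEY line: flags (256 or 257), protocol 3, algorithm, base64 key.
  if printf '%s\n' "$dnskey" | grep -Eq '^25[67][[:space:]]+3[[:space:]]+[0-9]+[[:space:]]'; then has_key=1; fi
  # DS line: key tag, algorithm, digest type, hex digest.
  if printf '%s\n' "$ds" | grep -Eq '^[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9A-Fa-f]+'; then has_ds=1; fi
  case "$has_key$has_ds" in
    00) echo "unsigned" ;;                  # step 2 not done yet
    10) echo "signed-awaiting-registrar" ;; # safe to add the DS at the registrar
    11) echo "complete" ;;
    01) echo "ds-without-dnskey" ;;         # the failure the IMPORTANT note warns about
  esac
}

# Live lookup for one domain. NS (hypothetical parameter) is a nameserver that is
# authoritative for the zone, for example this cPanel server.
check_domain() {
  local domain="$1" ns="$2"
  classify_dnssec_state "$(dig +short DNSKEY "$domain" @"$ns" 2>&1)" \
                        "$(dig +short DS "$domain" 2>&1)"
}

# Usage: ./dnssec_state.sh --live <authoritative-ns>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  cut -d":" -f1 /etc/userdatadomains | while IFS= read -r DOMAIN; do
    printf '%s\t%s\n' "$DOMAIN" "$(check_domain "$DOMAIN" "$2")"
  done
fi
```

Entries in /etc/userdatadomains that do not have their own zone report `unsigned`, because DNSKEY and DS records exist only at a zone apex.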
Supplementary Guides
We have created a guide that links to the documentation for enabling DNSSEC at NameCheap:
How to set up a DNSSEC Key at NameCheap
The following guide has some very useful information for troubleshooting and determining if DNSSEC is enabled on a domain:
How do I know if DNSSEC is enabled on a domain?
How to enable DNSSEC for a subdomain that has its own zone:
Enable DNSSEC for a subdomain zone