How do I configure DNSSEC for my domain?



General about DNSSEC

DNSSEC (Domain Name System Security Extensions) is a security improvement for domains that protects against tampering with your DNS data. With DNSSEC, visitors can verify that the DNS information they receive about your domain is genuine and has not been changed along the way.

In short, DNSSEC makes it much harder for hackers to redirect your traffic to a fake website.


How to create DNSSEC keys

If you have a web hosting plan with us, you can create DNSSEC keys via cPanel > Domains > Zone Editor > DNSSEC. Click “Create Key” to get started.

Standard configuration

When you click “Create” without further changes, the system will automatically create:

  • Key-Signing Key (KSK): RSA/SHA-256 (Algorithm 8), 2,048 bits
  • Zone-Signing Key (ZSK): RSA/SHA-256 (Algorithm 8), 1,024 bits

This standard setup is suitable for most users and works with the majority of domain registries.

Customized configuration

If you choose “Customize”, you can define more details yourself, such as:

  • Whether to create separate KSK/ZSK keys (“Classic”) or a combined CSK (“Simple”)
  • Choice of algorithm, e.g., ECDSA or RSA
  • Key size
  • Whether the key should be active immediately

This gives more flexibility but also requires you to know what you are doing. If in doubt, we recommend using the standard settings.

Note

If your DNS is hosted with another provider, you must first create the DNSSEC keys there and obtain their DS records before configuring DNSSEC in our system.


How to change DNSSEC keys

You can change your DNSSEC setup directly via Client Area > Domains > My Domains > Find Domain > Manage > Manage DNSSEC.

Here you can easily enter:

  • Key Tag
  • Algorithm
  • Digest Type
  • Digest

When you enter these details, they will be saved and submitted to the domain registry so DNSSEC can work correctly.

Note: It is not recommended to use Digest Type 1 (SHA-1), as it is considered outdated and insecure. Instead, use SHA-256 or newer if possible.

Also remember to deactivate any old keys after the new ones have been validated and propagated to avoid conflicts.
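The four values entered above are the fields of a DS record, so they can be checked against the zone's DNSKEY before they are submitted to the registry. The Python sketch below is an added example, not part of our system or of cPanel; it uses the key tag and digest calculations defined in RFC 4034, the function names are hypothetical, and the sample key is a constructed placeholder.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as upper-case hex."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def check_ds(owner, dnskey, tag, algorithm, digest_type, digest):
    """Return a list of problems with the DS values entered for `dnskey`."""
    flags, protocol, alg, pubkey = dnskey
    rdata = dnskey_rdata(flags, protocol, alg, pubkey)
    problems = []
    if digest_type == 1:
        problems.append("digest type 1 (SHA-1) is outdated; use SHA-256 or newer")
    if digest_type not in DIGESTS:
        return problems + [f"unsupported digest type {digest_type}"]
    if tag != key_tag(rdata):
        problems.append(f"key tag {tag} != computed {key_tag(rdata)}")
    if algorithm != alg:
        problems.append(f"algorithm {algorithm} != DNSKEY algorithm {alg}")
    if digest.replace(" ", "").upper() != ds_digest(owner, rdata, digest_type):
        problems.append("digest does not match the DNSKEY")
    return problems

# Constructed sample: KSK flags 257, protocol 3, algorithm 13 (ECDSA P-256),
# with placeholder key bytes 0..63 (not a real key).
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
```

An empty list from `check_ds` means the Key Tag, Algorithm and Digest all correspond to the DNSKEY published for that domain name.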


Rotating DNSSEC keys

For security reasons, you should rotate your DNSSEC keys regularly, typically once a year or according to your organization’s security policy. Rotation means creating new keys and registering the new information with the domain registry so that old keys cannot be misused.

The typical procedure is to create a new set of keys and activate them alongside the existing ones. After 24–48 hours of propagation, you can then remove the old keys and their DS records.

Be careful not to remove the old keys and records too early, as this may make your domain unavailable until the new configuration has fully propagated.

Testing and verification

After setting up DNSSEC, we recommend that you test to ensure everything works correctly. You can use tools such as:

These tools can help you confirm that your DS records are correctly registered and that the signatures are being validated properly.


Remember when changing name servers

If you change your domain’s name servers at some point, you must also update the DNSSEC setup. New name servers need to be aware of your DNSSEC keys, otherwise validation will fail and your domain may become unavailable until the configuration is corrected.

