This document describes how to rotate a domain's DNS Security Extensions (DNSSEC) keys on a server. Rotate your domains' DNSSEC keys regularly to improve the security of your DNS records.
- We recommend that you rotate your domain's DNSSEC keys yearly.
- If you transfer the account to another server, you must create new DNSSEC keys for the account and update the registrar with the new keys. The system does not include DNSSEC keys in an account's backup file.
  DNSSEC keys remain on a server after you terminate an account. If you restore an account on the same server from which you deleted it, the account's DNSSEC keys remain valid.
- For more information about DNSSEC key rotation, we strongly suggest that you read the RFC 6781 documentation.
Rotate the key
To rotate the DNSSEC key, perform the following steps:
- Add a new Key Signing Key (KSK) to the domain's DNS zone. To do this, run the following command:
The output will resemble the following example:
example.com represents your domain.
- Increase the DNS zone's Start of Authority (SOA) serial number.
- Review the updated zone's DNSSEC details for the Delegation Signer (DS) records that correspond to the new key. To do this, run the following command:
The output resembles the following example:
- Add a new DS record for the domain through your nameserver registrar. To do this, follow the directions in our How to Set Up Nameservers in a cPanel Environment documentation.
- Wait 24 to 48 hours for the DS record to propagate.
If you do not wait for the DS record to propagate, your domain may experience DNS resolution issues.
- Remove the domain's old KSK. To do this, run the following command:
keyid represents the old KSK's key ID. The pdnssec show-zone command's output contains the key's ID.
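Before removing the old KSK, a practitioner wants to confirm that the parent zone really publishes a DS record that matches the new KSK, since removing the old key while only the old DS is live causes exactly the resolution failures the wait step warns about. The following added example (not part of this page, cPanel or PowerDNS) computes the DS record for a DNSKEY per RFC 4034 and RFC 4509 and checks it against the DS set seen at the parent. The DNSKEY records and both parent DS sets are constructed placeholders; in practice you obtain the parent's DS set by querying the parent zone (for example `dig DS example.com`).

```python
import base64
import hashlib

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(dnskey_line):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY in presentation format."""
    owner, _cls, _rrtype, flags, proto, alg, *key_b64 = dnskey_line.split()
    rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
             + base64.b64decode("".join(key_b64)))
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()  # RFC 4509
    return key_tag(rdata), int(alg), 2, digest

def parse_ds(ds_line):
    """(key tag, algorithm, digest type, digest) from a DS record in presentation format."""
    parts = ds_line.split()
    return int(parts[3]), int(parts[4]), int(parts[5]), "".join(parts[6:]).upper()

def parent_covers_key(dnskey_line, parent_ds_lines):
    """True once the parent zone publishes a DS that matches this KSK."""
    return ds_from_dnskey(dnskey_line) in {parse_ds(l) for l in parent_ds_lines}

def ds_line(dnskey_line):
    """Render the DS record that the registrar should publish for this KSK."""
    owner = dnskey_line.split()[0]
    tag, alg, dtype, digest = ds_from_dnskey(dnskey_line)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"

# Constructed sample keys (placeholder bytes, not real key material), algorithm 13, KSK flags 257.
OLD_KSK = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x03\x04" * 32).decode()
NEW_KSK = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x01\x02" * 32).decode()
# Constructed DS sets standing in for what a DS query against the parent zone returns.
PARENT_DS_BEFORE = [ds_line(OLD_KSK)]
PARENT_DS_AFTER = PARENT_DS_BEFORE + [ds_line(NEW_KSK)]

if __name__ == "__main__":
    print("new KSK key tag:", ds_from_dnskey(NEW_KSK)[0])
    print("safe to remove old KSK before DS propagation:", parent_covers_key(NEW_KSK, PARENT_DS_BEFORE))
    print("safe to remove old KSK after DS propagation: ", parent_covers_key(NEW_KSK, PARENT_DS_AFTER))
```

Only proceed with the removal step when the check against the live parent DS set returns True for the new KSK.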