Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
stylenone

Overview

This document describes how to rotate a domain's DNS Security Extensions (DNSSEC) keys on a server. You can rotate your domains' DNSSEC keys regularly to increase your DNS record's security.

Warning
titleImportant:
  • We recommend that you rotate your domain's DNSSEC keys yearly.
  • If you transfer the account to another server, you must create new DNSSEC keys for the account and update the registrar with the new keys. The system does not include DNSSEC keys in an account’s backup file. 
  • DNSSEC keys remain on a server after you terminate an account. If you restore an account on the same server from which you deleted it, the account’s DNSSEC keys remain valid.

  • For more information about DNSSEC key rotation, we strongly suggest that you read the RFC 6781 documentation.


Localtab Group


Localtab
activetrue
titlecPanel & WHM version 76 and later (PowerDNS 4.1)

Rotate the key

To rotate the DNSSEC key, perform the following steps:

  1. Add a new Key Sign Key (KSK) to the domain's DNS zone. To do this, run the following command:

    Code Block
    languagetext
    pdnsutil add-zone-key example.com ksk active 2048 rsasha512

    The output will resemble the following example:

    Code Block
    languagetext
    Jun 29 15:22:35 [bindbackend] Done parsing domains, 3 rejected, 8 new, 0 removed
    Added a KSK with algorithm = 10, active=1
    Requested specific key size of 2048 bits


    Note
    titleNote:

    example.com represents your domain. 


  2. Increase the DNS zone's Start of Authority (SOA) serial number. To do this, run the following command:

    Code Block
    languagetext
    grep "Serial Number" /var/named/example.com.db| sed -e 's/^\s*//' -e '/^$/d' | cut -d';' -f1
    ## The system will output the serial number. The serial number is 1234567890 in this example.
    ## Then, increment the serial number by one.
    whmapi1 editzonerecord domain=example.com type=SOA serial=1234567890x line=5

    For more information on SOA records, read the Edit DNS Zone documentation.

  3. Review the updated zone's DNSSEC details for the Domain Server (DS) records that correspond to the new key. To do this, run the following command:

    Code Block
    languagetext
    pdnsutil show-zone example.com

    Thie output resembles the following example:

    Expand
    titleClick to view...


    Code Block
    languagetext
    linenumberstrue
    Added a KSK with algorithm = 8, active=1
    Requested specific key size of 2048 bits
    Zone has NARROW hashed NSEC3 semantics, configuration: 1 0 7 9827d1a1a467a387
    keys:
    ID = 1 (KSK), tag = 41686, algo = 8, bits = 2048	Active: 1 ( RSASHA256 )
    KSK DNSKEY = example.com IN DNSKEY 257 3 8 AwEAAa2vycAp3tqgqxXP8Q7TYlWGgUzLMPG/e/zzH3feFA1y1JbXKo0tlM/D6HG+aKrEBottuVIzmtIQcCBhxbDo69MrZ+OsUb1Elbf3ryEKrECRZegG1hjVfR82DDVJFoNYKZPsPSlmLOdbCze+2/liv954U7UayN0Bt1TiYtX9mXJEltkVODaxm4xnr+T49aKN3cC2htZ2Kv+wsmEEgfF403uGx08yvBYaEFj4Um7+Ll1JE/I8R2piwzCxBWkZv1ioDNxKxvS90A5E/GDDRc/91VJeQDKSj412dA/810W6bEhAfXf5EzJT/Usdo+Xo93sf+pM1muFb85ha4VvRFXVJ7nc= ; ( RSASHA256 )
    DS = example.com IN DS 41686 8 1 cc2bbc84733abfea5c1c06e42536e56f947eec6f ; ( SHA1 digest )
    DS = example.com IN DS 41686 8 2 09ffb322a1697230a8a7b86301f8a80540ed1c78210778fe863f25c08cdfc6c6 ; ( SHA256 digest )
    DS = example.com IN DS 41686 8 4 c179cd343402e979cd48638c91d011b0cf5866e8e63d76a15da22597a59f650d36917de1dec35c5a269dd6e7a632cc99 ; ( SHA-384 digest )
    
    ID = 3 (KSK), tag = 31361, algo = 8, bits = 2048	Active: 1 ( RSASHA256 )
    KSK DNSKEY = example.com IN DNSKEY 257 3 8 AwEAAdNQ2mk+pMUeDi/vXwEHrptEQHe4wbkEg7xB/V20sFunPX+gcaW5HiFnrcr/5/SAyqlFaQI17u9Revy0pVToSnNPCr3uNA2kt0F/9KqOC5kX8trMKKZlCAf4tbiLoecNpqpPWcCU6/ttGBCaatmor0lTrPD4DElh0/0sb2/2gIdRz1nw/07jTerLGrj6y/1gb7m140K8fZbFQ7HKIUqlzrWqKQVzCQz5oW0dHiok7yK1Z8mj5Mci4Gwl9flsbtjaos0NWKh+N8S2bTfALRT8ucQiZYzYdlRB8UCeXoavYU75kShbNesNBBkmo7hc3R1CdP7TMjDE8f7f30ky8pKvYn0= ; ( RSASHA256 )
    DS = example.com IN DS 31361 8 1 0741f7349684a39004e2b0b431a04b4e44f5dc69 ; ( SHA1 digest )
    DS = example.com IN DS 31361 8 2 b0cfc8e92dfe77686542032051a1150173075d485fa77656309baefdcbe807b1 ; ( SHA256 digest )
    DS = example.com IN DS 31361 8 4 7fdae2e7fb53b4444dde36854cb91a5f03607b30f716e9c28ffb7fc25ee92e7b872cbf697a936a08a637ccb73951a1a9 ; ( SHA-384 digest )
    
    ID = 2 (ZSK), tag = 39844, algo = 8, bits = 1024	Active: 1 ( RSASHA256 )



  4. Add a new DS record for the domain through your nameserver registrar. To do this, follow the directions in our How to Set Up Nameservers in a cPanel Environment documentation.
  5. Wait 24 to 48 hours for the DS record to propagate.

    Warning
    titleWarning:

    If you do not wait for the DS record to propagate, your domain may experience DNS resolution issues.


  6. Remove the domain's old KSK. To do this, run the following command:

    Code Block
    languagetext
    pdnsutil remove-zone-key example.com key-id


    Note
    titleNote:

    keyid represents the old KSK's key ID. The pdnssec show-zone command's output contains the key's ID.



Localtab
titlecPanel & WHM version 60 through 74 (PowerDNS 3.0 to 4.0)

Rotate the key

To rotate the DNSSEC key, perform the following steps:

  1. Add a new Key Sign Key (KSK) to the domain's DNS zone. To do this, run the following command:

    Code Block
    languagetext
    pdnssec add-zone-key example.com ksk 2048 active

    The output will resemble the following example:

    Code Block
    languagetext
    Added a KSK with algorithm = 8, active=1
    Requested specific key size of 2048 bits


    Note
    titleNote:

    example.com represents your domain. 


  2. Increase the DNS zone's Start of Authority (SOA) serial number. To do this, run the following command:

    Code Block
    languagetext
    grep "Serial Number" /var/named/example.com.db| sed -e 's/^\s*//' -e '/^$/d' | cut -d';' -f1
    ## The system will output the serial number. The serial number is 1234567890 in this example.
    ## Then, increment the serial number by one.
    whmapi1 editzonerecord domain=example.com type=SOA serial=1234567890x line=5

    For more information on SOA records, read the Edit DNS Zone documentation.

  3. Review the updated zone's DNSSEC details for the Domain Server (DS) records that correspond to the new key. To do this, run the following command:

    Code Block
    languagetext
    pdnssec show-zone example.com

    Thie output resembles the following example:

    Expand
    titleClick to view...


    Code Block
    languagetext
    linenumberstrue
    Jun 29 15:32:56 [bindbackend] Done parsing domains, 0 rejected, 8 new, 0 removed
    Zone is not presigned
    Zone has NSEC semantics
    keys: 
    ID = 2 (KSK), tag = 65017, algo = 8, bits = 2048	Active: 1 ( RSASHA256 ) 
    KSK DNSKEY = example.com IN DNSKEY 257 3 8 AwEAAcvy22Lte30KEn2ZJ/+TIdvmIKM8m2TzIlKlV3zB8OGi8UEixkowAwvefbRaxlMmbqmUJE2Gn6rjNPoJBANjAaf8DkchdDIfyyfVJKKjuqAb5hr8hW4BcapZquiRmpXinVHLmQmAxt1rGAo5zdIwpntk3fjsPnEC/dGCJeWzVrUTkX9ucYJRG+4yE9xEzMyx89Vnwn+UWBdoQejtthm6IqNC5ilPQDrfTi/cj//5LTXUNGxs8329qgGtQP9uUf0SOaf3PUIWux2n7b1IRKqZ7cN9EAQCU0ye2D38xqpegsM726lzK//QOuj66I9p+c6l5owKzTMPWsbVKqmx5SEJAYc= ; ( RSASHA256 )
    DS = example.com IN DS 65017 8 1 4b3114ef11b7c329703b986bf0a1eae971f37257 ; ( SHA1 digest )
    DS = example.com IN DS 65017 8 2 d6b31f08f67486dbf7dafac825f180f3907b1b9bf55481b028c2a67ea3a2e38c ; ( SHA256 digest )
    DS = example.com IN DS 65017 8 4 97bf836b64506d7dc9cea16ae8ac512c76eecf35f2260c5296d816ca45927a5b69beb66c2e98007e48fc957a85f29684 ; ( SHA-384 digest )
    
    ID = 3 (KSK), tag = 33926, algo = 8, bits = 2048	Active: 1 ( RSASHA256 ) 
    KSK DNSKEY = example.com IN DNSKEY 257 3 8 AwEAAYV+hR7YDw6hfEPh1DHKmycHmQKB4P0JuIVd/eNAu2Q40jbPkxsBUYUcviZDdGcIYgO7Giu7lGePytebMDBAk9y46saAaTh4RK8cu4sN2sefx+rBj3CZB9lVU5KmePQHYDVlompP/Gh+pmCcBGKhzMwwK9QXz+FG4Yn3AJSQfzsEUKxRhoTIhxFmbraG4Zuf6iBj1D7VPFJBJc6TsfJZvC1nMaN2MQSphwrOdIVVCBJYUNy8VzbflAv/ItpTBBH0BXhyNcADEIFwp0R53v4KxWb483Hb5SOaLjdUFQ4RBQ21Lly1MKVuq3xH1dXdqT1N6IIBKlZpMgjaNfDLw4d36K0= ; ( RSASHA256 )
    DS = example.com IN DS 33926 8 1 1687f21b62f9ea9a140048060b4f469ded1e5276 ; ( SHA1 digest )
    DS = example.com IN DS 33926 8 2 260765a78971aea6ca50504403efcb45a1dcad45d00ceba07bef3ed1ca954592 ; ( SHA256 digest )
    DS = example.com IN DS 33926 8 4 72939651d3df84b85861213fe2c26293b081a518cf6431ddc0e21a9e30fc683166305697e6fe8fc7427db0eb5f4057bf ; ( SHA-384 digest )



  4. Add a new DS record for the domain through your nameserver registrar. To do this, follow the directions in our How to Set Up Nameservers in a cPanel Environment documentation.
  5. Wait 24 to 48 hours for the DS record to propagate.

    Warning
    titleWarning:

    If you do not wait for the DS record to propagate, your domain may experience DNS resolution issues.


  6. Remove the domain's old KSK. To do this, run the following command:

    Code Block
    languagetext
    pdnssec remove-zone-key example.com key-id


    Note
    titleNote:

    keyid represents the old KSK's key ID. The pdnssec show-zone command's output contains the key's ID.



Additional documentation

Localtab Group


Localtab
activetrue
titleSuggested documentation

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("dns","dnssec") and label = "whm" and space = currentSpace()


Localtab
titleFor cPanel users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("dns","dnssec") and label = "cpanel" and space in (currentSpace(),"DOC")


Localtab
titleFor WHM users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("dns","dnssec") and label = "whm" and space in (currentSpace(),"ALD")


Localtab
titleFor developers

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("dns","dnssec") and space = "DD"