This article is a guide to enabling DNSSEC on a cPanel WHM server.
Enable DNSSEC on WHM Server
To enable DNSSEC on a WHM server, follow the guide below:
Prerequisites
- Nameserver: PowerDNS enabled (WHM » Service Configuration » Nameserver Selection → PowerDNS).
- Time sync: NTP/chrony healthy.
- If using a DNS cluster, all authoritative nodes must run PowerDNS.
Enable & Configure (once per server)
- WHM » DNS Functions » DNSSEC Key Management → click Enable DNSSEC (if prompted).
- Set defaults (recommended):
  - Key Algorithm: ECDSAP256SHA256 (Algorithm 13)
  - Digest Type: 2 (SHA-256)
Sign a Domain (per zone)
- WHM » DNS Functions » DNSSEC Key Management → select the domain.
- Click Generate Keys & Sign Zone.
- Copy the DS record (Key Tag, Algorithm, Digest Type, Digest).
Publish DS at Registrar (per domain)
- In the registrar’s DNSSEC panel, add the DS exactly as shown by WHM.
- Save.
Verify
dig +dnssec example.com A @8.8.8.8
delv example.com A
- AD flag or delv “secure” ⇒ good.
- SERVFAIL after adding DS ⇒ remove DS, re-sign, re-add DS.
CLI/API (optional)
# Sign
whmapi1 enable_dnssec domain=example.com
# Show DS/keys
whmapi1 get_domain_dnssec domain=example.com
# Rollover
whmapi1 rollover_dnssec_keys domain=example.com
Key Rollover (best practice)
whmapi1 rollover_dnssec_keys domain=example.com
- Publish the new DS at the registrar.
- After TTLs pass, remove the old DS.
Common Pitfalls
- DS published before zone is signed.
- Wrong Digest Type (use 2/SHA-256 unless registrar requires otherwise).
- Mixed nameservers where some don’t serve signed zones.
- Clock skew on server.
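The DS fields copied from WHM (Key Tag, Algorithm, Digest Type, Digest) are all derived from the zone's DNSKEY, so a DS typed into the registrar panel can be checked offline before it is saved. The following is an added example, not part of the original guide or of cPanel's tooling: it recomputes the DS per RFC 4034 and reports which field disagrees. The function names are hypothetical and the sample key is constructed dummy data, not a real key.

```python
import base64
import hashlib
import struct

# Digest types used in DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA with carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def compute_ds(name, rdata, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_published_ds(name, rdata, published):
    """Compare a DS as entered at the registrar against the zone's DNSKEY."""
    tag, alg, dtype, digest = published
    if dtype not in DIGESTS:
        return "unsupported digest type"
    expected = compute_ds(name, rdata, dtype)
    got = (tag, alg, dtype, digest.replace(" ", "").upper())
    fields = ("key tag", "algorithm", "digest type", "digest")
    bad = [f for f, e, g in zip(fields, expected, got) if e != g]
    return "match" if not bad else "mismatch: " + ", ".join(bad)

# Constructed sample: KSK flags 257, protocol 3, algorithm 13, dummy 64-byte key
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = compute_ds("example.com", SAMPLE_KEY)
    print("example.com. IN DS %d %d %d %s" % ds)
    # Pitfall from the list above: SHA-256 digest submitted with Digest Type 1
    print(check_published_ds("example.com", SAMPLE_KEY, (ds[0], 13, 1, ds[3])))
```

For a live zone, pass the flags, protocol, algorithm and base64 key from the DNSKEY record that the authoritative server returns in place of the constructed sample.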
Conclusion
You now know how to enable DNSSEC on a cPanel WHM server.
