
DNSSEC

DNSSEC uses public-key cryptography to sign DNS records with private keys and verify them with public keys, ensuring DNS data integrity and authenticity.

Introduction

Domain Name System Security Extensions (DNSSEC) is the usage of public-key cryptography to do two things:

  •  Let DNS servers sign records with a private key
  •  Allow DNS resolvers to verify the signatures with a public key

Authenticating DNS records ensures that DNS resolvers and the applications that rely on them are not trafficking in forged or manipulated DNS records. This is accomplished by digitally signing all responses from DNSSEC-protected resolvers so that they can be verified against the records published by the DNS zone owner and served by an authoritative DNS server.

DNSSEC Records

This article discusses DNSSEC in the context of PowerDNS on cPanel/WHM 60+.

According to PowerDNS’s documentation, the version installed for cPanel/WHM creates the following default keys when instructed to set up DNSSEC for a DNS zone:

3 x RSASHA256 (algorithm 8) keys, consisting of:

  • 2 active Zone Signing Keys (ZSKs) of 1024 bits
  • 1 Key Signing Key (KSK) of 2048 bits

Zone signing keys and key signing keys

Zone signing keys (ZSKs) and key signing keys (KSKs) are also known by their DNS resource record name DNSKEY. They have the following properties:

  • ZSKs are used to sign the records in a DNS zone (e.g. A, CNAME, MX, etc.). In PowerDNS, only 1 ZSK is “active” and the other is passive. ZSKs carry the flags value 256.
  • KSKs are used to sign the DNSKEY records themselves. KSKs carry the flags value 257.

You can query DNSKEY records for a domain using dig:

dig dnssechelp.com +short DNSKEY

;; ANSWER SECTION:
dnssechelp.com. 294 IN DNSKEY 256 3 8 AwEAAdbU62GnEpt9V8lGbLrLgCdli9H0Num/Efwvz1mT0LAkKUkj3dpV Vt87tdMEzM2YIDvM1ZwaTQgyNwxQxiRPazJq/XCzeM1KICk7TZfGHRkJ oIT0LmYiZSYqArAQdPWGFhws9UHfp32qUiVKgDGTy6sO9Iog3aoZ8cMD UK56Fwz3

dnssechelp.com. 294 IN DNSKEY 257 3 8 AwEAAbXsdDxo9p0/gJLBXZqjt9FnytzMGFXz2Zdw3AHv0tCW0yhton4Q 3nQjKRIA/u30wGj3g4CHE9e3iubCEOTiQd/d9O469UBaa5Zmo5eHbwRt 8eSwvfSkgCkdXJ5m/1RB6lqNtSJwVKl8HClJi4w3euum+KANsIYhnvaf nBTWZUvhJJ9cSER78uF2hJ+Dh1h6nMgghUpQDZNjNY8mZ5AG4R0PHMAn I5ccKM/kOCnVKpYAruKN6WcFIOgE+aeetf7l8OnxiRv1FQ/iyFCXtJ6/ 006C0tnqFJZGBZ8r4xwrescuaAs2eafM16bDPEE43r4/JzUxg1vpTUPy WaxKTT8Nhe8=

The 256 record is the ZSK, and the 257 record is the KSK.

Resource signature records

The DNSSEC signatures that the active ZSK attaches to individual DNS records are called resource signature records (RRSIG). DNS resolvers verify RRSIG records with the public key stored in the DNSKEY record.

RRSIG resource records can also be queried using dig:

dig dnssechelp.com +dnssec

;; ANSWER SECTION:
dnssechelp.com. 300 IN A 67.227.154.224
dnssechelp.com. 300 IN RRSIG A 8 2 300 20171130000000 20171109000000 48381 dnssechelp.com. cubvAOHu96ItvAH1rTZ+1cHIHkZBJ5vkP9lOSMgtac7Z9K9pJXS3TgvJ Qzj6maGzsT/Qns8+eW8M5JTTyjWJBs13lVeGNcgjNyCNEu0FkkUK9HRW ctsf1msGsMTjgKYJWQfplQ+PSsoyPr7EMtnxqg8c4RoSXcng4VLOWb4i W6k=

The last record is the RRSIG record for “dnssechelp.com”.

Delegation signer record

The delegation signer (DS) record contains a cryptographic hash of a KSK. This record is propagated to the top-level (TLD) domain registry (e.g. .com, .net). The DS record is a trust anchor that acts as a pointer from the TLD registry (.com) to the KSK in the DNS zone (i.e. dnssechelp.com). The KSK is then used to verify the ZSK, and the ZSK is used to verify the individual RRSIG records attached to each DNS record in the zone.

DS records can also be queried using dig:

dig dnssechelp.com ds

;; ANSWER SECTION:
dnssechelp.com. 900 IN DS 37745 8 2 F70E97A24ED2E0B8753EBDE11A2A56F034441AEAA44B0A58AD8C2CC5 262E85AB

Looking for a handy way to visualize the chain of trust involved with DNSSEC?

The DS record supplied to the TLD registry is the one in the middle of the diagram (.com section). The TLD registry uses their own DNSSEC zone signing key (ZSK) to add an RRSIG record to the DS record supplied so that the chain of trust can continue all the way up to the DS records that are set at the root level (“.” section).

You can query the RRSIG record for the DS record added at the registrar using dig:

dig dnssechelp.com ds +dnssec

;; ANSWER SECTION:
dnssechelp.com. 900 IN DS 37745 8 2 F70E97A24ED2E0B8753EBDE11A2A56F034441AEAA44B0A58AD8C2CC5 262E85AB
dnssechelp.com. 900 IN RRSIG DS 8 2 86400 20171128080530 20171121065530 11324 com. emNDf4ORtnXBh7Pur+oes2Dl4tEo/Rpw1G7CSTPtFg7bzuhrTa9cUW9a sAfYlD5fQBp65LSTFcdNhyqNIQtVKD8taXJ3PJha7ZDf/94jBHRSDzAT WBCTqyLrq/5xTIzQ1iZ2Tjf3PlGaA2AbkdTjUxExAYUSYchm5Ue8oW2d YVg=

Enable DNSSEC with PowerDNS

A PowerDNS nameserver on cPanel/WHM 60+ can be used to generate DNSSEC keys for a DNS zone.

Make sure you replace the domain name used in the examples below with the domain name you will actually be setting up DNSSEC for!

  1. Check that the top-level domain of the domain name you will be setting up DNSSEC for actually supports DNSSEC. The dnssecready.net webpage lists top-level domains that currently do NOT support DNSSEC; if the top-level domain in question is not on that list, it should support DNSSEC. It is also a good idea to confirm that the domain’s registrar supports DNSSEC, as some registrars do not even though the top-level domain does.
  2. Add DNSSEC keys for a single domain:
    • pdnsutil secure-zone dnssechelp.com
    • This will generate two ZSKs, a KSK, and various DS record possibilities. One ZSK will be “active” and will be used to generate RRSIG records for all records in the DNS zone, and the other will be passive.
  3. Rectify the DNS zone. This calculates the various fields the zone needs in order to comply with its DNSSEC settings:
    • pdnsutil rectify-zone dnssechelp.com
  4. Obtain the generated DS record for the domain:
    • pdnsutil show-zone dnssechelp.com
  5. The output should look something like this:
    • [root@host ~]# pdnsutil show-zone dnssechelp.com
      Nov 20 23:47:52 [bindbackend] Done parsing domains, 0 rejected, 7 new, 0 removed
      Zone is not presigned
      Zone has NSEC semantics
      keys:
      ID = 1 (KSK), tag = 37745, algo = 8, bits = 2048   Active: 1 ( RSASHA256 )
      KSK DNSKEY = dnssechelp.com IN DNSKEY 257 3 8 AwEAAbXsdDxo9p0/gJLBXZqjt9FnytzMGFXz2Zdw3AHv0tCW0yhton4Q3nQjKRIA/u30wGj3g4CHE9e3iubCEOTiQd/d9O469UBaa5Zmo5eHbwRt8eSwvfSkgCkdXJ5m/1RB6lqNtSJwVKl8HClJi4w3euum+KANsIYhnvafnBTWZUvhJJ9cSER78uF2hJ+Dh1h6nMgghUpQDZNjNY8mZ5AG4R0PHMAnI5ccKM/kOCnVKpYAruKN6WcFIOgE+aeetf7l8OnxiRv1FQ/iyFCXtJ6/006C0tnqFJZGBZ8r4xwrescuaAs2eafM16bDPEE43r4/JzUxg1vpTUPyWaxKTT8Nhe8= ; ( RSASHA256 )
      DS = dnssechelp.com IN DS 37745 8 1 ae5fe79d8dd193d0276e3d6a31a52581bc02e4c9 ; ( SHA1 digest )
      DS = dnssechelp.com IN DS 37745 8 2 f70e97a24ed2e0b8753ebde11a2a56f034441aeaa44b0a58ad8c2cc5262e85ab ; ( SHA256 digest )
      DS = dnssechelp.com IN DS 37745 8 4 8ae6d3ee3d8ef4105138f951d00e5bc7836fed9cb10ab513bc3434e541d8233fde4c8a13f81c47b43a6023611045390b ; ( SHA-384 digest )
      ID = 2 (ZSK), tag = 48381, algo = 8, bits = 1024   Active: 1 ( RSASHA256 )
  6. Forward the appropriate DS record to the domain’s registrar.
    • Make sure you select the correct DS record based on the algorithm used to create the keys initially! For PowerDNS 3.4 (default cPanel/WHM 60+ version), this should ALWAYS be the SHA256 digest record because the algorithm uses RSASHA256 (algorithm 8) keys.
  7. Take the SHA256 digest DS record and provide it to the registrar of the domain. Each registrar has their own methods for accepting DS records. CloudFlare has a list of methods required by several popular domain registrars.
  8. Confirm the DNSSEC chain of trust is complete. There are a couple of ways to check that all parts of the DNSSEC chain of trust are working. The first is to use one of the external DNSSEC validation tools (external links).
  9. You can also use dig to perform a backward and forward trace of the DNSSEC records. This starts with the RRSIG value for the record being queried and works back up the chain until there are no more DS records.
    • dig dnssechelp.com +sigchase
    • This method may not reveal breakdowns in the DNSSEC chain of trust as easily, so it is best to also confirm using one of the external tools mentioned above.
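As an added example (not part of this article or of PowerDNS), the following Python recomputes the DS digest from the KSK DNSKEY shown in the dig output in the “Delegation signer record” section and checks it against the DS published in .com, which is the same check you would make before handing a DS record to the registrar in step 6 and when confirming the chain of trust in step 8. The function names are mine; the record values are copied from this page, and the hashing follows RFC 4034 (owner name in canonical wire form followed by the DNSKEY RDATA).

```python
import base64
import hashlib

# Constructed from this page's dig output: the zone's KSK DNSKEY record and the SHA-256 DS published in .com.
KSK_RECORD = ("dnssechelp.com. 294 IN DNSKEY 257 3 8 AwEAAbXsdDxo9p0/gJLBXZqjt9FnytzMGFXz2Zdw3AHv0tCW0yhton4Q 3nQjKRIA/u30wGj3g4CHE9e3iubCEOTiQd/d9O469UBaa5Zmo5eHbwRt "
              "8eSwvfSkgCkdXJ5m/1RB6lqNtSJwVKl8HClJi4w3euum+KANsIYhnvaf nBTWZUvhJJ9cSER78uF2hJ+Dh1h6nMgghUpQDZNjNY8mZ5AG4R0PHMAn "
              "I5ccKM/kOCnVKpYAruKN6WcFIOgE+aeetf7l8OnxiRv1FQ/iyFCXtJ6/ 006C0tnqFJZGBZ8r4xwrescuaAs2eafM16bDPEE43r4/JzUxg1vpTUPy WaxKTT8Nhe8=")
PUBLISHED_DS = "F70E97A24ED2E0B8753EBDE11A2A56F034441AEAA44B0A58AD8C2CC5 262E85AB"
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash function

def parse_dnskey(record: str):
    """Split a DNSKEY record in zone-file form into (owner, flags, protocol, algorithm, key bytes)."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:]))

def key_role(flags: int) -> str:
    # Bit 7 (value 256) marks a zone key; adding the SEP bit (value 1) gives 257, the KSK.
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"

def owner_wire(name: str) -> bytes:
    # Canonical wire form (RFC 4034 section 6): lowercase, length-prefixed labels, root label last.
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: the 16-bit tag that RRSIG and DS records use to name a key.
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    # RFC 4034 section 5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA).
    return DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def check_ds(dnskey_record: str, published_ds: str, digest_type: int = 2) -> dict:
    """Recompute the DS from a DNSKEY and report whether it matches the digest the registry publishes."""
    owner, flags, proto, algo, pubkey = parse_dnskey(dnskey_record)
    rdata = flags.to_bytes(2, "big") + bytes([proto, algo]) + pubkey  # DNSKEY RDATA as sent on the wire
    return {"role": key_role(flags), "algorithm": algo, "key_tag": key_tag(rdata),
            # RFC 3110 RSA layout: 1-byte exponent length (exponent 65537 is 3 bytes), exponent, modulus
            "bits": len(pubkey[1 + pubkey[0]:]) * 8,
            "ds_matches": ds_digest(owner, rdata, digest_type) == published_ds.replace(" ", "").upper()}

if __name__ == "__main__":
    print(check_ds(KSK_RECORD, PUBLISHED_DS))
```

Feed it the 256 (ZSK) record instead and the role changes while the DS no longer matches, which is exactly why step 6 insists on the DS derived from the KSK.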