Generating DNSSEC keys in cPanel

Having a domain delegated to our DNS servers, the keys can be generated in the cPanel hosting panel. The keys should be configured according to the parameters that are supported by the domain registrar.

How to generate DNSSEC keys in cPanel?

1. From the “Domains” tab, select the “Zone Editor” option.

2. Select the domain for which you want to generate DNSSEC keys. Then click on the “DNSSEC” option.


3. Next, to create a key, click on the option “Create Key”.


4. In the next window you will see the default keys proposed by cPanel. To add them, select “Create”. You can also create keys according to your own settings. To create your own keys, select “Customize”.


5. By selecting “Customize” you can create a key according to our own settings:

Key Setup:

  • Classic: Creates a ZSK (Zone Signing Key) and a KSK (Key Signing Key) keypair.
  • Simple: Creates a CSK (Combined Signing Key) which will be used as both the ZSK and KSK.

Algorithm:
Selection of the algorithm that will be used to create the keys.

  • RSA/SHA-256 (Algorithm 8) – most commonly supported by domain registrars
  • RSA/SHA-512 (Algorithm 10) – similar to RSA/SHA-256, generates longer 512-bit hashes so it is more secure but less efficient than RSA/SHA-256
  • ECDSA Curve P-256 with SHA-256 (Algorithm 13) – recommended by cPanel, provides high security with smaller key size compared to RSA
  • ECDSA Curve P-384 with SHA-384 (Algorithm 14) – higher security than ECDSA with P-256 with SHA-256. Less efficient than the 13 algorithm but still more efficient than RSA-based algorithms. Suitable for environments requiring very high levels of security.

Status:
Allows to activate or deactivate the key.


6. Now that you have the keys created, you can add them in the DNS settings in the domain management panel (where the domain is registered). To get the necessary data, click in cPanel on “View DS Records” next to the generated key, and then fill in the data on the domain management panel side.


For domains registered with Smarthost.au DNSSEC can be activated in the customer area.

Damian Koćwin