DNSSEC (Domain Name System Security Extensions) is like putting a lock on your DNS records. With DNSSEC enabled, your visitors can be sure that the answers their browsers get - like where to find your website - are really from you and haven’t been forged or tampered with on the way. Without DNSSEC, attackers can fake DNS responses and send your visitors to the wrong place, potentially putting their data at risk.

Setting up DNSSEC takes two main steps: first, you sign your domain’s DNS zone on the server; then, you publish a special code - called a DS record - at your domain registrar. Both steps are essential to make DNSSEC work.

Which Path to Follow

The steps you’ll follow depend on what kind of access you have to your hosting - are you using cPanel on a shared plan, or are you a server admin with WHM access?

| You have… | Follow this section |
|---|---|
| cPanel access (shared hosting account) | Enable DNSSEC from cPanel |
| WHM access (VPS, dedicated, or reseller) | Enable DNSSEC from WHM |

If you’re on a GoZen Host shared hosting plan and just want DNSSEC on your domain, the cPanel path is all you need.


Enable DNSSEC from cPanel

For most users, this is the simplest path. If your hosting provider (like GoZen Host) has DNSSEC support turned on - which is true by default for GoZen shared hosting - you can turn it on yourself right from your cPanel account. No technical background needed.

What You’ll Need First

  • A cPanel hosting account with GoZen Host (or any host running cPanel 98+)
  • Your domain must use the server’s nameservers (not Cloudflare or an external DNS provider)

Step 1 - Generate DNSSEC Keys in cPanel

  1. Log into your cPanel account.
  2. Go to Domains → Zone Editor.
  3. Find your domain in the list.
  4. Click the DNSSEC button next to it (it’s in the same row as the A Record, CNAME, MX, and Manage buttons).
  5. Click Create Key, then click Create in the confirmation popup.

cPanel generates the signing keys and signs your DNS zone automatically. After creation, the DS Records screen appears with the details you’ll need:

  Key Tag:      12345
  Algorithm:    13 (ECDSAP256SHA256)
  Digest Type:  2 (SHA-256)
  Digest:       A1B2C3D4E5F6...

Copy these values somewhere safe - you’ll need them in the next step.

Step 2 - Add the DS Record at Your Registrar

The DS (Delegation Signer) record is like a handshake between your DNS zone and the wider internet, telling the parent zone (like .com) that your signed zone can be trusted. This step is done at your domain registrar - not inside cPanel.

If your domain is registered with GoZen Host:

  1. Log into the GoZen Host Client Area
  2. Go to Domains → My Domains
  3. Click the domain name
  4. Look for DNSSEC Management or DS Records
  5. Enter the Key Tag, Algorithm, Digest Type, and Digest from Step 1.
  6. Save

If your domain is at another registrar (Namecheap, GoDaddy, Porkbun, etc.):

Log into your registrar’s dashboard, look for DNSSEC or DS record settings for your domain, and enter those same four values. The field names are nearly always identical - the screens just look a bit different depending on your registrar.

Step 3 - Verify It Works

Give it 15-30 minutes for changes to take effect, then check your work with the GoZen DNS Inspector. Just enter your domain and run a scan - the tool checks your DNS health, record integrity, and DNSSEC status all at once. If DNSSEC is active, you’ll see a clear confirmation.

For a deeper look at the chain of trust:


Enable DNSSEC from WHM

This part is for server administrators - if you have root or reseller access to WHM (usually with a VPS, dedicated server, or reseller plan), these are your steps.

What You’ll Need First

  • Root or reseller access to WHM
  • PowerDNS as your nameserver (DNSSEC is not supported with BIND in cPanel)
  • Your domain must use the server’s own nameservers (not Cloudflare, not your registrar’s DNS)
  • Access to the domain registrar’s control panel (to add the DS record)

Step 1 - Make Sure DNSSEC Is Available

Before generating keys, confirm that DNSSEC is enabled on your server and visible to your cPanel users:

  1. Log into WHM as root.
  2. Go to Packages → Feature Manager.
  3. Edit the feature list assigned to your hosting packages.
  4. Make sure Manage DNSSEC is checked, then save.

This lets cPanel users see and manage DNSSEC from their own Zone Editor. If you skip this, only WHM-level admins can manage DNSSEC.

Step 2 - Generate DNSSEC Keys

  1. In WHM, go to DNS Functions → DNS Zone Manager.
  2. Find the domain you want to sign.
  3. Click the DNSSEC button next to it.
  4. Click Create Key.

WHM generates two keys for the domain: a ZSK (Zone Signing Key) and a KSK (Key Signing Key). Once created, click View DS Records to see the details you’ll need:

  Key Tag:      12345
  Algorithm:    13 (ECDSAP256SHA256)
  Digest Type:  2 (SHA-256)
  Digest:       A1B2C3D4E5F6...

Copy down the Key Tag, Algorithm, Digest Type, and Digest values. You’ll need them to finish setting up DNSSEC.

Step 3 - Add the DS Record at Your Registrar

Just like with cPanel, you’ll need to add the Key Tag, Algorithm, Digest Type, and Digest from WHM to your registrar. For a full walkthrough, see Step 2 under the cPanel instructions above.

Some registrars ask for the DNSKEY record instead of a DS record. If that’s the case, go back to DNS Zone Manager → DNSSEC for the domain and copy the DNSKEY value from there.
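The four DS values are derived from the DNSKEY, so either form can be checked against the other before you save it at the registrar. The following is an added example, not cPanel or GoZen Host code: it computes the Key Tag and Digest from a DNSKEY and reports which DS fields disagree. The sample key is a constructed placeholder and the function names are illustrative.

```python
import base64
import hashlib
import struct

HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key Tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS Digest = hash(owner name wire form + DNSKEY RDATA), upper-case hex."""
    return HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_mismatches(owner: str, dnskey: tuple, ds_text: str) -> list:
    """Compare a DS line ('KeyTag Algorithm DigestType Digest') with a DNSKEY.

    Returns the names of the fields that do not match; an empty list means OK."""
    tag, alg, dtype, *digest = ds_text.split()
    rdata = dnskey_rdata(*dnskey)
    bad = []
    if int(tag) != key_tag(rdata):
        bad.append("Key Tag")
    if int(alg) != dnskey[2]:
        bad.append("Algorithm")
    if int(dtype) not in HASHES:
        return bad + ["Digest Type"]
    if "".join(digest).upper() != ds_digest(owner, rdata, int(dtype)):
        bad.append("Digest")
    return bad

# Constructed sample: a KSK (flags 257), algorithm 13, with a placeholder
# 64-byte public key. Not a real key; real values come from the DNSSEC screen.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KEY)
SAMPLE_DS = f"{key_tag(SAMPLE_RDATA)} 13 2 {ds_digest('yourdomain.com', SAMPLE_RDATA)}"

if __name__ == "__main__":
    print(SAMPLE_DS, ds_mismatches("yourdomain.com", SAMPLE_KEY, SAMPLE_DS))
```

A non-empty result names the fields to re-enter; a Digest mismatch alone usually means the DS was generated for a different domain name or a different key.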

Step 4 - Verify DNSSEC Is Working

Give things 15-30 minutes to update, then check your DNSSEC status with the GoZen DNS Inspector - it’ll quickly tell you if everything’s set up correctly.

If you prefer the command line, you can use:

  dig +dnssec yourdomain.com A
  

Look for the ad flag (Authenticated Data) in the response header. If you see ad, DNSSEC is working! For more detailed trust-chain checks, try the DNSSEC Analyzer (Verisign) or DNSViz.
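A missing ad flag has more than one cause, so it helps to read the status, the flags, and the presence of RRSIG records together. The following added example (not part of the original guide) classifies `dig +dnssec` output; the sample outputs are constructed, with placeholder addresses and signatures, and the result labels are illustrative.

```python
import re

# Constructed `dig +dnssec` output fragments (placeholder address and signature).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
yourdomain.com. 300 IN A 192.0.2.10
yourdomain.com. 300 IN RRSIG A 13 2 300 20260501000000 20260417000000 12345 yourdomain.com. c2lnbmF0dXJl
"""
NOT_VALIDATED = VALIDATED.replace("qr rd ra ad;", "qr rd ra;")
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
yourdomain.com. 300 IN A 192.0.2.10
"""
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

ADVICE = {
    "validated": "Resolver validated the answer: DNSSEC is working.",
    "signed-not-validated": "Zone is signed, but this resolver does not validate "
                            "or the DS record has not propagated; retry with @8.8.8.8.",
    "unsigned": "No RRSIG in the answer: the zone is not signed yet.",
    "servfail": "Broken chain of trust: compare the DS at the registrar with the key.",
}

def classify_dig(output: str) -> str:
    """Return a key of ADVICE, 'other' for unexpected statuses, or 'unparseable'."""
    status = re.search(r"status: ([A-Z]+)", output)
    flags = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    if not status or not flags:
        return "unparseable"
    if status.group(1) == "SERVFAIL":
        return "servfail"
    if status.group(1) != "NOERROR":
        return "other"
    if "ad" in flags.group(1).split():
        return "validated"
    # RRSIG records are only returned when the zone itself is signed.
    return "signed-not-validated" if re.search(r"\sIN\s+RRSIG\s", output) else "unsigned"

if __name__ == "__main__":
    for sample in (VALIDATED, NOT_VALIDATED, UNSIGNED, BROKEN):
        print(ADVICE[classify_dig(sample)])
```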


Managing DNSSEC Keys

Key Rotation

If you’re using PowerDNS, cPanel will rotate your ZSK (Zone Signing Key) for you automatically. For the KSK (Key Signing Key), you’ll need to:

  1. Generate a new KSK in WHM.
  2. Update the DS record at your registrar with the new key.
  3. Wait for the new settings to propagate (usually 24-48 hours).
  4. Only then, remove the old KSK in WHM.

Important: Don’t remove the old KSK until the new DS record has fully propagated. If you do, you’ll break the chain of trust and DNSSEC will fail, meaning services like Google Public DNS and Cloudflare DNS won’t resolve your domain.

Disabling DNSSEC

Whether you set up DNSSEC from cPanel or WHM, here’s how to turn it off safely (for example, before migrating to a new DNS provider):

  1. First, remove the DS record at your registrar.
  2. Wait 24-48 hours for the old DS record to expire from DNS caches.
  3. Then, remove the DNSSEC keys in WHM.

Troubleshooting

| Problem | Cause | Fix |
|---|---|---|
| Domain stops resolving after enabling DNSSEC | DS record doesn’t match the key in cPanel/WHM | Double-check Key Tag, Algorithm, Digest Type, and Digest values at your registrar |
| SERVFAIL on dig queries | Broken chain of trust | Run a scan at GoZen DNS Inspector or DNSSEC Debugger to find where the chain breaks |
| No ad flag in dig output | Your resolver doesn’t validate DNSSEC, or DS record hasn’t propagated | Test with dig @8.8.8.8 +dnssec yourdomain.com A to use Google’s resolver, or check via GoZen DNS Inspector |
| DNSSEC tab missing in cPanel Zone Editor | Feature not enabled, or provider hasn’t turned on DNSSEC | Server admin: check WHM → Packages → Feature Manager and enable “Manage DNSSEC”. On GoZen shared hosting this is enabled by default |
| No DNSSEC option anywhere in WHM or cPanel | Server is using BIND instead of PowerDNS | BIND does not support DNSSEC in cPanel. Switch to PowerDNS under WHM → Service Configuration → Nameserver Selection |
| DNSSEC works but breaks after migration | Keys changed but DS record at registrar still has old values | Update or remove the DS record at the registrar before migrating |

Last updated 20 Apr 2026, 00:00 +0300.