DNSSEC is an extension of the DNS protocol that allows signing DNS data
in order to secure the domain name resolution process. For general
information about DNSSEC and its usage, visit the ICANN website
and https://tools.ietf.org/html/rfc6781.
Note: DNSSEC support is available in Plesk for Linux. The Plesk
DNSSEC extension must be installed in Plesk by the hosting
provider.
You can do the following to protect DNS data of your domains with
DNSSEC:
- Sign and unsign domain zones according to DNSSEC specifications
- (Optionally) Specify custom settings to be used for generation of
  keys
- Receive notifications
- View and copy DS resource records
- View and copy DNSKEY resource record sets
Signing a Domain Zone
To start using DNSSEC protection of your DNS zone, sign this zone. Plesk
signs the zone with automatically generated signatures using two
pairs of asymmetric keys, the Key Signing Key (KSK) and the Zone Signing
Key (ZSK).
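How the two key pairs relate to the parent zone, as an added example (not Plesk's code): the DS record is a digest of the KSK's DNSKEY record, so replacing the KSK makes the DS held by the parent stale, while replacing only the ZSK does not. The zone name `example.com`, the function names and the key material are constructed for illustration.

```python
import base64
import hashlib
import struct

SEP = 0x0001  # Secure Entry Point bit: flags 257 = KSK, flags 256 = ZSK

def dnskey_rdata(flags, algorithm, key_b64, protocol=3):
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(zone):
    """Zone name in canonical (lower-case) wire form."""
    labels = [l for l in zone.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(zone, flags, algorithm, key_b64):
    """(key tag, algorithm, digest type 2 = SHA-256, digest) per RFC 4034/4509."""
    rdata = dnskey_rdata(flags, algorithm, key_b64)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def parent_ds_is_current(zone, parent_ds, dnskeys):
    """True if the DS held by the parent matches a KSK in the zone's DNSKEY set."""
    return any(ds_for(zone, f, a, k) == parent_ds
               for f, a, k in dnskeys if f & SEP)

# Constructed key material (repeated bytes), not real keys.
# Algorithm 13 = ECDSAP256SHA256, whose public key is 64 bytes long.
OLD_KSK = (257, 13, base64.b64encode(b"\x01" * 64).decode())
ZSK = (256, 13, base64.b64encode(b"\x02" * 64).decode())
NEW_ZSK = (256, 13, base64.b64encode(b"\x04" * 64).decode())
NEW_KSK = (257, 13, base64.b64encode(b"\x03" * 64).decode())

if __name__ == "__main__":
    zone = "example.com"
    parent_ds = ds_for(zone, *OLD_KSK)  # the DS that was copied to the parent zone
    print("DS at parent:", *parent_ds)
    print("ZSK replaced:", parent_ds_is_current(zone, parent_ds, [OLD_KSK, NEW_ZSK]))
    print("KSK replaced:", parent_ds_is_current(zone, parent_ds, [NEW_KSK, ZSK]))
```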
To sign a domain zone:
- Select the domain in Websites & Domains.
- Go to DNSSEC and click Sign the DNS Zone.
- If the zone has never been signed before, Plesk prompts you to
  generate the keys that will be used to create a signature. You can
  use the default values or specify custom values. See
  Recommended Values below.
- If you previously signed the DNS zone, you have the choice to use
  previously generated keys or generate new ones. If you opt for new
  keys, you can either use the default values or specify custom values.
  See Recommended Values below.

Recommended values of KSK and ZSK generation settings:
- A long key and a long rollover period for the KSK.
  Every time the Key Signing Key is updated, you need to update the
  DS records in the parent zone. The recommended values help you to
  update DS records as seldom as possible without…
-