DNSSEC is an extension of the DNS protocol that allows signing of DNS
data in order to secure the domain name resolution process. For general
information about DNSSEC and its usage, visit the ICANN website
and https://tools.ietf.org/html/rfc6781.
Plesk enables you to protect the DNS data of hosted domains with DNSSEC.
You can do the following:
- Configure the settings used for key generation and rollover.
- Sign and unsign domain zones according to the DNSSEC specifications.
- Receive notifications.
- View and copy DS resource records.
- View and copy DNSKEY resource record sets.
Requirements
- Plesk for Linux with the Bind DNS server, starting from Bind 9.9.
- DNSSEC is a paid extension. It is included for free in Plesk Web Host
and Plesk Web Pro editions.
- DNSSEC is available on Debian 8, Debian 9, Ubuntu 16.04, Ubuntu 18.04, CentOS
7, RedHat Enterprise Linux 7, CloudLinux 7, Virtuozzo Linux 7.
Enabling DNSSEC Support
To enable the support for DNSSEC, install the Plesk DNSSEC extension
(Extensions > Extensions Catalog).
Configuring Default DNSSEC Settings
The default DNSSEC settings are located in Tools & Settings >
Extensions > DNSSEC. You can change the default policy for
generating Key Signing Key (KSK) and Zone Signing Key (ZSK) pairs.
The recommended policy for KSK and ZSK:
- Use a long key and a long rollover period for the KSK (Key Signing
Key). Every time the Key Signing Key is updated, the zone owner needs to
update the DS records in the parent domain zone. The recommended
policy helps to update DS records in the parent zone as seldom as
possible without decreasing security.
- Use a shorter key and a shorter rollover period for the ZSK (Zone
Signing Key). The Zone Signing Key is updated automatically. The recommended policy
helps to save system resources without decreasing security.
When hosting customers sign their zones, they can use the default values
or specify different values. For details, see Using DNSSEC on
Domains.