In the event you missed it, we published a blog post back in December of 2018, announcing the deprecation of MyDNS and NSD. Now that PowerDNS has been the choice DNS Management tool of cPanel & WHM for several versions, the request for DNSSEC (Domain Name System Security Extensions) clustering has become even more popular. 

Well, you’ve been asking for it, and we’re ready to deliver it. Coming with cPanel & WHM Version 84 and beyond, we are offering DNSSEC Clustering with PowerDNS.

DNSSEC gives users protection from a litany of attacks, such as DNS spoofing or Man-in-the-Middle Attacks. Designed as a scalable distributed system, DNSSEC was built to protect applications and in turn, the caching resolvers that serve those applications. Digital signatures using public-key cryptography to sign DNS data are the critical component of DNSSEC’s DNS authentication strengthening ability. Answers to queries from DNSSEC protected zones are digitally signed, giving the DNS resolver the ability to check that the information is complete and unmodified from the zone owner published information and served on an authoritative DNS server.

DNSSEC combined with our DNS Clustering feature, provides the means to add security to your DNS clusters, using digital signatures and cryptographic keys to validate that DNS responses are authentic, thereby creating a “chain of trust.” This includes notifications for the system administrator with the assurance that the zone records and DNSSEC are validated and working for cluster members, or notice that there is an issue. Essentially, DNSSEC complicates the manipulation of information that passes through DNS.

With the launch of Version 84, we’ve added the ability to change a DNS server’s nameserver software in WHM’s DNS Cluster interface (WHM >> Home >> Clusters >> DNS Cluster), allowing a user to upgrade their DNS cluster members from BIND to PowerDNS by clicking the Upgrade link in the Status column of the Servers in your DNS Cluster table. We’ve also added error handling for misconfigured DNS clusters, as well as DS record validity checks. Additional DNSSEC clustering performance improvements are expected in upcoming versions as we continue development.

For those cPanel users enabling DNSSEC, the Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor) has received some upgrades as well. This interface now includes modernized keys tables, which allow for KSK (Key Signing Key) and CSK (Combined Signing Key) to be viewed separately from ZSKs (Zone Signing Keys).

When adding DNSSEC keys to a user’s Zone Records, you have the choice to either add existing keys through the Import functionality or generate new keys. When generating a new DNSSEC Key, you can select what type of Key Setup and Algorithm to use.

If you’d like to discuss the benefits of DNSSEC or have questions about upgrading to PowerDNS, or any of the other topics covered, please join us in our cPanel Official Slack and Discord channels, or follow our official cPanel subreddit!