How to Rotate a DNSSEC Key
This document describes how to rotate a domain’s DNS Security Extensions (DNSSEC) keys on a server. You can rotate your domains’ DNSSEC keys regularly to increase your DNS record’s security.
- We recommend that you rotate your domain’s DNSSEC keys yearly.
- If you transfer the account to another server, you must create new DNSSEC keys for the account and update the registrar with the new keys. The system does not include DNSSEC keys in an account’s backup file.
DNSSEC keys remain on a server after you terminate an account. If you restore an account on the same server from which you deleted it, the account’s DNSSEC keys remain valid.
- For more information about DNSSEC key rotation, we strongly suggest that you read the RFC 6781 documentation.
Rotate the key
To rotate the DNSSEC key, perform the following steps:
- Add a new Key Sign Key (KSK) to the domain’s DNS zone. To do this, run the following command:
pdnssec add-zone-key example.com ksk 2048 active
The output will resemble the following example:
Added a KSK with algorithm = 8, active=1
Requested specific key size of 2048 bits
example.comrepresents your domain.
- Increase the DNS zone’s Start of Authority (SOA) serial number.
- Review the updated zone’s DNSSEC details for the Domain Server (DS) records that correspond to the new key. To do this, run the following command:
pdnssec show-zone example.com
Thie output resembles the following example:Click to view…
- Add a new DS record for the domain through your nameserver registrar. To do this, follow the directions in our How to Set Up Nameservers in a cPanel Environment documentation.
- Wait 24 to 48 hours for the DS record to propagate.
If you do not wait for the DS record to propagate, your domain may experience DNS resolution issues.
- Remove the domain’s old KSK. To do this, run the following command:
pdnssec remove-zone-key example.com key-id
keyidrepresents the old KSK’s key ID. The
pdnssec show-zonecommand’s output contains the key’s ID.