Using DNSSEC (Linux)

DNSSEC is the extension of the DNS protocol that allows DNS data to be signed in order to secure the domain name resolution process. For general information about DNSSEC and its usage, visit the ICANN website and https://tools.ietf.org/html/rfc6781.

Plesk enables you to protect the DNS data of hosted domains with DNSSEC. You can do the following:

 

Requirements

 

Enabling DNSSEC Support

To enable the support for DNSSEC, install the Plesk DNSSEC extension (Extensions > Extensions Catalog).


Configuring Default DNSSEC Settings

The default DNSSEC settings are located in Tools & Settings > Extensions > DNSSEC. You can change the default policy for generating Key Signing Key (KSK) and Zone Signing Key (ZSK) pairs.

The recommended policy for KSK and ZSK:

When hosting customers sign their zones, they can use the default values or specify different values. For details, see Using DNSSEC on Domains.


Protecting DNS Zones with DNSSEC

To use DNSSEC, domain owners must sign their DNS zones. For details, see Using DNSSEC on Domains.

How Key Rollover Works in Plesk

In order to prevent a DNS outage for a domain, Plesk uses more than one key as the KSK and more than one key as the ZSK. A previously generated key exists in parallel with a new key for some time, so that all changes in the DNS zone can take effect. Obsolete keys are removed automatically.

KSK rollover

Plesk uses a modification of the Double-RRset method for rolling over Key Signing Keys. The difference is that Plesk has two Key Signing Keys during each rollover period. This measure allows enough time for the domain zone owner to update the corresponding DS records in the parent zone (for example, the time period between rollover events 1 and 2 in the scheme below).

User actions at KSK rollover

The domain zone owner is notified about the rollover and about the need to update the DS records in the parent zone. The DS records become obsolete when the oldest KSK expires and the newest KSK is generated (for example, at rollover event 2 in the scheme below). If the domain zone owner has not updated the DS records in the parent zone by the end of one rollover period after the notification, the domain stops resolving.

Note: At the moment, the text of the domain zone owner notification cannot be customized.

KSK Rollover

ZSK rollover

To allow enough time for slave and caching DNS servers to sync with the master DNS server, Plesk does the following:

This period before or after a ZSK rollover is called the transition period in Plesk. The transition period is 30 days, or the sum of the zone's SOA TTL and SOA Expire values if that sum is longer than 30 days. However, the transition period cannot be longer than half the ZSK rollover period; otherwise the rollover would be disrupted and the zone signatures would become invalid.

Therefore, to make sure that ZSK rollover is performed correctly, Plesk sets limits on the following values:

User actions at ZSK rollover

No actions are required of the domain's DNS zone owner when Zone Signing Keys are rolled over.

ZSK Rollover
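As an added example (not Plesk's own code), the following Python computes the ZSK transition period described above, checks it against the half-rollover-period limit, and derives the DS update deadline from a KSK rollover notification. The rollover periods, SOA values and the exact form of Plesk's limit check are assumptions for illustration.

```python
from datetime import date, timedelta

# Minimum transition period stated in the documentation.
DEFAULT_TRANSITION = timedelta(days=30)


def transition_period(soa_ttl_s: int, soa_expire_s: int) -> timedelta:
    """30 days, or SOA TTL + SOA Expire when that sum is longer than 30 days."""
    soa_sum = timedelta(seconds=soa_ttl_s + soa_expire_s)
    return max(DEFAULT_TRANSITION, soa_sum)


def check_zsk_rollover(soa_ttl_s: int, soa_expire_s: int, zsk_rollover_days: int):
    """Return (ok, transition_days, limit_days).

    The transition period may not exceed half the ZSK rollover period; if it
    does, the old and new ZSK windows overlap incorrectly and signatures in
    cached or slave copies of the zone would become invalid.
    """
    transition = transition_period(soa_ttl_s, soa_expire_s)
    limit = timedelta(days=zsk_rollover_days) / 2  # assumed form of the limit
    return transition <= limit, transition.days, limit.days


def ksk_ds_deadline(notified_on: str, ksk_rollover_days: int) -> str:
    """Date (ISO string) by which the parent-zone DS records must be updated.

    The zone owner is notified at one KSK rollover event; the old DS records
    become obsolete one rollover period later, when the oldest KSK expires.
    """
    notified = date.fromisoformat(notified_on)
    return (notified + timedelta(days=ksk_rollover_days)).isoformat()


if __name__ == "__main__":
    # Constructed sample zone: TTL 1 hour, SOA Expire 1 week, 90-day ZSK rollover.
    print(check_zsk_rollover(3600, 604800, 90))
    # Constructed misconfiguration: SOA Expire 35 days with a 60-day ZSK rollover.
    print(check_zsk_rollover(86400, 3024000, 60))
    print(ksk_ds_deadline("2016-09-07", 90))
```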