Watch the video tutorial

DNSSECClosed DNSSEC is designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server. is the extension of the DNSClosed The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service resolves queries for these names into IP addresses for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet. protocol that allows signing DNS data in order to secure the domain name resolving process. For general information about DNSSEC and its usage, visit ICANN website and https://tools.ietf.org/html/rfc6781.

You can do the following to protect DNS data of your domains with DNSSEC:

Signing a Domain Zone

To start using DNSSEC protection of your DNS zone, sign this zone. PleskClosed Plesk Panel is the preferred choice for hosting service providers, web designers, and website owners. Plesk Obsidian 18 is the latest release from Plesk and offers a range of new benefits and features for every user type. signs the zone with an automatically generated signatures using two pairs of asymmetric keys, the Key Signing Key (KSK) and the Zone Signing Key (ZSK).

To sign a domain zone:

  1. Select the domain in Websites & Domains.
  2. Go to DNSSEC and click Sign the DNS Zone.
  3. If the zone has never been signed before, Plesk prompts you to generate the keys that will be used to create a signature.

    You can use the default values or specify custom values. See Recommended Values below.


  4. If you previously signed the DNS zone, you have the choice to use previously generated keys or generate new ones. If you opt for new keys, you can either use the default values or specify custom values. See Recommended Values below.

    Recommended values of KSK and ZSK generation settings:

    • A long key and a long rollover period for the KSK.
    • Every time the Key Signing Key is updated, you need to update the DS records in the parent zone. The recommended values help you to update DS records as seldom as possible without decreasing security.
    • A shorter key and a shorter rollover period for the ZSK.

      The Zone Signing Key is updated automatically. The recommended values help you to save system resources without decreasing security.


  5. In the end of the signing procedure, Plesk displays DS records, which contain hashes of the Key Signing Keys used for signing the zone.

    Copy the DS resource records to Clipboard and then add them to the parent domain zone. See Updating the DS Records in the Parent Zone below.


Updating the DS Records in the Parent Zone

If the parent zone contains outdated DS records, the domain name is no longer resolved by the DNS service.

You will need to manually add or update DS records in the parent domain zone in all cases when DNSSEC keys were updated, namely:

Plesk sends you notifications and gives you some time to update the DS records - this period of time is equal to one KSK rollover period. During this period, the previous DS records are still valid.

If you unsigned the domain zone, you need to manually delete DS records in the parent domain zone.

To update DS records in the parent zone:

For a domain in Plesk, whose parent zone is outside Plesk, update DS records at the domain’s registrar.

For a subdomain of a domain hosted in Plesk and having the DNS zone in Plesk:

  1. Go to DNS settings of the parent domain (Websites & Domains > go to the parent domain > DNS Settings).
  2. Add new records of the DS type (Add Record) and paste the values that Plesk displays in the DS resource records box in the DNSSEC settings of the subdomain.

Unsigning a Domain Zone

Unsigning a domain zone turns off DNSSEC protection for that zone. You may need to unsign a zone if the keys were compromised, and then sign the zone again using new keys.

To unsign a domain zone:

  1. Go to Websites & Domains > select a domain > DNSSEC and click Unsign.
  2. Delete the DS resource records from the parent zone. Otherwise, the domain will not resolve.

Note: When you unsign a zone, the keys are not deleted from Plesk. You can sign the zone again using the same keys.

Viewing DNSKEY Resource Records

You might need to retrieve DNSKEY resource records, which contain public parts of Key Signing Keys used by a domain.

To display DNSKEY records:

  1. Go to Websites & Domains > select a domain > DNSSEC.
  2. Click View DNSKEY Records.