How to Rotate a DNSSEC Key

Valid for versions 86 through the latest version





Last modified: September 28, 2020


This document describes how to rotate a domain’s DNS Security Extensions (DNSSEC) keys on a server. You can rotate your domains’ DNSSEC keys regularly to increase your DNS record’s security.

For more information about DNSSEC in cPanel & WHM, read our DNSSEC documentation.

  • We recommend that you rotate your domain’s DNSSEC keys yearly.

  • The system includes DNSSEC keys in an account’s backup file. You do not need to create new DNSSEC keys if you transfer the account to another server. For more information, read our Backup Tarball Contents documentation.

  • For more information about DNSSEC key rotation, we strongly suggest that you read the RFC 6781 documentation.

Rotate the key

(on PowerDNS 4.2)

To rotate a DNSSEC key, perform the following steps:

  1. Navigate to cPanel’s Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

  2. For the domain that you wish to manage, click DNSSEC. The DNSSEC interface will appear. It will will display a recommendation for when you should rotate this key.

  3. Generate a new DNSSEC key for the domain.

  4. Navigate to your domain registrar and enter the new DNSSEC key information for the domain.

    Many registrars provide a Manage DNSSEC option in their domain management portals. If they do not provide that option, you must manually add a DS record through their management portal.

  5. Wait 24 to 48 hours for the DS record to propagate.

  6. Remove the old DNSSEC key information for the domain from the registrar.

  7. Navigate to cPanel’s Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor) and delete the old DNSSEC key.

Additional Documentation