DNS Zone Manager

Valid for version 86



Last modified: May 13, 2020

Overview

This feature allows you to edit the records in a domain’s DNS (Domain Name System) zone file. DNS converts human-readable domain names (for example, example.com) to computer-readable IP addresses (for example, 192.0.0.1). To perform this function, DNS relies on zone records that exist on your server to map domain names to IP addresses.

Important:
  • We deprecated the MyDNS and NSD nameserver software in cPanel & WHM version 78 and plan to remove them in a future release. If you use either of these nameservers, we strongly recommend that you migrate to either the PowerDNS or BIND nameservers. For more information, read our cPanel Deprecation Plan documentation.

  • DNS zones that reside on other Write-only DNS servers in a DNS cluster do not appear in this interface.

Domains

The DNS Zone Manager interface displays all of your server’s domains. To filter the list, enter a name in the text box. For each listed domain, you can perform the following actions:

  • A Record — Create a new A record. When you select this record type, a new window will appear. Enter a valid DNS zone name in the Name text box and a valid IPv4 address in the Address text box. Click Add an A Record to save your changes.

  • CNAME Record — Create a new CNAME record. When you select this record type, a new window will appear. Enter a valid DNS zone name in the Name text box and a FQDN in the CNAME text box. Click Add a CNAME Record to save your changes.

  • MX Record — Create a new MX record. When you select this record type, a new window will appear. Enter the record’s priority value in the Priority text box and a FQDN in the Destination text box. Click Add an MX Record to save your changes.

  • DNSSEC — Manage the domain’s DNSSEC (Domain Name System Security Extensions) records. When you select this record type, the system directs you to the View DNSSEC Keys interface.

  • Manage — Add or edit additional domain records. When you select this setting, the system directs you to the Manage DNS Zone Records interface.

Manage DNS Zone Records

This interface displays a table with a list of the selected domain’s DNS zone records. To filter the list, enter a name in the text box or select a record type filter. You can also use this interface to add, edit, or delete the domain’s DNS zone records.

Add a DNS zone record

To add a DNS zone record, perform the following steps:

  1. Click Manage next to the domain you want to modify.

  2. Click Add Record. You can also click the arrow icon and select the desired record type from the list.

  3. Enter the record information.

  4. Click Add Record.

DNS zone record types

When you add a new DNS zone record, you can select from the following types:

A

IPv4 Address Record — This record maps hostnames to IPv4 addresses. These records allow DNS servers to identify and locate your website and its various services on the Internet. Without appropriate A records, your visitors cannot access your website, FTP site, or email accounts.

AAAA

IPv6 Address Record — This record is the same as an A record, but maps hostnames to IPv6 addresses.

CAA

Certificate Authority Authorization Record — This record controls which certificate authorities (CA) can issue SSL certificates for a domain.

Note:
  • If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA.

  • MyDNS does not support this record type.

  • The system stores these records in the RFC 3597 format.

This record contains the following configuration settings:

  • Flag — Whether the CA will issue an SSL certificate if the CAA Resource Record contains unknown property tags. For more information about CAA record flags, read the RFC 6844 documentation.

    • 0 — Non-critical. The CA will issue an SSL certificate if the CAA Resource Record contains unknown property tags.

    • 1 — Critical. The CA will not issue an SSL certificate if the CAA Resource Record contains unknown property tags.

  • Tag — The CAA record’s property type:

    • issue — Authorize a CA to issue a certificate for the domain.

    • issuewild — Authorize a CA to issue a wildcard certificate for the domain.

    • iodef — Specify a URL to which a CA may report policy violations.

  • Value — The CA’s domain, or the CA’s URL if you select the iodef setting in the Tag section.
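
Because the system stores CAA records in the RFC 3597 generic format, they appear in a zone file as `TYPE257 \# <length> <hex>` rather than as readable flag, tag, and value fields. The following added example (not cPanel code) encodes and decodes that form and summarizes a zone's CAA set for review. It takes the raw flags octet from the wire format, where RFC 6844 places the critical bit at value 128; the function names and sample records are constructed for illustration.

```python
import re

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags this page lists

def caa_to_rfc3597(flags, tag, value):
    """Encode CAA RDATA (flags octet, tag, value) as RFC 3597 generic text."""
    tag_b, value_b = tag.encode("ascii"), value.encode("ascii")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not tag_b.isalnum() or len(tag_b) > 255:
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value_b
    return f"TYPE257 \\# {len(rdata)} {rdata.hex().upper()}"

def rfc3597_to_caa(text):
    """Decode 'TYPE257 \\# <len> <hex>' back into (flags, tag, value)."""
    m = re.fullmatch(r"TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic CAA data")
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if len(rdata) != int(m.group(1)):
        raise ValueError("declared length does not match the hex data")
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    tag_end = 2 + rdata[1]  # rdata[1] is the tag length
    return rdata[0], rdata[2:tag_end].decode("ascii"), rdata[tag_end:].decode("ascii")

def audit_caa(generic_records):
    """Summarise a CAA set: listed issuers, report URLs, blocking unknown tags."""
    report = {"issue": [], "issuewild": [], "iodef": [], "critical_unknown": []}
    for text in generic_records:
        flags, tag, value = rfc3597_to_caa(text)
        tag = tag.lower()
        if tag in KNOWN_TAGS:
            report[tag].append(value)
        elif flags & 0x80:  # RFC 6844: issuer-critical is the high bit (128)
            report["critical_unknown"].append(tag)
    return report

# Constructed sample records (placeholder names, not from a real zone).
SAMPLE = [
    caa_to_rfc3597(0, "issue", "ca.example.net"),
    caa_to_rfc3597(0, "iodef", "mailto:security@example.com"),
    caa_to_rfc3597(128, "futuretag", "x"),
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", rfc3597_to_caa(line))
    print(audit_caa(SAMPLE))
```

An entry under `critical_unknown` is the case the Flag setting describes: a CA that does not understand that tag will not issue a certificate for the domain.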

CNAME

Canonical Name Record — This record creates an alias for another domain name, which DNS resolves. This is useful, for example, if you point multiple CNAME records to a single A record in order to simplify DNS maintenance. When you add a CNAME record, enter the following information:

  • Name — A new or existing DNS zone name. When you enter a zone name, the system automatically appends the domain name to the zone record. For example, if you create the user zone, the system will add the example.com. domain information.

  • Record — Enter a fully-qualified domain name (FQDN). For example, the example2.com domain. You cannot point a CNAME record to an IP address.

When you are finished, click Add Record to save the new CNAME record.

DMARC

Domain-based Message Authentication, Reporting, and Conformance — This record indicates the action for a mail server to take when it receives an email from this domain, but that message fails SPF and DKIM checks.

Note:

This record type is only available via the Add Record menu. To select this record, click the arrow icon by the Add Record button, then select Add “DMARC” Record from the list.

When you select this record type, the system creates a TXT record with a default DMARC record. The system also displays a form that allows you to define the domain’s DMARC Policy (None, Quarantine, or Reject), as well as the following optional parameters:

  • Subdomain Policy — The action the mail server will take when it receives an email from the domain’s subdomain. The server only takes this action if the email fails its SPF and DKIM checks.

    • None — Do not take any action.

    • Quarantine — Send spam email to a different folder on the account.

    • Reject — Reject spam email.

  • DKIM Mode — The Domain Keys Identified Mail (DKIM) level that the server enforces for the domain. An email must have a valid DKIM signature. The server will check a DKIM signature against the email’s From: domain entry. You can set the following identifier alignment settings:

    • Relaxed — Only the organizational domains must match. For example, an email from the domain.example.com subdomain of example.com would pass the DKIM check.

    • Strict — The domains must match exactly. For example, the server will accept email from the example.com domain, but it would reject email from the domain.example.com subdomain.

  • SPF Mode — The Sender Policy Framework (SPF) level that the server will enforce for the domain. The server sending email must pass SPF authorization. The receiving server checks the sending server against the domain in the SMTP MAIL FROM command, and then checks that MAIL FROM domain entry against the email’s From: domain entry. You can set the following identifier alignment settings:

    • Relaxed — Only the organizational domains must match. For example, an email from the domain.example.com subdomain of example.com would pass the SPF check.

    • Strict — The domains must match exactly. For example, the server will only accept email if the domain is example.com. It would reject an email from the domain.example.com domain.

  • Percentage — The percentage of emails that you want the server to filter.

  • Generate Failure Reports When — The error reporting policy between the sender and receiver’s Mail Transfer Agents.

  • Report Format — The format that the server uses to report an email’s possible spam status.

  • Report Interval — The amount of time, in seconds, that elapses between each aggregate email report. This parameter’s value defaults to 86400.

    Note:

    This value does not include email failure messages.

  • Send Aggregate Mail Reports To — A comma-separated list of Uniform Resource Identifiers (URIs) to which to send the aggregate email reports. If your URI includes a comma, you must URI-encode the comma. To add a size limit for the report, include an exclamation point, a number, and a file size unit to the end of the URI. For example: mailto:reports@example.com!50m. You can specify the following file size units:

    • k — Kilobytes.

    • m — Megabytes.

    • g — Gigabytes.

    • t — Terabytes.

  • Send Failure Reports To — A comma-separated list of URIs to which to send failure email reports.
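
The form settings above end up as tags in the value of a TXT record, and a malformed value is easy to miss once it is saved. The following added example (not cPanel code) checks a DMARC record value against the constraints described in this section, including the `!50m` size suffix on report URIs. The tag names (`p`, `sp`, `adkim`, `aspf`, `pct`, `ri`, `rua`, `ruf`) come from RFC 7489 and do not appear on this page; the function names and sample records are constructed.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
SIZE_UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30, "t": 2**40}
URI_RE = re.compile(r"([a-z][a-z0-9+.-]*:[^!,\s]+)(?:!(\d+)([kmgt]?))?", re.I)

def parse_report_uri(uri):
    """Split 'mailto:addr!50m' into (uri, size limit in bytes or None)."""
    m = URI_RE.fullmatch(uri.strip())
    if not m:
        raise ValueError(f"bad report URI: {uri.strip()!r}")
    limit = int(m.group(2)) * SIZE_UNITS[m.group(3).lower()] if m.group(2) else None
    return m.group(1), limit

def check_dmarc(txt):
    """Return (tags, problems) for the value of a DMARC TXT record."""
    pairs, problems = [], []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
        else:
            problems.append(f"malformed tag: {part!r}")
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p must be none, quarantine, or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine, or reject")
    for key in ("adkim", "aspf"):  # r = relaxed, s = strict
        if tags.get(key, "r") not in ("r", "s"):
            problems.append(f"{key} must be r or s")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if not tags.get("ri", "86400").isdigit():
        problems.append("ri must be a number of seconds")
    for key in ("rua", "ruf"):
        for uri in filter(None, tags.get(key, "").split(",")):
            try:
                parse_report_uri(uri)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return tags, problems

# Constructed sample records (example.com is a placeholder domain).
GOOD = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; pct=100; ri=86400; rua=mailto:reports@example.com!50m"
BAD = "p=rejct; v=DMARC1; pct=150; aspf=x; rua=reports@example.com"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(record, "->", check_dmarc(record)[1] or "no problems found")
```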

MX

Mail Exchanger — This record identifies the servers that handle a domain’s email. Changes that you make to this record control where the server delivers a domain’s email. You can set the following values:

  • Priority — Identifies the servers that handle a domain’s email. This value for each MX record determines the order in which other mail servers will use the domain’s mail server. A lower value indicates a higher priority level. A value of 0 indicates the highest priority level.

  • Destination — The mail server. This must be a fully qualified domain name (FQDN).

SRV

Service Record — This record provides data about available services on specific ports on your server. You can set the following values:

  • Priority — The service record’s priority value. A lower value indicates a higher priority level. A value of 0 indicates the highest priority level.

  • Weight — This value ranks entries that share the same Priority value. For example, a record with a 0 priority level and an 8 weight value will rank lower than a record with a 0 priority level and 4 weight value.

  • Port — The service’s target port number.

  • Target — The service’s target hostname.

TXT

Text Record — This record contains text data for various services to read. For example, TXT records can specify data for SPF, DKIM, or DMARC email authentication.

Important:

The Record text box will accept invalid data. Make certain you enter the correct record information.

Note:

You can use WHM’s Email Deliverability interface (WHM >> Home >> Email >> Email Deliverability) to manage your server’s SPF and DKIM records.

Other Record Type

Use this setting to add or manage a record entry for one of the following record types:

  • AFSDB

  • DNAME

  • DS

  • HINFO

  • LOC

  • NAPTR

  • NS

  • PTR

  • RP

  • SOA

When you select this setting, the system directs you to the Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone).

Edit a DNS zone record

To edit a DNS zone record, perform the following steps:

  1. Click Manage for the domain that you want to modify. A new interface will appear.

  2. Click Edit next to the record that you want to edit.

  3. Update the information in the text boxes.

  4. Click Save Record to save your changes, or click Cancel.

Delete a DNS zone record

To delete a DNS zone record, perform the following steps:

  1. Click Manage for the domain that you want to modify. A new interface will appear.

  2. Click Delete next to the record that you want to remove.

  3. Click Continue to delete the record, or click Cancel.

Reset DNS zone files

Important:

When you reset a zone file, the system removes all custom zone records. Make certain that you save any records you wish to keep before you perform this action.

To reset a domain’s DNS zone file, perform the following steps:

  1. Click Manage for the domain that you want to modify. A new interface will appear.

  2. In this interface, click the gear icon above the table of zone records.

  3. Select Reset Zone from the menu. A confirmation window will appear.

  4. Click Continue to reset the domain’s DNS zone file, or click Cancel.

View DNSSEC Keys

This interface lets you manage a domain’s DNSSEC keys. DNSSEC keys use digital signatures to strengthen DNS authentication. These digital signatures use public key cryptography to sign the DNS data. However, these digital signatures do not sign the DNS queries and responses.

The interface displays the following information:

  • Expand Arrow — This setting will display the following details about a DNSSEC key:

    • Algorithm — The DNSSEC key’s algorithm.

    • Status — Whether the key is active or inactive.

    • Deactivate — Deactivate the DNSSEC key. If you click this setting, a confirmation window will appear.

    • Delete — Delete the DNSSEC key. If you click this setting, a confirmation window will appear.

      Important:

      When you deactivate or delete a DNSSEC key, you must remove the Domain Server (DS) record at your domain registrar. For more information about some popular domain registrars, read the Domain registrar DS records section.

  • Key Tag — An integer value that identifies the domain’s DNSSEC record.

  • Key Type — Whether the key configuration is ZSK, CSK, or KSK.

  • Algorithm — The algorithm type that constructs the digests.

  • Created — The key’s creation date.

You can also perform the following actions for each DNSSEC key:

  • View DS Records — Display the domain’s DS records. The DNSSEC Key Details interface will appear.

  • Export — Export the domain’s DNSSEC key. The Export DNSSEC Key interface will appear.

Create Key

This feature lets you create a new DNSSEC key. You can select whether to create a system-generated key, or create a customized DNSSEC key.

Important:

When you create a domain DNSSEC key, you must configure a DS record with your domain registrar. For more information about some popular domain registrars, read the Domain registrar DS records section.

Quick DNSSEC key creation

To quickly create a DNSSEC key, perform the following steps:

  1. Click Create Key. A confirmation window will appear.

  2. Click Create. The DNSSEC Key Details interface will appear with the keys’ details.

Custom DNSSEC key creation

To create a custom DNSSEC key with a stronger algorithm, perform the following steps:

  1. Click Create. A confirmation window will appear.

  2. Click Customize. The Create DNSSEC Keys interface will appear.

  3. In the Key Setup section, select the desired DNSSEC key configuration:

    • Classic — Create with a ZSK (Zone Signing Key) and a KSK (Key Signing Key) keypair.

    • Simple — Create with a CSK (Combined Signing Key), which the system will use as both the ZSK and KSK. This setting disables the RSA/SHA-256 (Algorithm 8) and RSA/SHA-512 (Algorithm 10) settings in the Algorithm section.

  4. In the Algorithm section, select the desired algorithm:

    • RSA/SHA-256 (Algorithm 8)

    • RSA/SHA-512 (Algorithm 10)

    • ECDSA Curve P-256 with SHA-256 (Algorithm 13)

    • ECDSA Curve P-384 with SHA-384 (Algorithm 14)

  5. In the Status section, select whether to activate the newly-generated key.

  6. Click Create Key. An interface will appear with the new key’s details.

  7. To enable DNSSEC for your domain, you must go to your domain registrar. Use the information provided in this interface to fill out their DNSSEC forms. For more information about some popular domain registrars, read the Domain registrar DS records section.

Import Key

This feature lets you import a DNSSEC key. When you select this setting, the system directs you to the Import DNSSEC Key interface. In this interface, you can perform the following steps:

  1. In the Key Type menu, select whether to import a key as a Key Signing Key (KSK) or Zone Signing Key (ZSK).

  2. Enter the DNSSEC key’s details in the text box provided in the Key section.

  3. Click Import to import the DNSSEC key. A confirmation interface will appear.

Export

This feature provides the information you need to export a DNSSEC key. When you select this setting, the system directs you to the Export DNSSEC Key interface. This interface displays the following details about a domain’s DNSSEC key:

  • Domain — The domain in the DNS record.

  • Key Tag — An integer value that identifies the domain’s DNSSEC record.

  • Key Type — Whether the key is ZSK, CSK, or KSK.

  • Key — The DNSSEC key. Click Copy to copy the key to your computer’s clipboard.

View DS Records

This feature allows you to view a DNSSEC key’s details. When you select this setting, the system directs you to the DNSSEC Key Details interface. This interface displays the following information:

  • Domain — The domain in the DNS record.

  • Key Tag — An integer value that identifies the domain’s DNSSEC record.

  • Algorithm — The algorithm type that constructs the digests.

  • Created — The key’s creation date.

  • Digests — The alphanumeric strings the algorithm generates.

To add a DS Record to the domain’s registrar, perform the following steps:

  1. Determine the digest type that your registrar uses.

  2. Click Copy for the appropriate digest record.

  3. Visit your registrar’s website and add the information that they request for your domain. For more information about some popular domain registrars, read the Domain registrar DS records section.
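
A DS entry that does not match the zone's key makes validating resolvers reject the domain's answers, so it is worth checking the value held by the registrar against the key itself. The following added example (not cPanel code) derives the key tag and the digests from a DNSKEY as RFC 4034 defines them and compares the result with a registrar's DS entry. The function names are hypothetical, and the key material is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, rdata, digest_type=2):
    """DS RDATA text: key tag, algorithm, digest type, digest."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(owner, rdata, registrar_ds):
    """True if the DS entry held by the registrar was derived from this key."""
    fields = registrar_ds.split()
    if len(fields) < 4 or not fields[2].isdigit() or int(fields[2]) not in DIGESTS:
        return False
    # Registrars often display the digest in lowercase or split into groups.
    claimed = " ".join(fields[:3] + ["".join(fields[3:]).upper()])
    return claimed == ds_record(owner, rdata, int(fields[2]))

# Constructed key material: flags 257 (KSK), protocol 3, algorithm 13, and a
# placeholder 64-byte public key. It is not a real ECDSA key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_RDATA))
    for digest_type in sorted(DIGESTS):
        print("example.com. IN DS", ds_record("example.com", SAMPLE_RDATA, digest_type))
```

The digest covers the owner name as well as the key, so the same key exported to a different domain produces a different DS value.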

Domain registrar DS records

Any time you create, modify, or remove a domain’s DNSSEC key, you must configure a Domain Server (DS) record with your domain registrar. The following are some of the most popular domain registrars. Visit their website to read their DNSSEC management documentation.
