cPanel/DNSSEC
cPanel module

DNSSEC

12 functions, invoked through the cpanel_uapi tool.

scope cpanel:uapi
Call any function with cpanel_uapi(service_id, module="DNSSEC", function, params). Live availability depends on the cPanel features JetHost has enabled on your account — call list_cpanel_operations to see what is active.

activate_zone_key GET#

Enable DNSSEC security key

This function activates a DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The security key's domain.
key_idintegerRequired
The security key's ID.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The domain for which the system activated a security key.
errorstring
An error message that describes why the system could not activate the security key. Note: The function only displays this return when the success return is a 0 value.
key_idstring
The security key's ID.
successinteger
Whether the system activated the security key. 1 - Activated. 0 - The system failed to activate the security key.
One of: 1 0

add_zone_key GET#

Create DNSSEC security key

This function generates a DNSSEC zone key for a domain.

Note:

  • After you enable DNSSEC on the domain, you must add the DS records to your registrar.
  • You cannot modify the DNSSEC security key. To make any changes, you must disable (and delete) and re-create the DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

algo_numintegerRequired
The algorithm that the system uses to generate the security key. 5 — RSA/SHA-1 6 — DSA-NSEC3-SHA1 7 — RSASHA1-NSEC3-SHA1 8 — RSA/SHA-256 10 — RSA/SHA-512 13 — ECDSA Curve P-256 with SHA-256 * 14 — ECDSA Curve P-384 with SHA-384 Note: We recommend that you use 'ECDSA Curve P-256 with SHA-256' if your registrar supports it.
domainstringRequired
The domain on which to enable DNSSEC.
key_typestringRequired
The type of key to add. ksk zsk
activeintegerOptional
Whether to activate the newly-created key. 1 — Activate the key. 0 — Do not activate the key.
key_sizeintegerOptional
The key's size, in bits. Note: For the following algo_num and key_type parameters, the key_size defaults to the following values: 5 — ksk 2048 zsk 1024 6 — ksk 2048 zsk 1024 7 — ksk 2048 zsk 1024 8 — ksk 2048 zsk 1024 10 — ksk 2048 zsk 1024 13 — ksk 256 zsk 256 * 14 — ksk 384 zsk 384

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The domain for which the system added a security key.
errorstring
An error message that describes why the system could not add the security key. Note: The function only displays this return when the success return is a 0 value.
new_key_idstring
The security key's ID.
successinteger
Whether the system added the security key. 1 — The system added the security key. 0 — The system failed to add the security key.
One of: 1 0

deactivate_zone_key GET#

Disable DNSSEC security key

This function deactivates a DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The security key's domain.
key_idintegerRequired
The security key's ID.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The domain for which the system deactivated a security key.
errorstring
An error message that describes why the system could not deactivate the security key. Note The function only displays this return when the success return is a 0 value.
key_idstring
The security key's ID.
successinteger
Whether the system deactivated the security key. 1 - Deactivated. 0 - The system failed to deactivate the security key.
One of: 1 0

disable_dnssec GET#

Disable DNSSEC

This function disables DNSSEC on the domain.

Warning:

  • This action is irreversible. If you disable DNSSEC on the domain, you will lose the associated keys. You can only retrieve the previous state with a full backup.
  • If you disable DNSSEC, you must remove the DNS records at the registrar.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The domain on which to disable DNSSEC. Note: To enable DNSSEC on multiple domains, increment the parameter name. For example: domain-0, domain-1, domain-2.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

disabledobject
An array of objects that contain the domains for which the system disabled DNSSEC.
additionalPropertiesinteger
Information about the domains for which the system disabled DNSSEC. 1 — Disabled. 0 — The system failed to disable DNSSEC. Note: This return's name is the domain parameter's value.
One of: 0 1

enable_dnssec GET#

Enable DNSSEC

This function enables DNSSEC on the domain.

Note:

  • After you enable DNSSEC on the domain, you must add the DNS records to your registrar.
  • You cannot modify the DNSSEC security key. To make any changes, you must disable (and delete) and re-create the DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The domain on which to enable DNSSEC. Note: To enable DNSSEC on multiple domains, increment the parameter name. For example: domain-0, domain-1, domain-2.
activeintegerOptional
Whether to activate the newly-created key. 1 — Activate the key. 0 — Do not activate the key.
algo_numintegerOptional
The algorithm that the system uses to generate the security key. 5 — RSA/SHA-1 6 — DSA-NSEC3-SHA1 7 — RSASHA1-NSEC3-SHA1 8 — RSA/SHA-256 10 — RSA/SHA-512 13 — ECDSA Curve P-256 with SHA-256 * 14 — ECDSA Curve P-384 with SHA-384 Note: We recommend that you use ECDSA Curve P-256 with SHA-256 if your registrar supports it.
key_setupstringOptional
The manner in which the system creates the security key. simple — Use a single key for both KSK and ZSK. Use this value when the algo_nom parameter is greater than 8. classic — Use separate keys for KSK and ZSK. Use this value when the algo_nom parameter is equal to or less than 8.
nsec3_iterationsintegerOptional
The number of times that the system rehashes the first resource record hash operation. A positive integer less than 501. Note: In cPanel & WHM version 132 and earlier, the default value is 7.
nsec3_narrowintegerOptional
Whether NSEC3 will operate in Narrow or Inclusive mode. In Narrow mode, PowerDNS sends out white lies about the next secure record. Rather than query the resource record in the database, PowerDNS sends the hash plus 1 as the next secure record. 1 — Narrow mode. 0 — Inclusive mode.
nsec3_opt_outintegerOptional
Whether the system will create records for all delegations. 1 — Create records for all delegations. 0 — Create records only for secure delegations. Note: Only select 1 if you must create records for all delegations.
nsec3_saltstringOptional
A hexadecimal string that the system appends to the domain name before it applies the hash function to the name. For more information about the salt value, read the RFC 5155 documentation. NOTE: In cPanel & WHM version 132 and later, this parameter also accepts the literal value - to indicate that no salt should be used. If you do not declare a value, the system defaults to no salt. In cPanel & WHM version 130 and earlier, if you did not declare a value, the system defaulted to a random 64-bit value.
use_nsec3integerOptional
Whether the domain will use Next Secure Record (NSEC) or NSEC3 semantics. 1 — Use NSEC3 semantics. 0 — Use NSEC semantics. Note: If you use NSEC semantics (0), the system ignores the other NSEC3 options.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

enabledobject
An object containing information about the domains for which the system enabled DNSSEC.
additionalPropertiesobject
Information about the domain for which the system enabled DNSSEC. Note: This return's name is the domain parameter's value.
enabledinteger
Whether the system enabled DNSSEC. 1 — The system enabled DNSSEC. 0 — The system failed to enable DNSSEC.
One of: 1 0
new_key_idinteger
The assigned security key ID.
nsec_versionstring
The version of DNSSEC the system used. NSEC3 NSEC
One of: NSEC3 NSEC

export_zone_dnskey GET#

Export DNSKEY record value

This function exports a domain's DNSKEY record value.

Important:

When you disable the _DNS_ role, the system disables this function.

domainstringRequired
The domain from which to fetch the DNSKEY record value.
key_idintegerRequired
The DNSSEC record's ID.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

dnskeystring
The DNSKEY record value.
key_idinteger
The DNSSEC record's ID.
successinteger
Whether the DNSKEY record exported successfully. 1 - The system exported the record successfully. 0 - The system failed to export the record.
One of: 0 1

export_zone_key GET#

Export DNSSEC security key

This function exports a DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The security key's domain.
key_idintegerRequired
The security key's ID.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The security key's domain.
key_contentstring
The content of the key, which includes the algorithm.
key_idinteger
The security key's ID.
key_taginteger
The security key's internal identifier.
key_typestring
The security key's signing type. CSK - Combined Signing Key. KSK - Key Signing Key. * ZSK - Zone Signing Key.
One of: CSK KSK ZSK
successinteger
Whether the function succeeded. 1 - The function succeeded. 0 - The function failed.
One of: 0 1

fetch_ds_records GET#

Return domain's DS records

This function fetches a domain's Delegation of Signing (DS) records.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The domain from which to fetch DS records. Note: To enable DNSSEC on multiple domains, increment the parameter name. For example: domain-0, domain-1, domain-2.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

additionalPropertiesobject
An object containing the domain's DS record information. Note: The return's name is the domain's name.
keysobject
The DS keys on the requested domain.
additionalPropertiesobject
The information related to the domain's DNSSEC record. Note: The return's name is the key_tag return's integer value.
nsec_detailsobject
An object containing the Next Secure Record (NSEC) information for the selected domain. Note: If the domain uses NSEC semantics, only the nsec_version return appears in the object.
nsec3_hash_algo_descstring
A description of the NSEC3 key's algorithm.
nsec3_hash_algo_numinteger
The DNSSEC Digest Algorithm Number.
nsec3_iterationsinteger
The number of times that the system rehashes the first hash operation.
nsec3_narrowinteger
Whether NSEC3 will operate in Narrow or Inclusive mode. 1 - Narrow mode. 0 - Inclusive mode. Note: For more information about these modes, read PowerDNS's DNSSEC documentation.
One of: 0 1
nsec3_opt_outinteger
Whether NSEC3 will create records for all delegations or only for secure delegations. 1 - Create records for all delegations. 0 - Create records only for secure delegations.
One of: 0 1
nsec3_saltstring
The salt value that PowerDNS uses in the hashes. Note: For more information about the salt value, read RFC 5155.
nsec_versionstring
Whether the domain uses NSEC or Next Secure Record version 3 (NSEC3) Domain Name Security Extensions (DNSSEC) semantics. NSEC NSEC3
One of: NSEC NSEC3

import_zone_key GET#

Add DNSSEC security key

This function imports a DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The security key's domain.
key_datastringRequired
The security key data that the pdnsutil utility's export-zone-key call returns.
key_typestringRequired
The security key's type. ksk zsk

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The domain for which the system imported the zone key.
errorstring
An error message that describes why the system could not import the security key. Note: The function only displays this return when the success return is a 0 value.
new_key_idstring
The security key's ID.
successinteger
Whether the system imported the security key. 1 - The system imported the security key. 0 - The system failed to import the security key.
One of: 0 1

remove_zone_key GET#

Remove DNSSEC security key

This function removes a DNSSEC security key.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The security key's domain.
key_idintegerRequired
The security key's ID.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

domainstring
The domain for which the system removed a security key.
errorstring
An error message that describes why the system could not remove the security key. Note: The function only displays this return when the success return is a 0 value.
key_idstring
The security key's ID.
successinteger
Whether the system removed the security key. 1 — The system removed the security key. 0 — The system failed to remove the security key.
One of: 1 0

set_nsec3 GET#

Update domain to use NSEC3

This function configures the domain to use Next Secure Record 3 (NSEC3) semantics.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The domain on which to enable NSEC3 semantics.
nsec3_iterationsintegerRequired
The number of times that the system re-executes the first resource record hash operation.
nsec3_narrowintegerRequired
Whether NSEC3 will operate in Narrow mode or Inclusive mode. In Narrow mode, PowerDNS sends out white lies about the next secure record. Rather than query the resource record in the database, PowerDNS sends the hash plus 1 as the next secure record. 1 - Narrow mode. 0 - Inclusive mode.
nsec3_opt_outintegerRequired
Whether the system will create records for all delegations. 1 - Create records for all delegations. 0 - Create records only for secure delegations. Note: Only select 1 if you must create records for all delegations.
nsec3_saltstringRequired
The salt value that PowerDNS uses in the hashes. For more information about the salt value, read the RFC 5155 documentation. Note: In cPanel & WHM version 132 and later, this parameter also accepts the literal value - to indicate no salt value.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

enabledobject
Contains the domains for which the system enabled NSEC3. Note: This return's name is the domain parameter's value.

unset_nsec3 GET#

Update domain to use NSEC

This function configures the domain to use Next Secure Record (NSEC) semantics instead of Next Secure Record 3 (NSEC3) semantics.

Important:

When you disable the DNS role, the system disables this function.

domainstringRequired
The domain on which to disable NSEC3 semantics and use NSEC semantics.

Response — normalized as { ok, data, errors[], warnings[] }; data contains:

disabledobject
A list of the domains for which the system disabled NSEC3.
additionalPropertiesinteger
Whether the system disabled NSEC3 on the domain. 1 — Disabled. 0 — The system failed to disable NSEC3. Note: This return's name is the domain parameter's value.
One of: 1 0