In this guide, we will explain how to sign a domain zone in Plesk. To enable DNSSEC protection for your DNS zone, you need to sign the zone. Plesk automatically generates signatures using two pairs of asymmetric keys-
the Key Signing Key (KSK) and the Zone Signing Key (ZSK).
Here is how to sign a domain zone –
- In the “Websites & Domains” section of Plesk, select the domain you want to sign.
- Select a domain and click on the “DNSSEC” option.
- Navigate to the “DNSSEC” section and click on “Sign the DNS Zone.”
- If the zone has never been signed before, Plesk will prompt you to generate the keys needed for the signature. You can either use the default values or specify custom values. See the “Recommended Values” section below for guidance.
- If you have previously signed the DNS zone, you have the option to either continue using the previously generated keys or generate new ones. If you choose to generate new keys, you can either stick with the default values or specify custom ones. Here are the recommended values for the Key Signing Key (KSK) and Zone Signing Key (ZSK) generation settings –
- KSK (Key Signing Key) –
- Use a long key and a long rollover period for the KSK.
- Updating the Key Signing Key requires updating the DS records in the parent zone. The recommended values help minimise the need for DS record updates without compromising security.
- ZSK (Zone Signing Key)-
- Use a shorter key and a shorter rollover period for the ZSK.
- The Zone Signing Key is updated automatically. The recommended values help conserve system resources without compromising security.
- KSK (Key Signing Key) –
- After completing the signing procedure, Plesk will display DS records containing hashes of the Key Signing Keys used for signing the zone. Copy these DS resource records to the clipboard and then add them to the parent domain zone.
This way, you can sign a domain zone in Plesk. Hope you liked our article. For the latest updates, don’t forget to check our latest Windows Hosting plans regularly.
