Atomia User Panel

Enable DNSSEC for domains

7 views 0

How to enable DNSSEC to allow users in Atomia to use it with their domains


With this setup, a user is able to check DNSSEC status of his domain and to enable or disable it. The option is available from Domain manager page when Edit action is clicked:


Image 1: View of the DNSSEC tab while editing a domain on the Domain manager page in the User Panel.


We say that domain is hosted in Atomia system if the following conditions are met:

  • All domain name servers are Atomia name servers
    In practical terms this means that name servers listed on the Name servers tab (while editing a domain on the Domain manager page) have to match those listed in the Resource description (Nameservers property of the DNS resource).
  • There is a domain zone entry on Atomia nameservers
    In practical terms this means there must be a website for the domain. This includes all website types such as Windows/IIS, Linux/Apache or even a No website type. All the different types are listed on the websites page.

If all the conditions are met, then DNSSEC tab is displaying what is visible on Image 1 above. It is also possible to disable DNSSEC for a domain from the DNSSEC tab once it is enabled.

External DNSSEC

In case a domain is not hosted, it is considered external. External DNSSEC is displayed for such domains in the DNSSEC tab.

Keep in mind

There is one more type of domain beside hosted and external. This is the case when domain is registered externally (doesn’t exist on a domain manager page) but is pointing to Atomia name servers. In this case a user can add website and edit DNS records for that domain in Atomia.

DNSSEC then needs to be enabled from that third-pary system which was used for domain registration and name server update.

However, in order to setup DNSSEC properly, user will need to add DS/DNSSEC records in Atomia via DNS page.

There are several possible scenarios in this case:

  1. There are no DS records in the domain zone and no published DS records on the registry/registrar
    External DNSSEC with no available records
    There is nothing to do in this scenario. User needs to add DS/DNSKEY records in the domain zone (on a third party name servers or in Atomia in case he just forgot to add website to a domain).
  2. There are DS records in the domain zone, but no published DS records on the registry/registrar
    External DNSSEC with available record from the zone
    This is the most common scenario. To publish the record from the domain zone user needs to check the record and click on the Update DS records button.
  3. There are records in the domain zone and matched published records on registry/registrar
    External DNSSEC with published record from the zone
    This scenario usually happens after the record is published as explained in the scenario 2. Clicking on the Update DS records button while the records are un-checked will un-publish them (remove them from the registry/registrar).
  4. There are published records on registry/registrar but there are no matching records in the domain zone
    External DNSSEC with published record and no matching record in the zone
    This is not a common scenario. In this case a matching record should be added to the domain zone. Or a published record should be removed (by un-checking the record and clicking on the Update DS records button).

Good to know

To get the the domain zone records for an external domain, Atomia will parse the output of the following dig command (on a Domainreg server):

dig +trace dnskey

If user just added the record in the domain zone, it may take some time for DNS cache to clear before this command returns something

Before you begin

The Domainreg plug-in as well as the registrar/registry that is being used has to support DNSSEC for domains.

AtomiaDNS should be installed and initial DNSSEC keyset should be added (see Creating the initial DNSSEC keyset for instructions).

Domainreg should be configured to use AtomiaDNS (atomiadns_soap_* parameters in the config file) and then hosted_dnssec_delegation_filter and supports_dnssec configuration parameters should be set up. Make sure you fetched keys from AtomiaDNS and import them in Domainreg.

Configure DNSSEC options

To enable the DNSSEC functionality on the Domain Manager page a couple of settings must be edited in the file C:\Program Files (x86)\Atomia\HostingControlPanel\bin\Atomia.Web.Plugin.Domains.DomainManager.Core.dll.config.

  • A DNSSECVisible and DNSSECEnabled values have to be set to true.
    <pluginSetting name="DNSSECEnabled" value="true" />
    <pluginSetting name="DNSSECVisible" value="true" />
  • The Enable DNSSEC button is available only for supported TLDs. These TLDs are configurable in the same file by adding them as comma separated list:
    <pluginSetting name="DNSSECSupportedTLDs" value=".info,.net,.eu" />
  • To allow users to disable DNSSEC once it is enabled, a ShowDisableDNSSEC value has to be set to true
    <pluginSetting name="ShowDisableDNSSEC" value="true" />


When working with configuration files in Atomia software, it is important that you edit them through transformation files. Please consult our documentation before editing any configuration files. If the files are edited directly the changes will be overwritten by any updates to Atomia.

Useful tip

To automatically enable DNSSEC for a newly registered (hosted) domain, place ProvisioningDescription.EnforceDNSSEC.xml transformation file in C:\Program Files (x86)\Atomia\AutomationServer\Common\ProvisioningDescriptions\Transformation Files folder.

Was this helpful?