Atomia User Panel

Enable DNSSEC for domains

16 views 0

How to enable DNSSEC to allow users in Atomia to use it with their domains


With this setup, a user is able to check DNSSEC status of his domain and to enable or disable it. The option is available from Domain manager page when Edit action is clicked:


Image 1: View of the DNSSEC tab while editing a domain on the Domain manager page in the User Panel.


We say that domain is hosted in Atomia system if the following conditions are met:

  • All domain name servers are Atomia name servers
    In practical terms this means that name servers listed on the Name servers tab (while editing a domain on the Domain manager page) have to match those listed in the Resource description (Nameservers property of the DNS resource).
  • There is a domain zone entry on Atomia nameservers
    In practical terms this means there must be a website for the domain. This includes all website types such as Windows/IIS, Linux/Apache or even a No website type. All the different types are listed on the websites page.

If all the conditions are met, then DNSSEC tab is displaying what is visible on Image 1 above. It is also possible to disable DNSSEC for a domain from the DNSSEC tab once it is enabled.

External DNSSEC

In case a domain is not hosted, it is considered external. External DNSSEC is displayed for such domains in the DNSSEC tab. There are two possible scenarios:

1. Atomia has the DNS master data (DNS is hosted with Atomia), but Atomia is not the registrar/parent for the domain.

Keep in mind

There is one more type of domain beside hosted and external. This is the case when domain is registered externally (doesn’t exist on a domain manager page) but is pointing to Atomia name servers. In this case a user can add website and edit DNS records for that domain in Atomia.

DNSSEC then needs to be enabled from that third-pary system which was used for domain registration and name server update.

However, in order to setup DNSSEC properly, user will need to add DS/DNSSEC records in Atomia via DNS page.


2. Atomia has no DNS master data (DNS is hosted with third party hosting provider), but Atomia is registrar/parent for the domain.

In order to enable DNSSEC proceed with following steps:

  1. When DNSSEC is not enabled, there are no DS records in the domain zone and no published DS records on the registry/registrar
    External DNSSEC with no available records
    User needs to generate DS/DNSKEY records in the domain zone on a third party name servers and then add generated DS record from Atomia DNS manager.
  2. Created DS records in the domain zone will be listed under DNSSEC tab in Domain Manager.
    External DNSSEC with available record from the zone
    To publish the record from the domain zone user needs to check the record and click on the Update DS records button.
  3. When publishing process is done, there are records in the domain zone and matched published records on registry/registrar
    External DNSSEC with published record from the zone
    Clicking on the Update DS records button while the records are un-checked will un-publish them (remove them from the registry/registrar).
  4. If customer delete DS records from domain zone, these records will be shown as published records on registry/registrar but  no matching records will be available in the domain zone
    External DNSSEC with published record and no matching record in the zone
    In this case a matching record should be added to the domain zone. Or a published record should be removed (by un-checking the record and clicking on the Update DS records button) and publish new DS records again.

Good to know

To get the the domain zone records for an external domain, Atomia will parse the output of the following dig command (on a Domainreg server):

dig +trace dnskey

If user just added the record in the domain zone, it may take some time for DNS cache to clear before this command returns something

Before you begin

The Domainreg plug-in as well as the registrar/registry that is being used has to support DNSSEC for domains.

AtomiaDNS should be installed and initial DNSSEC keyset should be added (see Creating the initial DNSSEC keyset for instructions).

Domainreg should be configured to use AtomiaDNS (atomiadns_soap_* parameters in the config file) and then hosted_dnssec_delegation_filter and supports_dnssec configuration parameters should be set up. Make sure you fetched keys from AtomiaDNS and import them in Domainreg.

Configure DNSSEC options

To enable the DNSSEC functionality on the Domain Manager page a couple of settings must be edited in the file C:\Program Files (x86)\Atomia\HostingControlPanel\bin\Atomia.Web.Plugin.Domains.DomainManager.Core.dll.config.

  • A DNSSECVisible and DNSSECEnabled values have to be set to true.
    <pluginSetting name="DNSSECEnabled" value="true" />
    <pluginSetting name="DNSSECVisible" value="true" />
  • The Enable DNSSEC button is available only for supported TLDs. These TLDs are configurable in the same file by adding them as comma separated list:
    <pluginSetting name="DNSSECSupportedTLDs" value=".info,.net,.eu" />
  • To allow users to disable DNSSEC once it is enabled, a ShowDisableDNSSEC value has to be set to true
    <pluginSetting name="ShowDisableDNSSEC" value="true" />


When working with configuration files in Atomia software, it is important that you edit them through transformation files. Please consult our documentation before editing any configuration files. If the files are edited directly the changes will be overwritten by any updates to Atomia.

Useful tip

To automatically enable DNSSEC for a newly registered (hosted) domain, place ProvisioningDescription.EnforceDNSSEC.xml transformation file in C:\Program Files (x86)\Atomia\AutomationServer\Common\ProvisioningDescriptions\Transformation Files folder.

Was this helpful?