SpipCP
DNSSelf-hosted

DNSSEC

What DNSSEC is and why it matters, turning it on for a self-hosted zone, the DS-record step at the registrar (and verify DS), key rollover, and the one critical warning — pull the DS at the registrar BEFORE removing DNSSEC, or the zone goes BOGUS.

DNSSEC signs your DNS answers so a resolver can prove they really came from you and weren't tampered with on the way. Without it, DNS answers can be forged. With it, a forged answer fails validation and is rejected. For self-hosted DNS, where you control the whole chain, turning it on is a strong, cheap win.

How it works here

PowerDNS does the cryptography: when you enable DNSSEC on a zone, PowerDNS generates the keys, signs the zone, and holds the private keys on your nameserver boxes. Your job is one step at the registrar — publishing a DS record that links the parent zone to your keys, completing the "chain of trust" from the root down to your domain.

The panel reads the DS record from PowerDNS and shows it to you to enter at the registrar. It can't write it there (that's Layer 1, the registrar's side), so as with glue and delegation it guides and verifies.

There is nothing to buy and no “dnssec.io” to sign up for

DNSSEC for a self-hosted zone is entirely contained in your own stack. You don't register with any third party, you don't buy a certificate, and there is no external "DNSSEC service" — dnssec.io is not part of this. Enabling the toggle has your PowerDNS boxes generate the keys and sign the zone; the only thing that leaves your infrastructure is the public DS record, which you paste at your registrar once. The private keys never leave the boxes and never enter the panel database.

Turning it on for a zone

On the zone in Networking → Nameservers → Self-hosted zones (pick the domain in the zone selector), enable DNSSEC. PowerDNS generates the keys and signs the zone on every nameserver box.

The panel shows the DS record (key tag, algorithm, digest type, and digest). At the registrar of that domain, find DNSSEC / DS records and enter the values exactly as shown.

Back in the panel, click Verify DS — it confirms from outside that the parent now publishes a DS that matches your zone's key, so the chain of trust validates end to end.

A zone's DNSSEC panel showing the DS record fields to enter at the registrar, with a Verify DS button
📷A zone's DNSSEC panel showing the DS record to enter at the registrar, with Verify DS.img/dns-dnssec-ds.avif
A zone's DNSSEC panel showing the DS record to enter at the registrar, with Verify DS.

Add the DS only after the zone is signed

Sign the zone first, then publish the DS. Publishing a DS at the registrar for a zone that isn't yet validly signed tells resolvers to expect signatures that aren't there — which makes the zone fail validation (BOGUS) just like the removal mistake below, only in the other direction. The panel's flow enforces this order: it only hands you the DS once the zone is signed.

Key rollover

Keys are rotated periodically (a "rollover"). PowerDNS handles the signing side; what changes on your side is the DS. When the signing key rolls, the DS that represents it changes, so you re-enter the new DS at the registrar and run Verify DS again. The panel shows a pending rollover and the new DS so you know to update it; validation stays intact through the rollover window.

The critical removal warning

This is the one DNSSEC mistake that takes a domain completely offline — read it before you ever turn DNSSEC off.

Remove the DS at the registrar FIRST, or the zone goes BOGUS

Disabling DNSSEC has a strict order: remove the DS record at the registrar first, wait for that to propagate, and only then unsign the zone in the panel.

If you unsign the zone (or delete the keys) while the parent still publishes a DS, every validating resolver sees "the parent says this zone is signed, but the answers aren't" — and treats the whole zone as BOGUS, refusing all answers. The domain effectively disappears for anyone behind a validating resolver, even though your records are fine. The cure (pulling the DS, then waiting out the cache) is slow and painful. So: DS out at the registrar → verify it's gone → unsign. Never the other order.

Next steps

On this page