How to Rotate a DNSSEC Key - Illevante Cloud

title: How to Rotate a DNSSEC Key created at: Sat Nov 09 2024 11:00:35 GMT+0000 (Coordinated Universal Time) updated at: Sat Feb 08 2025 14:22:56 GMT+0000 (Coordinated Universal Time) --- # How to Rotate a DNSSEC Key # Overview This document describes how to rotate a domain’s DNS Security Extensions (DNSSEC) keys on a server. You can rotate your domains’ DNSSEC keys regularly to increase your DNS record’s security. For more information about DNSSEC in cPanel & WHM, read our [DNSSEC](https://docs.cpanel.net/knowledge-base/dns/dnssec/) documentation. !! Important: !! We recommend that you rotate your domain’s DNSSEC keys yearly. !! The system includes DNSSEC keys in an account’s backup file. You do **not** need to create new DNSSEC keys if you transfer the account to another server. For more information, read our [Backup Tarball Contents](https://docs.cpanel.net/knowledge-base/backup/backup-tarball-contents/) documentation. !! For more information about DNSSEC key rotation, we **strongly** suggest that you read the [RFC 6781](https://tools.ietf.org/html/rfc6781#section-4) documentation. # Rotate the key (on PowerDNS 4.2) To rotate a DNSSEC key, perform the following steps: 1. Navigate to cPanel’s [*Zone Editor*](https://docs.cpanel.net/cpanel/domains/zone-editor/) interface (*cPanel* » *Home* » *Domains* » *Zone Editor*). 2. For the domain that you wish to manage, click *DNSSEC*. The DNSSEC interface will appear. It will will display a recommendation for when you should rotate this key. 3. Generate a new DNSSEC key for the domain. 4. Navigate to your domain registrar and enter the new DNSSEC key information for the domain. !! Note:\ Many registrars provide a Manage DNSSEC option in their domain management portals. If they do not provide that option, you **must** manually add a DS record through their management portal. 1. Wait 24 to 48 hours for the DS record to propagate. 2. Remove the old DNSSEC key information for the domain from the registrar. 3. Navigate to cPanel’s [*Zone Editor*](https://docs.cpanel.net/cpanel/domains/zone-editor/) interface (*cPanel* » *Home* » *Domains* » *Zone Editor*) and delete the old DNSSEC key.