DNSSEC

Any update about DNSSEC? We need this feature urgently.

Is there any way to enable DNSSEC even if it manually? We need that.

I suggest using PowerDNS for this. They have excellent DNSSEC implementation with on-the-fly signing.

But i can use now PowerDNS with DNSSEC in cPanel?

It is completely absurd that cPanel does not support this at this stage. I mean, really? You have a forum thread spanning 2 years of requests and valid reasons for this to be support. Many of which are literally costing your customers money, and its still not been implemented.

For shame...

Hey,

Can we even know if there is some willingness to support DNSSEC at all? Any ETA?

Regards,

Nasir

Today 1.344.357 .nl domains are using DNSSEC. Many of them use cPanel. Take these cPanel users serious! Please speed up the process of implementing DNSSEC in cPanel.

Hi,

I can tell you that all Dutch webhosters using cPanel are very disappointed that this feature is still not implemented.

Why are you ignoring your customers about this?

STILL nothing on DNSSEC?

Brazilian registar (registro.br) is already requesting DNSSEC for some DPNs (it's mandatory).

Is there any update on when cPanel will provide this feature?

STILL nothing on DNSSEC? when we will have a plan for this please ?

This should be on the A list. Not having this feature simply costs money (SIDN gives discounts if you use DNSSEC).

Any update about this? Its very important!

Does cPanel take DNSSEC serious? I due to the lack of DNSSEC have been migrating some accounts over to another DNS System because of the lack of DNSSEC.

How difficult is it really in implementing this needed feature?

Does cPanel not realize that this feature is leaving all of its customers and by extension all of the customers of those customers open to various DNS vulnerabilities such as Cache Poisoning, Client Flooding,

Information Disclosure attacks and Vulnerabilities in sharing a nameserver in DNS.

One would think cPanel with the huge security hole they became part of with the SSHD issues would really be thinking hard and long about security here...

Is there a way to add DNSSEC manually that also works with DNS Clustering and has no problems with subdomains? I'd be happy to create a free WHM plugin to easily manage this if I only knew HOW to make this work technically :)

Can we please get some priority on this one too, this is something that cPanel is lagging behind on against other control panels. DNSSec is now becoming required by a number of domain extensions.

This request has 113 votes and it's still in tagged as "Open Discussion". Please, take this request serious and plan the deployment in the next few cPanel Releases.

It's time to allow us to setup DNSSEC in our dns clusters. Most of the ccTLDs and TLDs already support DNSSEC.

http://www.icann.org/en/news/in-focus/dnssec/deployment-tlds

We are making plans to make the switch to Cpanel, but no support for dnssec and ipv6 is gonna be a big 'showstopper'.

Maybe you can provide a roadmap or timeline ?

Cpanel / WHM, are you currently working on this or are you planning on adding this feature?

Still no way of adding this feature? Its really needed!

Any news regarding DNSSEC?

Really CPanel no body will answer/ack this serious request?

Any news regarding DNSSEC?

Cpanel / WHM, are you currently working on this or are you planning on adding this feature?

Please, take this request serious and plan the deployment in the next few cPanel Releases.

DNSSEC and IPV6 Now!

any update guys?

Looking for an update as well. We run 4 clustered nameservers, and some customers are asking for DNSSEC

For christ's sake guys. Almost 3 years and no DNSSEC implementation despite initial warnings from your customer base that it would eventually be needed, warnings which which were given in 2008. So we'll call that 5 years and nothing. Despite a note in the forum saying "11.36" well we're now 11.38 and no DNSSEC.

This is a serious showstopper for many and will have huge impact on people's businesses. Please fix this. NOW!

Is there any political reasons which stops cPanel team to take this forward?

Feedback from Cpanel would be appriciated. If there are no plans to include this feature we have to move away from Cpanel.

I have reading about DNSSEC for a while now and this is something where Cpanel is not providing serious answers rather No answer at all. It is a great feature. If there is something that is stopping Cpanel to implement it in near future, they must update the community.

We have been looking for DNS SEC support for years, but despite this feature was requested in your forum since 2008 (http://forums.cpanel.net/f145/case-4386-dnssec-support-cpanel-89085.html) and have 161 votes in your Feature Request tool, making it the 7th most requested feature for cPanel by your users, customers and partners, we haven't seen any update or feedback about it from cPanel.

If we make a little search, we even find users on social networks asking for this, but not much details about ETA: https://twitter.com/cPanel/status/8087668148

DNSSEC implementation doesn't seem to be as hard to implement as IPv6, but it has been forgoten.

In Portugal and most of the European countries, DNSSEC implementation has been a success, and Registries for ccTLDs even offer discounts for Registrars that implement DNSSEC.

http://www.internetsociety.org/deploy360/dnssec/maps/

Our enterprise customers are asking for this feature each month, but unfortunally we can't offer a integrated support as we use cPanel, wich doesn't support it.

We would like to inform you one more time for the importance of DNS SEC implementation for us and your customers and ask you for any feedback or ETA that you can provide us about this.

Voted, the Icelandic registrar just added DNSSEC support, would be great to have this option ASAP!

PowerDNS has a quite powerful and simple to use "flick the switch" DNSSEC solution. So this could be implemented by adding PowerDNS support to cPanel.

https://www.powerdns.com/dnssec.html

DNSSEC is here to stay. More and more ccTLD's are moving to implement this and before long, it will be mandatory for many registrars if they wish to be able to host and offer ccTLD domains to their clients.

Now, many ccTLD's already offer EPP plugins to be used that saves cPanel AND us a whole lot of work if people would simply bother reading up on it instead of just crying "I want it".

@cPanel

DNSSEC / SHA256 (SHA1 is used in only 1 thing) / softHMS / Resolver & Enforcer / NSEC & NSEC3 and so on... They are all well documented and fairly straightforward.

We're not interested in having to customize our installations to meet the ccTLD's demands as it'll break for each blimey update from you.

@kman

PowerDNS lacks a crucial ability and 2 for everything that DNSSEC needs to work properly, but there are ways around it adding something else to "fill those gaps".

BIND can be used as long as it's 9.7+ with some tweaks as well.

Norid is implementing DNSSEC as well and it will be in production in January already. I should know...just spent the 2 last days in conference with them...

http://www.norid.no/registrar/ordning/seminar/regseminar-2013-12/regseminar-2013-program.en.html

http://www.norid.no/registrar/ordning/seminar/kurs/DNSSEC-kurs-2013.en.html

@cPanel, any update on this? It's been 5+ years since the original request was made. It's really concerning to see the lack of motivation on cPanel's part.

Is there any news around this topic @cPanel ??

And @Tomas hi :-)

Hello @cPanel admins.

Is this not "hot" wish around ?? Come on admins and wote this case upp to 3 on the top :-)

LeifG

I agree with stronger security on cPanel Web Servers, cPanel Servers and cPanel DNS Only Servers to help provide better security to protect user websites and private data such as credit card information from client from getting into the wrong hands and being hacked.

Strong passwords and use of SSl Certificates are great but hackers these days are getting smarter every day and things like DNSSEC are needed to help put server admins, clients and customers minds at ease.

I am really want more stronger security solutions with helping keeping websites secure.

Thank you cPanel for the great work so far.

Any new about this

Dear cPanel,

I would like to bring at your attention this article posted at ICANN Blog, 22/January/2014:

"DNSSEC Surpasses 50%!"

/http://blog.icann.org/wp-content/uploads/2014/01/signed-tlds-800x564-22jan14-en.png

1. Through the hard work of many in the Internet community, the majority of top-level domains in the root now deploys DNSSEC.
   
   

   DNS Security Extensions provide the biggest security upgrade to Internet infrastructure in more than 20 years. By deploying cryptographic records alongside existing DNS records, DNSSEC-enabled systems can verify that the information received from the DNS has not been modified in transit and is what was intended by the Registrant who sent it.

   
   

   The 50% milestone complements a long list of successful efforts by the community and ICANN that have brought us to this point. Starting with the development of the protocols to secure the DNS in the mid-90s, trendsetting deployment by security-conscious TLDs (e.g., .se), government requirements, public vulnerability discoveries (e.g., Kaminsky), deployment at the root by an international team; to ISP and DNS operator (e.g., Google) support – the trend is clear.

   
   

   We have also witnessed and benefited from widespread deployment and support of DNSSEC by some Registrars in some countries (e.g., .nl, .se). And with DNSSEC support required of the over 1000 new gTLDs, we shall continue to enjoy widespread implementation of DNSSEC at the infrastructure level.

   
   

   But we still have a way to go. Without widespread deployment by Registrants on their domain names, end users and content providers cannot benefit from all of the security, and new and innovative opportunities that DNSSEC will bring. However, with the help of Registrars, DNS operators, vendors, ISPs, as well as the awareness and training efforts that ICANN and other organizations provide, we hope that securing Registrant DNS content, whatever it is, will become widespread and that Internet users may one day enjoy the simple trusted experience that using the ‘Net once was.

   
   

   Rick Lamb

   SR. PROGRAM MANAGER, DNSSEC

Any news regarding this. We are realy missing this future!

Please add DNSSEC for WHM and CPanel.

Thanks in advance.

We defenetly need this feature. Customers are now asking for it, almost all tld's that we sell support it. Our competitors support it! We feel left behind by not being able to offer it :(

How complicated would this be to implement ? What's missing for this feature request to make it to the planning stage ? Thank's :)

Any updates on this request?

This is very much needed.

wow I was shocked to see there is no DNSSEC support yet.. please add it

Although I have written here before, I have to ask the #cPanel team if there are any updates on this topic.

Thanks

Leif G

Norway

I can't see a cPanel response to this? We need DNSSEC NOW!

we need not only DNNSE, but also DANE badly.

Otherwise we need to look for alternative solutions than cPanel.

Anybody should have understand that it is a MUST today.

Walking through this thread from the beginning, it is stunning that there is not at least an acknowledgement from WHM/CPanel that they have taken notice of customer interest. I am quite content that they have devoted their resources to other improvements particularly as I have no sense of the commitment of time and talent implementing DNSSEC functionality. But courtesy calls for at least a nod to people's concern.

275 votes and not a single response from cPanel to indicate they have even seen this. More than odd.

I have a local government entity that has a .gov domain and apparently DNSSEC is required. I will have to find a 3rd party to host the DNS, which is silly.- Scott

We host several .gov domains for local entities like sneader above, and were using cPanel DNS Only prior to this to handle all of our DNS needs. However, now that we've migrated up to needing DNSSEC (and this should be something all serious webmasters should be looking at moving to), we've had to setup our own 5 node DNS cluster to handle DNS with DNSSEC. It's a shame that with the rabid loyalty that we show for cPanel, cPanel can't show some loyalty back and even acknowledge they are working on this. Imagine if this was an in person conversation, and how rude it would be to ignore the people in front of you talking to you. Don't let the distance of the Internet allow you to degrade into disrespect.

Just figured people would appreciate that some response has been gleaned. I started a feature request labeled:

As a user of cPanel products, I'd like to know that their staff actually pays

attention to this feature request area.

The gyst:

Many feature request items in this list lack any response from cPanel staff whatsoever. It's extremely disappointing and is seen as disinterest. While the feature request area implies that cPanel cares what the user base would like to see and listens, the lack of response to many posted questions for cPanel within each feature request completely reverses that implication. A specific example is the DNSSEC request which has over a dozen requests for input from users to cPanel with 0 responses to date over the past year.

Their response:

A variety of cPanel staff consistently reviews and monitors the feature

request website. While they may not always publicly respond, comments are read

and feature votes are taken into account. DNSSEC is a feature that is

definitely under the spotlight for cPanel & WHM. However, our staff providing

frequent low content updates to the feature is seen as unproductive. We would

like to only provide meaningful and helpful updates. We will, of course, share

further updates with this (and any other feature) as information and plans

surrounding them become solidified.

My response:

Those "frequent low content updates" don't need to be frequent, just an update to let us know you're listening and not completely ignoring your userbase. Some acknowledgement would do wonders for your PR. This is the same as a call centre agent that says "I'm still here, please wait" once every minute or two. Or you could sit on hold with no background music and wonder if you've been hung up on.

Keep in mind this was a while ago (Jan 2014). I meant to post this way back when, but it completely slipped my mind. Still not terribly impressed with the lack of comments on cPanel's part, but it's something.

-Tyler

they just make millions and the victims keep paying ...

before 2-3 yrs cpanel was top, now its too poor in features than it should for our age

Holy cow... is this serious or the MySQL query of this response was locked... ? Hey guys did you check the updates for WHM 19.65.01 (i think there is a Beta) ?

No way... cPanel, i will change my mind... seriously.

almost 300 votes and no answer..

This is starting to get beyond a joke... One of the world's leading web hosting platform providers not supporting the biggest security implementation the internet has seen in over 20 years? Seriously, people need to get up and do something...

I agree. Seems to be the 'if it's not broken don't fix it, solve it' mentality. My personal preference is about strict compliance, personally - if it can, and strictly speaking, should be there, then so be it.

Another vote for DNSSEC, cPanel. What is the delay?

I am the 300th, hope they will consider seriously this feature. Anyone know a 3th party that do a plugin for cPanel?

I found a plugin for it : http://admin-ahead.com/admin-ahead-dnssec-cpanel-whm-plugin/

DNSSEC is fundamental for security on the internet in the next generation, allowing us to link to DNS certificates for HTTPS, email, and SSH. It as an important, fundamental technology which will allow lower cost high security.

It is clear to forward-thinking people that DNSSEC is a required feature in cPanel. I hope the staff can come to this understanding as well.

Just install the plugin from Admin-Ahead, simple, fast and works perfect!

http://admin-ahead.com/admin-ahead-dnssec-cpanel-whm-plugin/

I would love to offer this on my servers.

Could anyone help me if this is possible to implement from the commandline?

Can I add a dnskey record manually?

> dig dnskey yourdomain.com

Anyone know the command to generate a certificate?

Any help would greatly be appriciated ;)

We have customers requesting this, and it would be nice to direct them to a feature in cPanel rather than a 3rd party paid plugin from an unknown company. I'm sure they're fine and reputable, but we've already trusted cPanel on our servers so there should be no reason to add to the trust-chain for something so heavily security-based.

I currently use the Admin-Ahead plugin and while it works, it has caused a few concerns in the past. Namely, it doesn't always allow a newly updated subdomain to be added without manually unsigning and resigning a domain. This adds a fair bit of extra legwork because you now have to take the new signing data and submit it to the TLD.

It does work, though, and they've always been decent about making sure the issues are solved within a few hours to a day. My only other complaint is with their locked license system. If you transfer a VPS to a new server, you can't just request a new license from the customer portal, you are forced to send them an email and request with details. Not necessarily a bad thing if you know up front, but when you're doing a transfer and you're stuck waiting a few hours for a response because the billing department isn't always open ... well.

Anyways, that aside, I'm getting extremely annoyed with cPanel and this feature request (this one in particular). Not a single response from them, no updates, etc. I'm seriously considering dropping them as my backend provider. The competitor's response and speed with which they picked up these "features" shows just how much they care about their clients wishes. cPanel's response, or lack thereof, has been basically said "screw you, we'll get to it when we feel like it".

cPanel only responds to features when they either have questions or when it's been planned and they have something to show.

In my oppinion they have been working hard at implementing features, versions have been comming out faster than before with each time some quite major features and quite a few smaller features.

Each release has had one major feature and a few smaller ones.

Look at the features that haven't been planned yet, this feature is near the top of the list.

2FA might make it in before because it's got more votes but I guess this will make it to planned stage soon after. cPanel will add an update when they have more info. It can't be said that they haven't been working hard with the new language system followed probably beginning 2015 by the new completly reworked easyapache.

Soon the pre-release will move to released, the planned will be moved to in progress and shortly after we'll get an idea what will be comming in 11.50... My guess is 2FA will be 11.50 and this feature 11.52. Only a guess as depending on how complicated this is to implement it could make it to 11.50 too or might be added before 2FA as cPanel listens to votes but they are not the only criteria used for choosing what feature will be next.

11.52? 11.46 was just released which means we're looking at 6 major releases. At a new major release every 3 months, that's near 1.5 years away. This feature request, specifically, will be almost 4 years old at that point. The original thread it spawned from will be This is absolutely unacceptable. Their lack of communication with their customer base is also absolutely unacceptable.

It's not hard to put 3 sentences into a response form and let the world know they actually see what we're writing. This features area is completely pointless if they aren't reading it and if they are reading it an extra 25 seconds to respond to the userbase would save a large majority of the people complaining in threads such as this one.

Call a call center one day (having worked at one in the past). We were told to say a quick word or two at least every 60 seconds to let the customer know we weren't ignoring them and the call was still active. It takes no time whatsoever to "we're here and we're listening to you", but 2-4 years of saying nothing is the equivalent of saying "we don't care".

Perhaps my next piece will just be seen as "stirring the pot", but I have a PM from cPanelMichael dated Dec 23, 2013 (which I apparently missed before today) stating:

"Hello

There are currently no active plans to implement support for DNSSEC. That's not to say it won't happen, but it's not a feature that our development team is actively working on implementing. Feature requests are monitored, so it's a good idea to continue to show your support by voting for and adding comments to it.

Thank you."

@cPanel, any update on this? The lack of cPanel admin's comment's in this request is concerning !! Please give a update @cPanel

Thanks in advance :-)

Hello,

Both BIND and NSD support the record types needed for DNSSEC support. Right now if you add the necessary records to a zone file, everything should "just work." We could add the record types to the various DNS editors within cPanel & WHM.

Beyond adding the record types, what else would you look for as the minimum requirements for DNSSEC?

In a Cluster Environment you are unable to sync the records and if you edit the domain zone, it will "break" the DNSSEC records.

This needs to be implemented in cPanel as a supported feature with the correct integration. There should be a wizard to generate the keys and sign the zone.

Editing the records will require the zone be re-signed by the "signing authority", which I believe is the registrar. If I misunderstand that, please feel free to correct me.

We can certainly add some functionality, similar to our DKIM support, for generating keys and ensuring they are backed up and restored.

I'm not sure what use a wizard would have for this feature. Could you expand on that a bit?

I'm actually shocked there wasn't any support for DNSSEC when I licensed my server with it. Keep in mind the DNS Cluster should also have the ability to tell nameservers the resigning has to be done when zone is changed and also the ZSK's should be passed on. Perhaps some encryption would be nice on the stored data to generate key's although lot of it has salt in it.

Here a link that explains the scripts of DNSSEC: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

Tell your friends to vote! Let's get above 360 to climb higher in the list!

This is the next step for cPanel in 11.50: setup a easy and good tools for manage DNSec !

Great news!

To be honest no DNSSEC (we are not even talking about DANE) support is more then a joke. A lot of setups require this and the feature is a must have.

Moderator: This is not the place to promote third party services.

Why should we have to pay $5 or $10/mo for a standard DNS functionality that cPanel/WHM should already have?

Although I appreciate the effort, I do not think, at all, that this is the place to advertise a third-party service that's commercial. This "advertisement" basically went out under the cPanel mailing list, which attaches, if you're not careful to come check it out, a sense of legitimacy and association with, or by, cPanel. I seriously doubt that's what cPanel intended, and I think that needs to be corrected. It would be just like me advertising my hosting services by posting comments on all the cPanel feature requests. No beuno.

I agree its not the place to advertise, but come on cpanel you guys take forever to implement some very key things that should be standfard by now. So long that other people have time to make plugins and sell them! If you dont like this practice, then get moving and actually complete some of these features!

@cPanel

How about a statement regarding where you now currently stand on this request that is now already years old and yet so important to any registrar to be able to offer this service without having to rely on a ad-hoc system for this or 3rd party software/server setup.

Just a suggestion for the main page design of the DNSSEC Zone Sign.

Hello,

Any update about this feature? This is the MOST important thing right now for cPanel, imho.

Could you guys give us a heads up? In-Progress? Planned? Or anything?

---

Thanks

Scara

Any update about this feature?

Unless cPanel gets up to speed delivering what the buyers want, people might start to abandon ship...and put their thick wallets elsewhere...

Unfortunatly still waiting on this feature, not hardest thing to do I guess.

Any update if this is ignored, being discussed or investigated at all cPanel?

Would it be possible to get even the tiniest update here from cPanel? I'd be satisfied even with a "this has been shelved until X" rather than just floating the nether void waiting for a word from the almighty.

Would it be possible to get even the tiniest update here from cPanel? I'd be satisfied even with a "this has been shelved until X" rather than just floating the nether void waiting for a word from the almighty.

cPanel Team? Anything? It's so basic but still not in place :(

For the price they charge, Cpanel does a good job as far as I am concerned and I am very happy with the way they handle the suggested features.

If introduction of some items are slow, then there must be good reason.

Be thankful the license is only a few dollars a month.

Hi everyone,

Sorry for the noise with the fraudulent accounts. We have had a user register multiple accounts with different throwaway email accounts. We know it was the same users considering they all used the same IP address to connect with.

This feature is something we would like to implement. However due to the many different countries implementing DNSSEC and no single standard of how they implement it has made this difficult to offer to our customers. We have been investigating a simpler solution that would mirror the functionality provided by other DNS solutions like Google DNS. We haven't come up with a solution we are happy with yet. We are continuing you work on this for future development.

Thank you for your continued patience,

Travis

We've had some concerns from some of our larger clients about this matter as some online DNS Tests are now specifically testing for DNSSEC such as the pingdom DNS and are failing the entire test if DNSSEC is not implemented.

Hi cPanel Team,

Any update on DNSSEC ? This is a standard and should be a big issue to implement. The argument everybody is using different methods is a valid one. Please see link below regarding implementation, this is really starting to be a huge issue. As a webhoster DNSSEC is mandatory these days.

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

WoW! Status changed to planned.

Do you have ETA for that?

Hello Everyone!

We have begun planning this feature for cPanel & WHM. We have a solution that looks very promising, but will still require development by our team. We are targeting this for cPanel & WHM version 60, and should begin development in the next two months. Our first iteration should be very simple and provide customers with the relevant info they need to secure their records with their registrars.

If you have any questions or would like to be involved with any testing we might do, please email me at travis@cpanel.net

Thanks!

Travis

All thumbs upp :-) http://awesomegifs.com/2014/04/26/thumbs-up/ ... for cPanel staff

Hurray! Finally some progress on this feature request.

Woohoo,

4 years later... about bl###y time!

Hurray! Finally some progress on this feature request.

I think this qualifies for a "Hallelujah" !!

Better late than never?

This request is now officially in progress! It is aimed at v60 right now, but it's still very, very early in the development process for v60. As soon as there's an EDGE build with this feature in it, I'll update everyone here!

Great news! Thank you very much for this update.

I want to thank you for finally putting this into production, however you're like 2 years too late getting started on this very important feature that was requested 4 years ago... I look forward to the first stable build rolling out with this feature.

This is now available in a public release on the EDGE tier, version 59.9999.70.

* Implemented case CPANEL-7983: Add support for DNSSEC with PowerDNS.

200 weeks on hold to start, 2 weeks for beta development. Something seems not working here.

Version 60 is now available in CURRENT, and includes this feature. Note, the first iteration doesn't include Clustering support, but that's definitely on our list of features we'd like to add in the future. If you're interested in seeing that sooner rather than later, please add your vote here:

https://features.cpanel.net/topic/dnssec-support-in-clustering

You can see DNSSEC in the release notes here:

https://documentation.cpanel.net/display/60Docs/60+Release+Notes#id-60ReleaseNotes-DNSSECwithPowerDNS

If you have questions, feel free to follow your normal support procedures or email me.