DNSSEC (Domain Name System Security Extensions) adds a layer of trust to DNS by digitally signing records. It protects against DNS spoofing and cache poisoning by letting resolvers verify that responses haven't been tampered with. This guide covers how to enable DNSSEC in Plesk.

Requirements

  • Plesk for Linux (not available on Windows)
  • BIND DNS server version 9.9 or later
  • Plesk DNSSEC extension installed (free with Web Pro and Web Host editions)
  • Registrar support for DS records

If you don't see a DNSSEC option under your domain, the extension isn't installed — contact your hosting provider.

Step 1: Sign your DNS zone

  1. Log in to Plesk.
  2. Go to Websites & Domains → select your domain.
  3. Click DNSSEC.
  4. Click Sign the DNS Zone.
  5. Use the default key settings (recommended) or customise the algorithm and rollover period.
  6. Click OK to generate keys and sign the zone.

Plesk will display DS resource records — copy these for the next step.

Step 2: Add DS records at your registrar

  1. Log in to your domain registrar (e.g. domains.co.za, GoDaddy, Namecheap).
  2. Find the DNSSEC or DS Records section.
  3. Add the DS records using values from Plesk:
    • Key Tag — numeric identifier
    • Algorithm — usually 8 (RSA/SHA-256)
    • Digest Type — usually 2 (SHA-256)
    • Digest — the hexadecimal hash string
  4. Save. Propagation may take several hours.

Step 3: Verify DNSSEC

  • DNSViz.net — visualises the DNSSEC chain of trust
  • Verisign DNSSEC Debugger — tests complete chain
  • dig: dig yourdomain.com +dnssec @8.8.8.8 — look for the ad flag and RRSIG records

Managing DNSSEC

Key rollover: Plesk handles ZSK rollovers automatically. For KSK rollovers, Plesk notifies you — update DS records at your registrar promptly. Keep both old and new DS records during the transition.

Unsigning: DNSSEC settings → Unsign → immediately delete DS records at your registrar.

Important notes

  • Both Plesk and your registrar must be configured — signing the zone alone isn't enough.
  • Never delete DS records before unsigning, and never unsign without deleting DS records after.
  • KSK rollover is your responsibility — don't ignore notifications.
  • Keep your server clock accurate — signatures use timestamps.

Troubleshooting

DNSSEC option not visible:

  • Extension not installed — ask your provider. Also confirm you're on Linux, not Windows.

Domain stops resolving after enabling:

  • DS records at your registrar are incorrect or missing — re-check against Plesk values.
  • If you recently unsigned, ensure old DS records were deleted.

Validation fails on testing tools:

  • Re-copy DS records from Plesk and re-enter at your registrar.
  • Ensure algorithm is supported (RSA/SHA-256 is safest).

KSK rollover: Copy new DS records from Plesk, add at registrar, keep old during transition, remove old after.

Need help? Open a support ticket.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Add a Domain in Plesk

Adding a domain in Plesk is the first step to hosting a new website. This guide walks you through...
How to Add a Subdomain in Plesk

A subdomain is a third-level domain (e.g., blog.yourdomain.com) that can host a separate section...
How to Add a Domain Alias in Plesk

A domain alias is an alternative domain name that points to the same website as your main domain....
How to Manage DNS Records in Plesk

DNS records tell the internet where to find your website, email, and other services. Plesk...
Understanding DNS Propagation in Plesk

When you add a new domain, change DNS records, or move your website to a new server, the changes...