The dnssec utility is used to configure DNSSEC for your domains.

Note: The utility is available if the Plesk DNSSEC extension is installed with the paid license. The Plesk DNSSEC extension license is included for free in the Web Pro and Web Host Plesk editions, but not the Web Admin edition. To use the extension in the Web Admin edition, you need to purchase the extension license separately.

Usage

plesk ext dnssec <command> [options] [arguments]

When you sign a domain’s DNS zone with DNSSEC, you can configure a number of settings using the following options: --encryption-algorithm, --ksk-size, --ksk-expiration, and more. If you omit these options, the dnssec utility will apply the default settings specified in Tools & Settings > DNSSEC (under “Additional Services”).

DNSSEC default settings

Example

The following command signs the DNS zone of the example.com domain using the ECDSAP256SHA256 encryption algorithm for the 1024-bit key-signing key (KSK) and 1 year as the KSK rollover period:

plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256 --ksk-size 1024 --ksk-expiration 1 --ksk-expiration-unit years

Commands

Command Argument Description Example
list

Shows the list of all the utility commands.

To see all the utility commands:

plesk ext dnssec list

info --domain-name <domain_name>

Shows the DNS zone settings of a domain.

To see the DNS zone settings of example.com:

plesk ext dnssec info --domain-name example.com

sign --domain-name <domain_name> [options] [arguments]

Signs the DNS zone of a domain.

Note:

If no options are provided, the DNS zone will be signed using default values.

To sign the DNS zone of example.com:

plesk ext dnssec sign --domain-name example.com

unsign --domain-name <domain_name>

Unsigns the DNS zone of a domain.

Note:

When you unsign a domain’s DNS zone, the domain will stop resolving until you remove the corresponding DS resource records from the parent zone. Existing keys will not be removed and you can reuse them later to sign the zone again.

To unsign the DNS zone of example.com:

plesk ext dnssec unsign --domain-name example.com

help <command_name>

Shows the help for the specified command.

Note:

When no command is specified, shows the help for the list command.

To see the help for the sign command:

plesk ext dnssec help sign
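
The note on the unsign command says the domain stops resolving until the DS records are removed from the parent zone. The following wrapper is an added example, not part of Plesk or its documentation: it checks the parent zone for DS records before it calls unsign. The function names, the dig invocation, and the sample dig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Plesk code): refuse to unsign while the parent zone still
# publishes DS records for the domain.

# Constructed samples of `dig +noall +comments +answer DS <domain>` output.
SAMPLE_DS_PRESENT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; ANSWER SECTION:
example.com. 3600 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_DS_ABSENT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322'
SAMPLE_LOOKUP_FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323'

# ds_state: read dig output on stdin and print one of:
#   present - the parent still publishes at least one DS record
#   absent  - the lookup succeeded (NOERROR) and returned no DS record
#   unknown - the lookup did not succeed; an empty answer proves nothing
ds_state() {
    awk '
        /status: NOERROR/ { ok = 1 }
        $1 !~ /^;/ && $3 == "IN" && $4 == "DS" { n++ }
        END {
            if (!ok)        print "unknown"
            else if (n > 0) print "present"
            else            print "absent"
        }'
}

# guarded_unsign <domain>: run the unsign command only when DS is absent.
guarded_unsign() {
    domain=$1
    state=$(dig +noall +comments +answer DS "$domain" | ds_state)
    case $state in
        absent)
            plesk ext dnssec unsign --domain-name "$domain" ;;
        present)
            echo "DS for $domain is still in the parent zone; remove it first." >&2
            return 1 ;;
        *)
            echo "DS lookup for $domain failed; not unsigning." >&2
            return 2 ;;
    esac
}

# Classify the constructed samples (no network access needed).
for sample in "$SAMPLE_DS_PRESENT" "$SAMPLE_DS_ABSENT" "$SAMPLE_LOOKUP_FAILED"; do
    printf '%s\n' "$sample" | ds_state
done
```

A resolver may keep serving a cached DS record until its TTL expires, so run the check after that interval or query the parent zone's authoritative servers directly.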

Options

Option Parameter Description Example
--domain-name <domain-name>

Specifies the domain whose DNS zone the command applies to.

Used with the sign, unsign, and info commands.

To sign the DNS zone of example.com:

plesk ext dnssec sign --domain-name example.com

--encryption-algorithm RSAMD5 | RSASHA1 | RSASHA256 | RSASHA512 | DSA | ECCGOST | ECDSAP256SHA256 | ECDSAP384SHA384 | NSEC3RSASHA1 | NSEC3DSA

Specifies the encryption algorithm for the key-signing key (KSK).

Used with the sign command.

Note:

If the option is omitted, the RSASHA256 encryption algorithm is used by default.

To sign the DNS zone of example.com using the ECDSAP256SHA256 encryption algorithm for the KSK:

plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256

--ksk-size [1024-4096]

Specifies the size (in bits) of the key-signing key (KSK).

Used with the sign command.

Note:

If the option is omitted, a 2048-bit key is used by default.

To sign the DNS zone of example.com using the ECDSAP256SHA256 encryption algorithm for the 1024-bit KSK:

plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256 --ksk-size 1024

--ksk-expiration <number>

Specifies the length of the rollover period of the key-signing key (KSK): for example, 5 years or 6 months.

Used with the sign command and the --ksk-expiration-unit option.

Note:

If the option is omitted, the 5-year rollover period is used by default.

To sign the DNS zone of example.com with the default key-signing key (KSK) size and encryption algorithm, and a 1-year rollover period:

plesk ext dnssec sign --domain-name example.com --ksk-expiration 1 --ksk-expiration-unit years

--ksk-expiration-unit days | months | years

Specifies the length of the rollover period of the key-signing key (KSK): for example, 5 years or 6 months.

Used with the sign command and the --ksk-expiration option.

Note:

If the option is omitted, the 5-year rollover period is used by default.

To sign the DNS zone of example.com with the default key-signing key (KSK) size and encryption algorithm, and a 1-year rollover period:

plesk ext dnssec sign --domain-name example.com --ksk-expiration 1 --ksk-expiration-unit years

--zsk-size [1024-4096]

Specifies the size (in bits) of the zone-signing key (ZSK).

Used with the sign command.

Note:

If the option is omitted, a 1024-bit key is used by default.

To sign the DNS zone of example.com with the default encryption algorithm and a 2048-bit ZSK:

plesk ext dnssec sign --domain-name example.com --zsk-size 2048

--zsk-expiration <number>

Specifies the length of the rollover period of the zone-signing key (ZSK): for example, 5 years or 6 months.

Used with the sign command and the --zsk-expiration-unit option.

Note:

If the option is omitted, the 1-year rollover period is used by default.

To sign the DNS zone of example.com with the default zone-signing key (ZSK) size and encryption algorithm, and a 6-month rollover period:

plesk ext dnssec sign --domain-name example.com --zsk-expiration 6 --zsk-expiration-unit months

--zsk-expiration-unit days | months | years

Specifies the length of the rollover period of the zone-signing key (ZSK): for example, 5 years or 6 months.

Used with the sign command and the --zsk-expiration option.

Note:

If the option is omitted, the 1-year rollover period is used by default.

To sign the DNS zone of example.com with the default zone-signing key (ZSK) size and encryption algorithm, and a 6-month rollover period:

plesk ext dnssec sign --domain-name example.com --zsk-expiration 6 --zsk-expiration-unit months

--version

Shows the utility version.

To see the utility version:

plesk ext dnssec --version

--ansi | --no-ansi  

Enables or disables ANSI escape sequences for the utility output.

By default, ANSI formatting is enabled.

To see all commands of the utility without ANSI formatting:

plesk ext dnssec list --no-ansi