dnssec: DNSSEC
The dnssec utility is used to configure DNSSEC for your domains.
Note: The utility is available if the Plesk DNSSEC extension is installed with the paid license. The Plesk DNSSEC extension license is included for free in the Web Pro and Web Host Plesk editions, but not the Web Admin edition. To use the extension in the Web Admin edition, you need to purchase the extension license separately.
Usage
plesk ext dnssec <command> [options] [arguments]
When you sign a domain’s DNS zone with DNSSEC, you can configure a number of settings using the following options: --encryption-algorithm, --ksk-size, --ksk-expiration, and more.
If you omit these options, the dnssec utility will apply the default settings specified in Tools & Settings > DNSSEC (under “Additional Services”).
Example
The following command signs the DNS zone of the example.com domain using the ECDSAP256SHA256 encryption algorithm for the 1024-bit key-signing key (KSK) and 1 year as the KSK rollover period:
plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256 --ksk-size 1024 --ksk-expiration 1 --ksk-expiration-unit years
Commands
Command | Argument | Description | Example |
---|---|---|---|
list | | Shows the list of all the utility commands. | To see all the utility commands: plesk ext dnssec list |
info | --domain-name <domain_name> | Shows the DNS zone settings of a domain. | To see the DNS zone settings of example.com: plesk ext dnssec info --domain-name example.com |
sign | --domain-name <domain_name> [options] [arguments] | Signs the DNS zone of a domain. Note: If no options are provided, the DNS zone will be signed using default values. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com |
unsign | --domain-name <domain_name> | Unsigns the DNS zone of a domain. Note: When you unsign a domain’s DNS zone, the domain will stop resolving until you remove the corresponding DS resource records from the parent zone. Existing keys will not be removed and you can reuse them later to sign the zone again. | To unsign the DNS zone of example.com: plesk ext dnssec unsign --domain-name example.com |
help | <command_name> | Shows the help for the specified command. Note: When no command is specified, shows the help for the | To see the help for the sign command: plesk ext dnssec help sign |
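
The unsign note above implies an ordering: the DS records have to be gone from the parent zone before the zone is unsigned. A guard for that check, as an added example that is not part of Plesk; the function names and sample answers are constructed for illustration, and the DS answer is passed in as text so the logic runs offline.

```shell
#!/bin/sh
# Added example (not Plesk code). Decides whether unsigning is safe from the
# text of `dig +short DS <domain>`, passed in as $2.

# Count well-formed DS records: key tag, algorithm, digest type, hex digest.
ds_count() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
         $4 ~ /^[0-9A-Fa-f]+$/ { n++ }
         END { print n + 0 }'
}

# unsign_guard DOMAIN DS_ANSWER
#   0: no DS in the parent zone; prints the unsign command to run
#   1: DS still published; unsigning now would break validation
#   2: lookup failed (dig diagnostics start with ";;"); nothing can be concluded
unsign_guard() {
    domain=$1
    answer=$2
    # An empty answer caused by a timeout must not be read as "no DS".
    if printf '%s\n' "$answer" | grep -q '^;;'; then
        echo "undetermined: DS lookup for $domain failed, retry before unsigning"
        return 2
    fi
    n=$(printf '%s\n' "$answer" | ds_count)
    if [ "$n" -gt 0 ]; then
        echo "blocked: $n DS record(s) for $domain still in the parent zone"
        return 1
    fi
    echo "plesk ext dnssec unsign --domain-name $domain"
}

# Constructed sample answers (the digest is a made-up value, split the way
# dig prints long digests).
SAMPLE_DS='12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF'
SAMPLE_ERR=';; connection timed out; no servers could be reached'

# Live use (needs network access and dig):
#   unsign_guard example.com "$(dig +short DS example.com)"
```

Resolvers may keep a removed DS record cached until its TTL expires, so a clean answer from one resolver is a lower bound on the waiting time, not a guarantee.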
Options
Option | Parameter | Description | Example |
---|---|---|---|
--domain-name | <domain-name> | Signs the DNS zone of a domain. Used with the sign command. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com |
--encryption-algorithm | RSAMD5 \| RSASHA1 \| RSASHA256 \| RSASHA512 \| DSA \| ECCGOST \| ECDSAP256SHA256 \| ECDSAP384SHA384 \| NSEC3RSASHA1 \| NSEC3DSA | Specifies the encryption algorithm for the key-signing key (KSK). Used with the sign command. Note: If the option is omitted, the RSASHA256 encryption algorithm is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256 |
--ksk-size | [1024-4096] | Specifies the size (in bits) of the key-signing key (KSK). Used with the sign command. Note: If the option is omitted, a 2048-bit key is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --encryption-algorithm ECDSAP256SHA256 --ksk-size 1024 |
--ksk-expiration | <number> | Specifies how long the rollover period of the key-signing key (KSK) is: for example, 5 years or 6 months. Used with the sign command. Note: If the option is omitted, the 5-year rollover period is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --ksk-expiration 1 --ksk-expiration-unit years |
--ksk-expiration-unit | days \| months \| years | Specifies how long the rollover period of the key-signing key (KSK) is: for example, 5 years or 6 months. Used with the sign command. Note: If the option is omitted, the 5-year rollover period is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --ksk-expiration 1 --ksk-expiration-unit years |
--zsk-size | [1024-4096] | Specifies the size (in bits) of the zone-signing key (ZSK). Used with the sign command. Note: If the option is omitted, a 1024-bit key is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --zsk-size 2048 |
--zsk-expiration | <number> | Specifies how long the rollover period of the zone-signing key (ZSK) is: for example, 5 years or 6 months. Used with the sign command. Note: If the option is omitted, the 1-year rollover period is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --zsk-expiration 6 --zsk-expiration-unit months |
--zsk-expiration-unit | days \| months \| years | Specifies how long the rollover period of the zone-signing key (ZSK) is: for example, 5 years or 6 months. Used with the sign command. Note: If the option is omitted, the 1-year rollover period is used by default. | To sign the DNS zone of example.com: plesk ext dnssec sign --domain-name example.com --zsk-expiration 6 --zsk-expiration-unit months |
--version | | Shows the utility version. | To see the utility version: plesk ext dnssec --version |
--ansi \| --no-ansi | | Enables or disables ANSI escape sequences for the utility output. By default, ANSI formatting is enabled. | To see all commands of the utility without ANSI formatting: plesk ext dnssec list --no-ansi |
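
A pre-flight check for the algorithm and key-size options in the table above, as an added example that is not part of Plesk or its documentation. The ratings are the DNSSEC signing column of RFC 8624 section 3.1; the 2048-bit RSA floor is an assumed local policy (it matches NIST SP 800-131A), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Plesk code): vet --encryption-algorithm and key sizes
# before running `plesk ext dnssec sign`.

# algo_rating ALGORITHM -> ok | discouraged | forbidden | unknown
algo_rating() {
    case $1 in
        RSASHA256|ECDSAP256SHA256|ECDSAP384SHA384) echo ok ;;          # MUST / MAY
        RSASHA1|NSEC3RSASHA1|RSASHA512)            echo discouraged ;; # NOT RECOMMENDED
        RSAMD5|DSA|NSEC3DSA|ECCGOST)               echo forbidden ;;   # MUST NOT
        *)                                         echo unknown ;;
    esac
}

# vet_sign ALGORITHM KSK_BITS ZSK_BITS
#   0: nothing to flag   1: usable but flagged   2: do not sign with this
vet_sign() {
    algo=$1; status=0
    case $(algo_rating "$algo") in
        forbidden)   echo "reject: $algo is MUST NOT for signing"; return 2 ;;
        unknown)     echo "reject: $algo is not among the listed values"; return 2 ;;
        discouraged) echo "flag: $algo is NOT RECOMMENDED for signing"; status=1 ;;
    esac
    case $algo in
        ECDSA*)
            # The curve fixes the key length; a bit-size value adds no strength.
            echo "note: $algo key length is set by the curve, not by a size option" ;;
        *)
            for pair in "KSK:$2" "ZSK:$3"; do
                role=${pair%%:*}; bits=${pair#*:}
                case $bits in ''|*[!0-9]*) echo "reject: $role size is not a number"; return 2 ;; esac
                if [ "$bits" -lt 1024 ] || [ "$bits" -gt 4096 ]; then
                    echo "reject: $role size $bits is outside 1024-4096"; return 2
                elif [ "$bits" -lt 2048 ]; then
                    echo "flag: $role RSA key of $bits bits is below the 2048-bit floor"; status=1
                fi
            done ;;
    esac
    return $status
}
```

Run against the defaults stated on this page (RSASHA256, 2048-bit KSK, 1024-bit ZSK), `vet_sign` returns 1 because of the ZSK size.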