Zone Editor

Overview

DNS (Domain Name System) converts human-readable domain names (for example, example.com) to computer-readable IP addresses (for example, 192.0.0.1). DNS relies on zone records that exist on your server to map domain names to IP addresses.

Several different types of records reside in a domain’s zone file. This feature allows you to create, edit, and delete the following records:

  • A

  • AAAA

  • CAA (Certificate Authority Authorization Record)

  • CNAME (Canonical Name Record)

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • MX (Mail Exchanger)

  • SRV (Service Record)

  • TXT (Text Record)

Note:

To access all available zone record types and records that the system automatically generated, your systems administrator must enable the following features in WHM’s Feature Manager interface (WHM >> Home >> Packages >> Feature Manager):

  • Zone Editor (A, CNAME)

  • Zone Editor (AAAA, CAA, SRV, TXT)

Domains

This interface displays your account’s domains. For each domain in the list, you can perform some actions directly. Click the text to perform that action.

  • A Record — Add an A record for this domain.

  • CNAME Record — Add a CNAME record for this domain.

  • MX Record — Add an MX record for this domain.

  • DNSSEC Record — Manage DNSSEC (Domain Name System Security Extensions) for this domain.

  • Manage — Add or edit additional records for this domain.

To refresh the list of domains, click the gear icon and select Refresh List.

Manage Zone

This interface displays the zone records for the selected domain. To filter the list of zone records, enter a name in the text box or select one of the record type filters.

Add a record

To add a record, perform the following steps:

  1. Click Manage next to the domain that you wish to modify.

  2. Click the arrow next to Add Record to select a record type:

    • Add A Record — This record maps hostnames to IP addresses. A records allow DNS servers to identify and locate your website and its various services on the Internet. Without appropriate A records, your visitors cannot access your website, FTP site, or email accounts.

    • Add AAAA Record — This record maps hostnames to IPv6 addresses.

    • Add CAA Record — This record allows you to specify which certificate authority (CA) will issue an SSL certificate for a domain.

       
      CAA record parameters

      • Flag — Whether the CA will issue an SSL certificate if the CAA Resource Record contains unknown property tags. For more information about CAA record flags, read the RFC 6844 Documentation.

        • 0 — Non-critical. The CA will issue an SSL certificate if the CAA Resource Record contains unknown property tags.

        • 1 — Critical. The CA will not issue an SSL certificate if the CAA Resource Record contains unknown property tags.

        • Tag — The CAA record’s property type.

          • issue — Authorize a CA to issue a certificate for the domain.

          • issuewild — Authorize a CA to issue a wildcard certificate for the domain.

          • iodef — Specify a URL to which a CA may report policy violations.

        • Value — The CA’s domain, or the CA’s URL if you select the iodef element.

          • A valid SSL provider.

          • A mailto URL or standard URL

      Note:

      If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA.

      For example, a CAA record for Sectigo would resemble the following example, where example.com represents the domain name:

      example.com. 86400 IN CAA 0 issue "sectigoca.com"

       

       

    • Add CNAME Record — This record creates an alias for another domain name, which DNS looks up. This is useful, for example, if you point multiple CNAME records to a single A record in order to simplify DNS maintenance.

      Note:

      You cannot point a CNAME record to an IP address.

       

    • Add DMARC Record — This record indicates the action for a mail server to take when it receives mail from this domain, but that message fails SPF and DKIM checks. If you select this option, the system creates a TXT record with a default DMARC record. The system also displays a form that allows you to specify the domain’s DMARC policy (None, Quarantine, or Reject), as well as the following optional parameters:

       
      DMARC parameters

      • Subdomain Policy — The action that the recipient’s mail server should perform when it receives mail from a subdomain of this domain, but that message fails SPF and DKIM checks.

        • None — Do not perform any action for spam email messages.

        • Quarantine — Send spam email messages to a different folder on the account.

        • Reject — Reject spam email messages.

        • DKIM Mode — The Domain Keys Identified Mail (DKIM) level that the system will enforce for the domain.

          • Relaxed — The system allows some email messages from domains that it does not recognize.

          • Strict — The system rejects all email messages from domains that it does not recognize.

        • SPF Mode — The Sender Policy Framework (SPF) level that the system will enforce for the domain.

        • Percentage — The percentage of email messages that you wish for the system to filter.

        • Generate Failure Reports When — The error reporting policy between the sender and receiver’s Mail Transfer Agents.

        • Report Format — The format that the system uses to report an email message’s possible spam status.

        • Report Interval — The amount of time, in seconds, that elapse between each aggregate email message report.

      Note:

      • This parameter’s value defaults to 86400.

      • This value does not include email failure messages.

      • Send Aggregate Mail Reports To — A comma-delimited list of URIs to which to send aggregate email message reports. To add a size limit for the report, affix an exclamation point, a number, and a file size multiplier to the end of the URI. You can specify the following size multipliers:

        • k — Kilobytes.

        • m — Megabytes.

        • g — Gigabytes.

        • t — Terabytes.

      • Send Failure Reports To — A comma-delimited list of URIs to which to send failure email message reports.

       

    • Add MX Record — This record allows you to route a domain’s incoming mail to a specific server. Changes that you make to a domain’s MX (Mail Exchanger) control where the system delivers email for a domain.

    • Add SRV Record — This record provides information about available services on specific ports on your server.

       
      SRV parameters

      • Priority — The service record’s priority value.

      • Weight — The system uses this value to rank entries with the same priority value.

      • Port — The target host’s port.

      Note:
      For a complete list of ports, read our How to Configure Your Firewall for cPanel & WHM Services documentation.
      • Target — The service’s target host.

       

    • Add TXT Record — This record contains text information for various services to read. For example, TXT records can specify data for the SPF, DKIM, or DMARC email authentication systems. Click the links below to view examples of each TXT record:

       
      SPF records 
      v=spf1 +a +mx +ip4:10.215.218.151 ~all
      DKIM records 
      v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA14CK7pzW3Q4NHyJv/NIUG2vxuW8cDLnrQyjnpf0XQCHkFMnBdampzVG/T15U4P7W3YKImR6aF+QhM6WRZdXaOQqdkkkGc+VdYnH415ZikqSvfwSQ+n2fdIEVHvOkLyl/qSQkNhijtz48qb874keiYimo9Gsdg7mlhURImqPlL9zsGFcBpogmW00bnwmeiyeFbBY+d0QJRAelECpIbdWQfiCq1tUMm1pMGI5GHmnJVs3ToPvRoH2J4SQpOO91smkwaQPEEdLVXTMpLuKcvOOjotwzeVX5A4RBfuAaKjk7z0xdkTnsDivFJSqqNBLtT0v8cv6JjDgWZ8pYKBC65mdWxwIDAQAB;
      DMARC records 
      v=DMARC1;p=none;rua=mailto:user@example.com

       

  3. Enter the appropriate information for the record type that you selected.

  4. Click Add Record.

    Note:

    Use cPanel’s Email Deliverability interface (cPanel >> Home >> Email >> Email Deliverability) to manage SPF and DKIM records.

     

Edit a record

To edit a record, perform the following steps:

  1. Click Manage next to the domain you want to modify.

  2. Click Edit next to the record that you wish to edit.

  3. Change the information in the text boxes as necessary.

  4. Click Edit Record to save your changes, or click Cancel to discard them.

Delete a record

To delete a record, perform the following steps:

  1. Click Manage next to the domain you want to modify.

  2. Click Delete next to the record that you wish to remove.

  3. Click Delete in the confirmation dialog box.

Reset zone files

Important:

  • This feature erases any modifications that you made to your zone records. The system attempts to save the domain’s TXT entries. We recommend that you record any changes that you wish to save before you use this feature.

  • To reset your DNS zone files, your systems administrator must enable the following features in WHM’s Feature Manager interface (WHM >> Home >> Packages >> Feature Manager):

    • Zone Editor (A, CNAME)

    • Zone Editor (AAAA, CAA, SRV, TXT)

To reset your DNS zone files to the defaults that your hosting provider specifies, perform the following steps:

  1. If this account owns more than one domain, click Manage next to the domain that you wish to reset.

  2. Click the gear icon and select Reset Zone.

  3. Read the warning about the consequences.

  4. Click Continue to reset your zone, or Cancel to return to the Manage Zone interface.

DNSSEC

DNSSEC can protect clients from various forms of attack, such as spoofing or a Man-in-the-Middle attack. A DNS resolver will compare the DNS server’s DNSKEY record to the DS record at the registrar. If they match, then the DNS resolver knows that the record is valid.

DNSSEC uses digital signatures to strengthen DNS authentication. These digital signatures use public key cryptography to sign the DNS data. However, these digital signatures do not sign the DNS queries and responses.

In the Zone Editor interface, click DNSSEC in a domain’s row to display the DNSSEC interface.

For more information about DNSSEC, read our DNSSEC documentation.

Important:

If you transfer the account to another server, you must remove the Domain Server (DS) records from the registrar before you transfer the domain.

To transfer an account with DNSSEC enabled domains, perform the following steps for each domain:

  1. Remove the DS records from the registrar.

  2. Wait for the changes to propagate. This may take up to 72 hours.

  3. Perform the transfer.

  4. Manually update the registrar with the new DS records.

If you do not remove the old DS records from the registrar, the domains may produce DNS resolution issues due to invalid DNSSEC responses.

Create a DNSSEC key

Quick DNSSEC key creation

To quickly create a pair of DNSSEC keys that most registrars will accept, perform the following steps:

  1. Click Create Key. A confirmation message will appear.

  2. Click Create. The DS Records interface will appear with the keys’ details.

Custom DNSSEC key creation

If you wish to create a customized key with a stronger algorithm, perform the following steps:

  1. Click Create. A confirmation window will appear.

  2. Click Customize. The Create DNSSEC Keys interface will appear.

  3. Select the desired key setup for the DNSSEC key:

    • Classic — Creates a ZSK (Zone Signing Key) and a KSK (Key Signing Key).

    • Simple — Creates a CSK (Combined Signing Key), which the system will use as both the ZSK and KSK.

  4. Select the desired algorithm from the Algorithm menu.

    Note:
    The interface will disable incompatible algorithms.

  5. Select whether to activate the newly-generated key.

  6. Click Create Key. The DNSSEC Key Details interface will appear with the key’s details.

Important:

After you generate the domain’s DNSSEC key, you must configure a Domain Server (DS) record with your domain registrar. 

To validate the DNSSEC configuration for a domain, use Verisign’s DNSSEC Anaylzer website.

Import DNSSEC key

To import a DNSSEC key for a domain, perform the following steps:

  1. Click Import Key. The Import DNSSEC Key interface will appear.

  2. Select the key type that you wish to import:

    • ZSK — Zone Signing Key.

    • KSK — Key Signing Key.

  3. Enter the key information in the Key text box.

  4. Click Import.

Keys table

The Keys table lists the DNSSEC security keys for the domain.

  • Key Tag — An integer value that identifies the domain’s DNSSEC record.

  • Key Type — Whether the key is a ZSK, CSK, or KSK.

  • Algorithm — The algorithm type that constructs the digest. Select the type that your registrar supports.

  • Created — The key’s creation date.

    Note:

    • The interface will display a recommendation for when you should rotate this key. For information about how to rotate a DNSSEC key, read our How to Rotate a DNSSEC Key documentation.

    • The interface will display Unknown in the Created time column for keys created by cPanel & WHM version 84.

     

  • Status — Whether the security key is active.

  • Actions

    • Activate — Activates the security key.

    • Deactivate — Deactivates the security key. This will not delete the security key.

    • View DS Records — Display DS records for your domain.

    • Delete — Delete the security key.

    • Public DNSKEY — Display the public DNSKEY record.

Public DNSKEY

When you click Public DNSKEY for a key, the Public DNSKEY interface will appear.

This interface displays the following information:

  • Domain — The domain in the DNS record.

  • Public DNSKEY — The public DNSKEY record.

DNSSEC Key Details

When you click View DS Records for a key, the DS Records interface will appear.

This interface displays the following information:

  • Domain — The domain in the DNS record.

  • Key Tag — An integer value that identifies the domain’s DNSSEC record.

  • Algorithm — The algorithm type that constructs the digest.

  • Created — The key’s creation date.

  • Digests — Alphanumeric strings that the algorithm generates.

To add a DS Record to the domain’s registrar, perform the following steps:

  1. Determine the digest type that your registrar uses.

  2. Click Copy for the appropriate digest record.

  3. Go to your registrar’s website and add the information that they request for your domain.

Deactivate a DNSSEC key

To deactivate a DNSSEC key, perform the following steps:

  1. Click Deactivate next to the appropriate record.

  2. Click Continue to confirm that you wish to deactivate the security record.

To reactivate the security record, click Activate.

Delete a DNSSEC key

Important:

Before you delete the domain’s DNSSEC key in cPanel & WHM, you must remove or disable the Domain Server (DS) record with your domain registrar. After editing the DS record, wait at least 24 hours for the changes to propagate. Once the changes propagate, you may delete the DNSSEC key in cPanel & WHM.

To delete a DNSSEC key, perform the following steps:

  1. Click Delete next to the appropriate record.

  2. Click Continue to confirm that you wish to delete the security record.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Addon Domains

Overview Addon domains allow you to control multiple domains from a single account. An addon...

Aliases

Overview Domain aliases are domains that you own, but which do not contain any content. Instead,...

Domains

  Overview Use this interface to create and manage multiple domains from a single cPanel...

Dynamic DNS

Overview Use this interface to simplify access to networks that use a dynamic IP address. A...

Redirects

Overview The Redirects interface allows you to send all of the visitors of a domain or...