How to restore DNSSEC keys from a cPanel backup

Introduction

DNSSEC (Domain Name System Security Extensions) helps protect DNS records from spoofing and tampering. If DNSSEC keys are lost or need to be migrated, they can be restored from a cPanel backup by extracting the key files and importing them through cPanel’s Zone Editor.

Prerequisites

Before proceeding, ensure the following:

  • You have access to the server via SSH.
  • A valid cPanel backup containing the DNSSEC keys is available.
  • You have access to the cPanel account associated with the domain.
  • DNSSEC is supported and enabled for the domain.

Implementation

1) Locate the DNSSEC keys in the backup.

# tar -tvf /backup/2021-12-24/accounts/CPUSER.tar.gz | grep -i dnssec
drwxr-xr-x root/root 0 2021-12-24 09:59 CPUSER/dnssec_keys/
drwxr-xr-x root/root 0 2021-12-24 09:59 CPUSER/dnssec_keys/DOMAIN.TLD/
-rw------- root/root 1703 2021-12-24 09:59 CPUSER/dnssec_keys/DOMAIN.TLD/65317_KSK.key
-rw------- root/root 939 2021-12-24 09:59 CPUSER/dnssec_keys/DOMAIN.TLD/41433_ZSK.key

2) Extract the key files for the domain.

# tar -xvf /backup/2021-12-24/accounts/CPUSER.tar.gz CPUSER/dnssec_keys/DOMAIN.TLD/65317_KSK.key
CPUSER/dnssec_keys/DOMAIN.TLD/65317_KSK.key

# tar -xvf /backup/2021-12-24/accounts/CPUSER.tar.gz CPUSER/dnssec_keys/DOMAIN.TLD/41433_ZSK.key
CPUSER/dnssec_keys/DOMAIN.TLD/41433_ZSK.key

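3) Show the contents of the key files. These files hold the zone's private signing keys, so keep the output and the extracted copies away from other users, and delete the copies once the import is complete.

# cat CPUSER/dnssec_keys/DOMAIN.TLD/41433_ZSK.key
Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
...

# cat CPUSER/dnssec_keys/DOMAIN.TLD/65317_KSK.key
Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
...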

4) Navigate to the Zone Editor in cPanel.

cPanel > Domains > Zone Editor

5) Click the “DNSSEC” button for your domain.

6) Click the “Import Key” button.

7) Paste the contents of each key file from step 3 into the import form. Make sure to select the key type (KSK or ZSK) that matches the file name.

8) Click the import button.
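
Steps 1 to 3 can be wrapped so that only the key files are unpacked, they land in a directory only the invoking user can read, and the key type for step 7 is read from the file name. This is an added example, not cPanel's own tooling: the function names are hypothetical, and it assumes GNU tar and the CPUSER/dnssec_keys/DOMAIN.TLD/ layout shown in step 1.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; assumes GNU tar and the
# CPUSER/dnssec_keys/DOMAIN.TLD/<tag>_<KSK|ZSK>.key layout from step 1.

# Print "domain key-tag type archive-member" for each key file in the backup.
list_dnssec_keys() {
    tar -tf "$1" | awk -F/ '
        $2 == "dnssec_keys" && $4 ~ /^[0-9]+_(KSK|ZSK)\.key$/ {
            split($4, part, /[_.]/)
            print $3, part[1], part[2], $0
        }'
}

# Extract only one domain's key files into a new private directory and print
# that directory. Nothing else from the account backup is unpacked.
extract_dnssec_keys() {
    local archive="$1" domain="$2" members dest
    members=$(list_dnssec_keys "$archive" |
        awk -v d="$domain" '$1 == d { print $4 }')
    if [ -z "$members" ]; then
        echo "no DNSSEC keys for $domain in $archive" >&2
        return 1
    fi
    dest=$(mktemp -d) || return 1   # mktemp -d creates the directory mode 0700
    printf '%s\n' "$members" |
        (umask 077; tar -xf "$archive" -C "$dest" -T -) || return 1
    echo "$dest"
}

# Check that a file has the private-key header shown in step 3, then print
# the key type to select in the Import Key dialog (step 7).
key_type_for_import() {
    local file="$1"
    if ! head -n 1 "$file" | grep -q '^Private-key-format: '; then
        echo "not a DNSSEC private key file: $file" >&2
        return 1
    fi
    case "${file##*/}" in
        *_KSK.key) echo KSK ;;
        *_ZSK.key) echo ZSK ;;
        *) echo "cannot tell key type from name: $file" >&2; return 1 ;;
    esac
}

# Usage:
#   dir=$(extract_dnssec_keys /backup/2021-12-24/accounts/CPUSER.tar.gz DOMAIN.TLD)
#   key_type_for_import "$dir/CPUSER/dnssec_keys/DOMAIN.TLD/65317_KSK.key"
#   rm -rf "$dir"    # remove the private key copies once the import is done
```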

Conclusion

Restoring DNSSEC keys from a cPanel backup allows you to recover DNSSEC functionality without generating new keys. By extracting the key files from the backup and importing them through the Zone Editor, you can quickly restore DNSSEC protection for your domain.
