DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can detect and reject forged answers, preventing attackers from redirecting your domain's traffic to malicious servers (DNS spoofing/hijacking).
What DNSSEC Does
Without DNSSEC, a man-in-the-middle attacker could intercept a DNS query and return a fake IP address, redirecting your visitors to a phishing site. DNSSEC signs the records in your zone so that validating resolvers can verify a response hasn't been tampered with.
Enabling DNSSEC in cPanel
In cPanel, go to Domains > Zone Editor, click Manage next to your domain, then click DNSSEC. Click Create Key and choose the algorithm (ECDSAP256SHA256 is recommended). Copy the DS record values displayed.
Submitting DS Records to Your Registrar
Log in to your domain registrar and find the DNSSEC settings. Add the DS record using the Key Tag, Algorithm, Digest Type, and Digest values from cPanel. The registrar submits these to the parent zone, completing the chain of trust.
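A DS record that does not match the zone's DNSKEY makes validating resolvers reject the domain's answers, so it is worth re-deriving the four values before saving them at the registrar. The Python below is an added example, not cPanel's or any registrar's code: it computes the Key Tag and SHA-256 Digest from a DNSKEY and lists which entered fields differ. The function names, the example.com domain, the placeholder key bytes, flags 257 and Digest Type 2 are assumptions.

```python
import base64
import hashlib
import struct

# Constructed sample values (not a real key): a 64-byte placeholder stands in
# for an ECDSAP256SHA256 public key; example.com is a placeholder domain.
SAMPLE_OWNER = "example.com"
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(owner):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key Tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def compute_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive the four DS fields from a DNSKEY, using Digest Type 2 (SHA-256)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    # The DS digest covers the owner name in wire form followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"Key Tag": key_tag(rdata), "Algorithm": algorithm,
            "Digest Type": 2, "Digest": digest}

def ds_mismatches(computed, entered):
    """Return the names of DS fields where the entered value differs."""
    def norm(field, value):
        text = "".join(str(value).split())  # tolerate pasted spaces/newlines
        return text.upper() if field == "Digest" else int(text)
    return [f for f in computed if norm(f, entered[f]) != norm(f, computed[f])]

if __name__ == "__main__":
    # Flags 257, protocol 3 and algorithm 13 (ECDSAP256SHA256) are assumed here.
    ds = compute_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY_B64)
    print(*ds.values())
    # Simulate a registrar form filled in with the wrong Digest Type.
    typed = {**ds, "Digest Type": "1"}
    print("mismatched fields:", ds_mismatches(ds, typed))
```

Replace the sample owner and key with your zone's DNSKEY record and compare the result against the values shown in cPanel and at the registrar.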
Verifying DNSSEC
Use dnssec-analyzer.verisignlabs.com or dnsviz.net to verify your DNSSEC configuration. Green indicators mean everything is correctly signed and chained.