cPanel version 84 with PowerDNS and DNSSEC
DNSSEC clustering for medium-sized domain name portfolios
With the launch of cPanel version 84, PowerDNS with DNSSEC enabled has become an integral feature of the cPanel/WHM control environment. cPanel/WHM now installs the PowerDNS Authoritative Server by default, and the user interface now includes DNSSEC functionality.
Under DNS Cluster, administrators can switch the server software from the BIND default to PowerDNS. PowerDNS then runs in the Authoritative Server's 'hybrid BIND mode': the domain information is loaded from the BIND zone files, while DNSSEC-specific metadata is saved in the (embedded) SQLite database. Signing of the relevant domains, and the associated key material, can then be managed using cPanel's Zone Editor.
According to the documentation, DNSSEC clustering scales to ten thousand signed domains. The developers advise users with more domains not to enable DNSSEC. However, we don't agree with that advice. We believe it's better for administrators with large portfolios to look for an alternative solution. Detailed guidance on setting up the PowerDNS Authoritative Server and all DNSSEC facilities and configurations is given in this article.