How to DNSSEC sign a zone with Simple DNS Plus

To sign a zone, in the DNS Records window, select the zone to be signed, open the DNSSEC drop-down menu on the toolbar, and select "Sign...":

In the "DNSSEC Sign Zone" dialog, click the "Edit..." button next to "Use on-line DNSSEC keys":

In the "On-line DNSSEC keys" dialog, click the "Add..." button:

First create a key of the "KSK" type. We recommend using the RSA/SHA-256 algorithm and a 2048 bit key size:

And then a key of the "ZSK" type. We recommend using the RSA/SHA-256 algorithm and a 1024 bit key size:

You should now have one KSK and one ZSK. Click the OK button in the "On-line DNSSEC keys" dialog:

Back in the "DNSSEC Sign Zone" dialog, click the "Sign zone" button:

Back in the DNS Records window, click the "Save" button:

The zone is now signed.

Next, we need to generate a DS-record and have this included in the parent zone.

In the DNS Records window, open the "DNSSEC" button drop-down menu and select "Generate DS-records...":

This opens the "DNSSEC DS-records" dialog:

Now we need to copy this record to the parent zone. The way this is done varies for each domain name registrar.

As an example, with "" (a domain name registrar), you log into your account, select "My domains", click the "Quick Links" drop-down next to the domain name, and select "Edit nameservers". On the "Edit Nameservers" page, there is a link to "DNSSEC Management page". And here there is a form to enter the DS-record data.

Copy the data from the "DNSSEC DS-records" dialog above to the registrar's form and submit it.
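Before or after submitting, you can confirm that the DS data at the registrar really corresponds to the zone's KSK by recomputing it from the DNSKEY record (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509). The Python below is an added example, not part of Simple DNS Plus or the original guide; the zone name and key bytes are constructed placeholders. It also shows that replacing the ZSK leaves the DS-record valid, while replacing the KSK does not.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry fold)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey):
    """Return 'keytag algorithm 2 DIGEST' (digest type 2 = SHA-256) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {dnskey[2]} 2 {digest}"

def ds_matches(ds_text, owner, dnskeys):
    """True if ds_text matches a KSK (flags 257) among the zone's DNSKEYs."""
    fields = ds_text.split()
    if len(fields) < 4:
        return False
    # Registrar forms and dig output may split the digest or use lower case.
    wanted = " ".join(fields[:3]) + " " + "".join(fields[3:]).upper()
    return any(make_ds(owner, k) == wanted for k in dnskeys if k[0] == 257)

# Constructed sample data: placeholder bytes in RSA key layout, not real keys.
def fake_rsa_key(seed, size):
    return base64.b64encode(b"\x03\x01\x00\x01" + bytes([seed]) * size).decode()

ZONE = "example.com."                       # assumed zone name
KSK = (257, 3, 8, fake_rsa_key(0xA1, 256))  # algorithm 8 = RSA/SHA-256, 2048 bit
ZSK = (256, 3, 8, fake_rsa_key(0xB2, 128))  # 1024 bit
NEW_ZSK = (256, 3, 8, fake_rsa_key(0xC3, 128))
NEW_KSK = (257, 3, 8, fake_rsa_key(0xD4, 256))

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK)
    print("DS for registrar:", ds)
    print("matches zone keys:      ", ds_matches(ds, ZONE, [KSK, ZSK]))
    print("after automatic new ZSK:", ds_matches(ds, ZONE, [KSK, NEW_ZSK]))
    print("after KSK rollover:     ", ds_matches(ds, ZONE, [NEW_KSK, NEW_ZSK]))
```

To use it on a real zone, replace the sample tuples with the flags, protocol, algorithm and base64 key from the zone's DNSKEY records, and pass the DS text exactly as shown at the registrar.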

At this point you may want to test the DNSSEC setup using one of the available on-line tools. For example

Finally, we can configure the zone to be automatically re-signed whenever we update its records.

In the DNS Records window, open the "DNSSEC" button drop-down menu and select "Settings...":

This opens the Zone Properties dialog on the DNSSEC tab.

Check "Automatically DNSSEC sign zone..." and "Generate a new ZSK every..." to have this automated as much as possible:

Note that you should "rollover" the KSK every 1-2 years. Read more about this at

28 Feb 2018 21:02 UTC
Can this be done through the HTTP API?
2 Jul 2018 19:46 UTC
JH Software
We have just released v. 8.0 which supports this.
28 Sep 2018 11:09 UTC
Martin Frederiksen
Should there not be generated more than just 1 key, like in your guide?
Plesk DNS in ex. generates 4.
I know I can just do that, but your guide only states one :-)
11 Oct 2018 12:15 UTC
JH Software
The guide above describes adding two keys - a KSK and a ZSK.
This is all you need to begin with.
During "rollovers" (introducing new key), you might have 3 or 4 keys.
Plesk may be using a "pre-publish" rollover scheme - where keys are introduced before actual usage.
You can do this with Simple DNS Plus too (DNSKEY-only setting), but not in an automated way.
28 Sep 2018 11:11 UTC
Martin Frederiksen
Also when testing on DNSViz I get a lot of these:
"The server appeared to understand EDNS by including RRSIG records, but its response included no OPT record."
11 Oct 2018 12:19 UTC
JH Software
As discussed by e-mail - this was caused by EDNS0 being disabled (Options dialog / DNS / Miscellaneous section)
9 Jul 2019 10:39 UTC
Marco Davids
Is the 'automatically DNSSEC sign zone whenever DNS records are updated'-option on by default?
Because it seems to me that it should.
What could be a valid reason to disable that option? 🤔
Thank you.
17 Jul 2019 08:17 UTC
JH Software
It is not.
You might not want Simple DNS Plus to automatically DNSSEC sign a zone for example if you want manual control over this, or if you use an external process for signing, etc.
23 Nov 2021 02:25 UTC
New to DNSSEC and one question which is not product related. When renewing the keys automatically, does one have to create new DS-records and add those at the registrar? This seems counterproductive to me. If you could answer that for me, I would appreciate it. Thank you.
2 Jun 2022 11:02 UTC
Any plans to implement Algorithm 13 (ECDSA Curve P-256 with SHA-256) in an upcoming version?