DNSSEC Support - Nameserver Upgrade

We have now upgraded our nameserver clusters in both the UK, and the USA to support DNSSEC.

We have changed our DNS clusters to use PowerDNS as opposed to BIND, which also has some performance benefits on the resolution of domains.

DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.

Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself for anyone to retrieve. Any recursive resolver that looks up data in the zone also retrieves the zone's public key, which it uses to validate the authenticity of the DNS data. The resolver confirms that the digital signature over the DNS data it retrieved is valid. If so, the DNS data is legitimate and is returned to the user. If the signature does not validate, the resolver assumes an attack, discards the data, and returns an error to the user.

DNSSEC adds two important features to the DNS protocol:

Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated. Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key. cPanel users can create, manage, or delete their domains’ DNSSEC keys in cPanel’s Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

To validate the DNSSEC configuration for a domain, use Verisign’s DNSSEC Anaylzer website - https://dnssec-analyzer.verisignlabs.com/

AutoSSL - Patch Fix

We have received a number of reports from clients, where SSL certificates have not been installed, or have stalled through the AutoSSL procedure.

We have an extensive conversation earlier today with one of the Senior Techs at cPanel, who have confirmed a bug. This bug only takes place when AutoSSL attempts to enqueue larger quantities of subdomain / domains through their daily cron, which eventually hangs / never completes.

The expected release time for the patch was 100 days, which of course wasn't acceptable in our case.

Given their delay in terms of releasing a patch fix, we have decided to write a fix in-house for this, which after thorough testing resolves the issue.

Once cPanel release an official patch for this, or release in an upcoming version our patch-fix will be removed, in place of their own solution.

For now, AutoSSL is now working again as expected.

R1Soft - https Now Enabled

We had a number of reports that R1Soft was redirecting to a non-secure port / port 80 from the cPanel plugin.

We have now installed SSL certificates on all backup servers, and have enabled redirection to 8443, the new https:// port.

Website Preview - Plugin Changes

We have made some changes to the way our 'Website Preview' option works in cPanel.

Previously, this plugin would generate a temporary URL, and would patch any WordPress installations with a 'fix' which allowed the domain to be previewed through any domain (including the preview URL).

The option though was fairly basic, and only supported preview of the 'primary' domain on an account. It also didn't work where a site has a dedicated IP address.

We have changed this functionality, to leverage the 'https://skipdns.link/' service, and now generate a link automatically for any site through the plugin.

This option is still available through cPanel -> Website Preview

cPanel USA - New Server Deployed

Due to high demand, we have now deployed another US based cPanel server. This is available immediately for new orders.

Resource Boost - Increase Resources for an account

We are pleased to inform you that our 'Resource Boost' option is now available in our client area.

This option will only appear for cPanel or DirectAdmin reseller accounts, and will allow you to 'Boost' any cPanel account for just £5.95 per month.

To add this to any account, you can navigate to 'Services -> Select your Service -> Scroll to 'Boost an Account' or go to addons

cPanel Reseller - Pro 200 Plan

We are pleased to announce that we have now made available a 'Pro 200' plan for our cPanel Reseller Hosting.

cPanel Reseller - Pro 150 Plan

We are pleased to announce that we have now made available a 'Pro 150' plan for our cPanel Reseller Hosting.

This has been introduced to ease the upgrade from the Pro 100 plan, rather than requiring an increase directly to the Pro 250.

This product is available as an 'Upgrade' for any users on plans 100 or lower.

We have also added this product to the 'Reseller Elite' module, allowing you to resell this through WHMCS.

AutoSSL / SSL Certificate Handling

We are pleased to announce we have now rolled out some significant changes to the way in which SSL certificates are handled.

For many years, we have used the 'FleetSSL' plugin for installing SSL certificates, however, due to some recent cPanel upgrades/changes and a lack of updates from the software vendors at FleetSSL, we have seen a number of clients raise issues with failed renewals.

The issue was caused by some incompatibilities between the solutions, which has led us to completely remove the previously used FleetSSL plugin from cPanel.

We have now enabled the recommended solution developed by cPanel, which is the 'AutoSSL' functionality using the Sectigo SSL's as opposed to LetsEncrypt. There are a number of reasons for the change, however what we can assure you is that both LetsEncrypt and the Sectigo SSL's are identical in all ways, and offer identical levels of protection. The core reason for the change is that LetsEncrypt imposes fairly strict Rate Limits, preventing / failing some installations from completing before expiry when used on larger servers.

The process of installing SSL's has been simplified, in most cases requiring no interaction on your part. The purpose of AutoSSL, is that we will as a provider automatically check for SSL's which are expiring, and will automatically replace those SSL's, ensuring your sites remain secure.

Once you enable AutoSSL, your websites are automatically secured with a free, Domain Validated SSL certificate. Perhaps more exciting is the fact that your coverage will never lapse, because at expiration time a new, free SSL is requested and automatically installed.

In terms of the change, you aren't required to do anything. We have taken care of implementation on all accounts/servers for you.

If you are a reseller and wish to disable AutoSSL for a particular client, you can do so via the 'Feature Manager' in WHM.

Please note that existing LetsEncrypt certificates will remain in-tact, until the SSL's are due to expire. 3 days before expiry, the new SSL certificates will be installed automatically.

If you wish to skip this process and want to install the new SSL immediately, then you can do so by going to cPanel -> SSL / TLS and uninstalling your existing certificates. Following this, you can then run AutoSSL manually for the account by going to cPanel -> SSL / TLS Status, and clicking the 'Run AutoSSL' option for the account.

Internal Monitoring Changes

We were previously monitoring the 'hostname' for endpoints, however it is sometimes possible that we would disable, or 'null' the hostname / default page in cPanel from being accessed directly for attack mitigation.

As such, we have modified our monitoring solution to always monitor a Wordpress installation at a new endpoint, hosted on each machine. This provides a higher level of accuracy over the previous method.

Please note that we are not fully dependant on these monitors. We instead monitor through a server-level suite, which checks over 250 metrics every 15 seconds, so we will still be alerted to normal issues outside of the scope of an http request.

This ensures we can maintain the highest possible standard in terms of uptime monitoring and availability throughout.