Configure DNS for a new domain
Two paths: use NovaPanel's PowerDNS as authoritative, or keep DNS at your registrar and just point the right records. Plus DNSSEC if you want it.
Two ways to do DNS
When you add a domain to NovaPanel you have a choice:
- NovaPanel-managed (PowerDNS). Make NovaPanel authoritative for the domain. Manage records in the panel, no registrar logins needed for ongoing changes. Required for DNSSEC.
- Registrar-managed. Leave DNS at Cloudflare / Route 53 / your registrar. NovaPanel just hosts the site, mail, etc — DNS records live elsewhere.
Most operators pick option 2 for production (registrar DNS is robust, free, no extra moving parts) and option 1 for resold-hosting setups where the customer wants single-pane-of-glass DNS management.
Option 2 — Registrar-managed DNS (the simple path)
At your registrar, set these records:
; A record for the bare domain
@ A 203.0.113.42 ; your panel's IPv4
; AAAA if you have IPv6
@ AAAA 2001:db8::1
; www subdomain
www A 203.0.113.42
; MX for mail (only if NovaPanel handles mail for this domain)
@ MX 10 mail.example.com.
; SPF / DKIM / DMARC — see the email-setup guide
@ TXT "v=spf1 mx ~all"
panel._domainkey TXT "..."
_dmarc TXT "..."
Caddy on the panel will provision a Let's Encrypt cert for the domain within seconds of the first HTTPS request once DNS resolves. Mail might take 5-30 minutes to propagate; HTTP traffic arrives faster.
Option 1 — PowerDNS-managed (NovaPanel authoritative)
At the registrar
Set the domain's nameservers to point at your panel:
ns1.example.com → A → 203.0.113.42
ns2.example.com → A → 203.0.113.42 ; same IP is fine for now
Most registrars also need glue records — they ask "what's the IP of ns1.example.com?" so resolvers don't end up in a circular lookup. Set those at the registrar.
In NovaPanel
Admin → Domains → Add domain → tick Use built-in PowerDNS. The panel creates a zone with the standard SOA / NS / A records pre-filled.
Then admin → Domains → <domain> → DNS to add records. The UI handles A / AAAA / CNAME / MX / TXT / SRV / NS / PTR. Everything goes through PowerDNS's API — no zone-file editing.
DNSSEC (PowerDNS-managed only)
DNSSEC needs the panel to be authoritative — won't work if you're using registrar DNS.
Enable in the panel
Admin → Domains → <domain> → DNS → DNSSEC: On. The panel:
- Generates a Key-Signing Key (KSK) and Zone-Signing Key (ZSK).
- Signs all existing records.
- Sets up automatic ZSK rotation (default: every 90 days).
- Surfaces the DS record value you need to publish at your registrar.
Publish the DS record at the registrar
This is the only step that has to happen outside the panel. The DS record proves the chain of trust from the parent zone (.com) down to your zone. Without it, DNSSEC is enabled but resolvers can't verify the chain.
Copy the DS record from the DNSSEC page and paste it into your registrar's DS / "DNSSEC keys" interface. Most major registrars (Namecheap, Gandi, Cloudflare-as-registrar, Hover) support this; some smaller ones don't.
Verify
After ~30 minutes for propagation, run dnsviz.net against your domain. You want a clean, fully-green chain. Yellow means "DNSSEC enabled but DS record missing or wrong."
Zone transfers (AXFR) & hidden-master setups
For higher availability you can run NovaPanel as a hidden master and use external secondaries (e.g., Hurricane Electric's free service). The secondaries pull the zone from your panel over AXFR, and you delegate the public-facing nameservers to them instead of to the panel — so the panel's IP isn't a single point of failure for DNS.
For all zones at once (recommended): admin → Nameservers → Secondary DNS. List your secondary nameservers (one IP or CIDR per line) and save — NovaPanel pushes that list to every zone's ALLOW-AXFR-FROM and ALSO-NOTIFY, and applies it automatically to any zone created afterwards. This is the setting to use when you run a fixed set of secondaries for the whole panel.
For a single zone: admin → DNS Zones → click the zone → Zone Transfers. Same input (IPs/CIDRs, one per line). Use this for a per-zone exception. Note that saving the global Secondary DNS list overwrites per-zone overrides, since the global list is treated as the source of truth whenever it's saved.
Either way, then:
- Configure each secondary's "slave zone" interface pointing at your panel's IP.
- Update registrar nameservers to point at the secondaries (not at your panel).
Transfers are disabled by default — an empty list means no one can AXFR the zone, which is what you want unless you explicitly run secondaries. Only list servers you control: anyone who can transfer a zone can read every record in it. The panel accepts only literal IPs and CIDRs (no hostnames), and "allow everything" ranges like 0.0.0.0/0 are rejected. Single IPs also get an ALSO-NOTIFY so the secondary re-pulls on every change; CIDR ranges may transfer but aren't notified.
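The rules above (literal IPs and CIDRs only, catch-all ranges rejected, NOTIFY only for single addresses) as a validator you can run over a Secondary DNS list before saving it. This is an added example, not NovaPanel's own code; the addresses are constructed documentation values, not a real provider's servers.

```python
import ipaddress

# Ranges that would let anyone on the internet transfer the zone; the panel rejects them.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def parse_secondaries(text: str):
    """Turn the textarea contents into (ALLOW-AXFR-FROM, ALSO-NOTIFY) lists.

    One IP or CIDR per line; blank lines and '#' comments are ignored. Hostnames
    and catch-all ranges raise ValueError naming the offending line.
    """
    allow_axfr, also_notify = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False masks host bits, so 198.51.100.5/28 is read as 198.51.100.0/28
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            raise ValueError(f"line {lineno}: {entry!r} is not a literal IP or CIDR") from None
        if net in CATCH_ALL:
            raise ValueError(f"line {lineno}: {entry!r} would let anyone AXFR the zone")
        if net.num_addresses == 1:          # a single host (/32, /128, or bare address)
            host = str(net.network_address)
            allow_axfr.append(host)
            also_notify.append(host)        # NOTIFY so the secondary re-pulls on change
        else:
            allow_axfr.append(str(net))     # ranges may transfer but are not notified
    return allow_axfr, also_notify

def rejects(text: str) -> bool:
    """True if the panel would refuse to save this list."""
    try:
        parse_secondaries(text)
        return False
    except ValueError:
        return True

# Constructed sample input (documentation addresses, not a real provider's servers).
SAMPLE = """\
203.0.113.10          # secondary 1 (IPv4)
2001:db8:1::53        # secondary 2 (IPv6)
198.51.100.0/28       # a provider's transfer range: AXFR allowed, no NOTIFY
"""

if __name__ == "__main__":
    allow, notify = parse_secondaries(SAMPLE)
    print("ALLOW-AXFR-FROM:", ", ".join(allow))
    print("ALSO-NOTIFY:    ", ", ".join(notify))
```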
Wildcard SSL (DNS-01)
Because the panel runs its own DNS, it can issue *.example.com wildcard certificates using the ACME DNS-01 challenge — something HTTP-01 can't do. In the customer panel, on SSL Certificates, click Wildcard next to a domain. Caddy then solves the challenge by writing a temporary TXT record into PowerDNS via its API and obtains a cert covering both the apex and all subdomains.
This requires a Caddy build that includes the PowerDNS DNS module (caddy-dns/powerdns). The installer compiles it in automatically, so every new install — and any server you (re-)run the installer on — has it. If DNS-01 isn't available, the Wildcard button returns a clear error and ordinary single-host certificates keep working over HTTP-01 as before.
Upgrading an older server? Panels first installed before wildcard support shipped auto-update the panel binary on their own, but the binary update does not rebuild Caddy — so the PowerDNS module won't be present yet. Re-run the installer once to rebuild Caddy with it (it's safe to re-run and skips steps that are already done):
curl -fsSL https://license.novapanel.dev/install.sh | sudo bash
Confirm the module is present with caddy list-modules | grep powerdns — you want to see dns.providers.powerdns.
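What the DNS-01 step above amounts to on the wire, as an added example rather than Caddy's or NovaPanel's code: the TXT value is derived per RFC 8555 from the order's token and the ACME account-key thumbprint, then published and later removed through the PowerDNS HTTP API's rrset PATCH. The token, thumbprint, API URL and key are constructed placeholders.

```python
import base64
import hashlib
import json
import urllib.request

def dns01_txt_value(token: str, account_key_thumbprint_b64url: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_key_thumbprint_b64url}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def challenge_rrset_patch(zone: str, txt_value: str, delete: bool = False) -> dict:
    """Body for PATCH /api/v1/servers/localhost/zones/<zone> on the PowerDNS API.

    REPLACE publishes the challenge record; DELETE removes it once the cert is issued.
    A wildcard for example.com is validated at _acme-challenge.example.com.
    """
    zone = zone.rstrip(".") + "."
    rrset = {"name": "_acme-challenge." + zone, "type": "TXT", "ttl": 60,
             "changetype": "DELETE" if delete else "REPLACE"}
    if not delete:
        rrset["records"] = [{"content": f'"{txt_value}"', "disabled": False}]
    return {"rrsets": [rrset]}

def send_patch(api_url: str, api_key: str, zone: str, body: dict) -> int:
    """Apply the rrset change through the PowerDNS HTTP API; returns the HTTP status."""
    req = urllib.request.Request(
        f"{api_url.rstrip('/')}/api/v1/servers/localhost/zones/{zone.rstrip('.')}.",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed placeholder values; a real ACME order supplies the token, and the
# thumbprint is computed from your ACME account key (RFC 7638).
SAMPLE_TOKEN = "CONSTRUCTED-token-not-from-a-real-order"
SAMPLE_THUMBPRINT = "CONSTRUCTED-account-key-thumbprint"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(json.dumps(challenge_rrset_patch("example.com", value), indent=2))
    # send_patch("http://127.0.0.1:8081", "<PDNS-API-KEY>", "example.com", ...) would publish it
```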
Common issues
"Records show in the panel but resolvers see nothing"
PowerDNS isn't being queried. Either the registrar's NS records don't point at your panel (option 1 setup incomplete), or the panel's public IP is firewalled on UDP 53. Test with dig @<your-panel-ip> example.com: if the panel answers directly but public resolvers return nothing, the delegation at the registrar is wrong; if the query times out, it's the firewall.
"DNSSEC validation failing"
Almost always the DS record at the registrar doesn't match what the panel published. Re-copy from the panel; sometimes registrar UIs eat newlines or expect a slightly different format (algorithm number vs name).
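The "Publish the DS record" step and this mismatch problem, as an added example that is not NovaPanel's code: it derives the DS (RFC 4034 key tag, RFC 4509 SHA-256 digest) from a DNSKEY and compares the panel's DS string with a registrar-stored copy after normalizing case, split digests and algorithm mnemonics. The DNSKEY is a constructed dummy, not a real key.

```python
import base64
import hashlib

# Algorithm mnemonics (IANA DNSSEC registry) that some registrar UIs use instead of numbers.
ALGO_NUMBERS = {"RSASHA256": 8, "RSASHA512": 10, "ECDSAP256SHA256": 13,
                "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16}

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lowercase, length-prefixed) wire form of the zone's owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Derive (key tag, algorithm, digest type 2, SHA-256 hex) per RFC 4509."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def normalize_ds(text: str):
    """Parse a DS as pasted: optional 'owner IN DS' prefix, algorithm as number or
    mnemonic, digest in any case and split across whitespace, newlines or parentheses."""
    fields = text.replace("(", " ").replace(")", " ").upper().split()
    if "DS" in fields:
        fields = fields[fields.index("DS") + 1:]
    alg = int(fields[1]) if fields[1].isdigit() else ALGO_NUMBERS[fields[1]]
    return (int(fields[0]), alg, int(fields[2]), "".join(fields[3:]))

def ds_matches(panel_ds: str, registrar_ds: str) -> bool:
    """True when both strings describe the same DS record after normalization."""
    return normalize_ds(panel_ds) == normalize_ds(registrar_ds)

# Constructed dummy KSK standing in for the one the panel generated (a real
# ECDSA P-256 key is 64 bytes; this 4-byte value only exercises the math).
OWNER, FLAGS, PROTO, ALG, PUBKEY = "example.com", 257, 3, 13, "AQIDBA=="
EXPECTED = ds_from_dnskey(OWNER, FLAGS, PROTO, ALG, PUBKEY)
# What the panel's DNSSEC page would show, and a registrar-mangled copy of it.
PANEL_DS = "example.com. IN DS %d %d %d %s" % EXPECTED
REGISTRAR_DS = "%d ecdsap256sha256 2 %s\n%s" % (
    EXPECTED[0], EXPECTED[3][:32].lower(), EXPECTED[3][32:].lower())

if __name__ == "__main__":
    print("DS records match" if ds_matches(PANEL_DS, REGISTRAR_DS) else "MISMATCH: re-copy from the panel")
```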