
Configure DNS for a new domain

Two paths: make NovaPanel's PowerDNS authoritative for the domain, or keep DNS at your registrar and point the right records at the panel. DNSSEC is optional and covered below.

Two ways to do DNS

When you add a domain to NovaPanel you have a choice:

  1. NovaPanel-managed (PowerDNS). Make NovaPanel authoritative for the domain. Manage records in the panel, no registrar logins needed for ongoing changes. Required for DNSSEC.
  2. Registrar-managed. Leave DNS at Cloudflare / Route 53 / your registrar. NovaPanel just hosts the site, mail, etc — DNS records live elsewhere.

Most operators pick option 2 for production (registrar DNS is robust, free, no extra moving parts) and option 1 for resold-hosting setups where the customer wants single-pane-of-glass DNS management.

Option 2 — Registrar-managed DNS (the simple path)

At your registrar, set these records:

; A record for the bare domain
@        A     203.0.113.42        ; your panel's IPv4

; AAAA if you have IPv6
@        AAAA  2001:db8::1

; www subdomain
www      A     203.0.113.42

; MX for mail (only if NovaPanel handles mail for this domain)
@        MX    10 mail.example.com.

; SPF / DKIM / DMARC — see the email-setup guide
@        TXT   "v=spf1 mx ~all"
panel._domainkey  TXT  "..."
_dmarc   TXT   "..."

Caddy on the panel will provision a Let's Encrypt cert for the domain within seconds of the first HTTPS request once DNS resolves. Mail might take 5-30 minutes to propagate; HTTP traffic arrives faster.

Option 1 — PowerDNS-managed (NovaPanel authoritative)

At the registrar

Set the domain's nameservers to point at your panel:

ns1.example.com   → A → 203.0.113.42
ns2.example.com   → A → 203.0.113.42  ; same IP is fine for now

Most registrars also need glue records — they ask "what's the IP of ns1.example.com?" so resolvers don't end up in a circular lookup. Set those at the registrar.

In NovaPanel

Admin → Domains → Add domain → tick Use built-in PowerDNS. The panel creates a zone with the standard SOA / NS / A records pre-filled.

Then admin → Domains → <domain> → DNS to add records. The UI handles A / AAAA / CNAME / MX / TXT / SRV / NS / PTR. Everything goes through PowerDNS's API — no zone-file editing.

DNSSEC (PowerDNS-managed only)

DNSSEC needs the panel to be authoritative; it won't work if you're using registrar DNS.

Enable in the panel

Admin → Domains → <domain> → DNS → DNSSEC: On. The panel:

  • Generates a Key-Signing Key (KSK) and Zone-Signing Key (ZSK).
  • Signs all existing records.
  • Sets up automatic ZSK rotation (default: every 90 days).
  • Surfaces the DS record value you need to publish at your registrar.

Publish the DS record at the registrar

This is the only step that has to happen outside the panel. The DS record proves the chain of trust from the parent zone (.com) down to your zone. Without it, DNSSEC is enabled but resolvers can't verify the chain.

Copy the DS record from the DNSSEC page and paste it into your registrar's DS / "DNSSEC keys" interface. Most major registrars (Namecheap, Gandi, Cloudflare-as-registrar, Hover) support this; some smaller ones don't.

Verify

After ~30 minutes for propagation, run dnsviz.net against your domain. You want a clean, fully-green chain. Yellow means "DNSSEC enabled but DS record missing or wrong."

Slave / hidden-master setups

For higher availability you can run NovaPanel as a hidden master and use external secondaries (e.g., Hurricane Electric's free service):

  • Admin → Domains → <domain> → DNS → AXFR allow — set the secondary's IP.
  • Configure the secondary's "slave zone" interface pointing at your panel's IP.
  • Update registrar nameservers to point at the secondaries (not at your panel).

The panel still has the records, secondaries pull them via AXFR, and the public-facing nameservers are whoever you delegate to. Useful if you want the panel's IP not to be a single point of failure for DNS.

Common issues

"Records show in the panel but resolvers see nothing"

PowerDNS isn't being queried. Either the registrar's NS records don't point at your panel (option 1 setup incomplete), or the panel's public IP is firewalled on UDP 53. Test with: dig @your-panel-ip example.com.

"DNSSEC validation failing"

Almost always the DS record at the registrar doesn't match what the panel published. Re-copy from the panel; sometimes registrar UIs eat newlines or expect a slightly different format (algorithm number vs name).
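
One way to check for this mismatch offline, as an added example that is not NovaPanel's own code: recompute the DS from the KSK's DNSKEY fields (RFC 4034) and compare it with the value the registrar shows, tolerating line breaks and algorithm names in place of numbers. The function names, the mnemonic table and the placeholder key are assumptions for illustration; the registrar value is expected as "keytag algorithm digesttype digest".

```python
import base64
import hashlib
import struct

# Mnemonics some registrar UIs show instead of the IANA algorithm number.
ALG_NAMES = {"RSASHA256": 8, "ECDSAP256SHA256": 13, "ED25519": 15}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lowercase) wire form of the zone's owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def make_ds(zone, rdata, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(text):
    """Parse a pasted DS value; newlines, parentheses and mnemonics are tolerated."""
    tag, alg, dtype, *digest = text.replace("(", " ").replace(")", " ").split()
    alg = ALG_NAMES.get(alg.upper()) or int(alg)
    return int(tag), alg, int(dtype), "".join(digest).lower()


def ds_matches(zone, rdata, registrar_ds):
    """True if the registrar's DS is the digest of this zone's DNSKEY."""
    tag, alg, dtype, digest = parse_ds(registrar_ds)
    if dtype not in DIGESTS:
        return False
    return (tag, alg, dtype, digest) == make_ds(zone, rdata, dtype)


# Constructed sample: a placeholder 64-byte "public key", not a real KSK.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(64)).decode())
```

Feed it the flags, protocol, algorithm and base64 key from the panel's KSK (the DNSKEY with flags 257) and the DS string exactly as the registrar displays it.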