Managing DNS Records in DirectAdmin – Complete Practical Guide for Administrators

DirectAdmin provides a powerful DNS management system that allows administrators to control TTL values, create SRV records, enable DNSSEC, manage subdomain delegation, automate TLSA records, and perform mass DNS updates. This guide explains all essential DNS operations in DirectAdmin with real-world examples and best practices.


~4 min read • Updated Mar 1, 2026

1. How to Lower TTL Before Changing an IP (Minimize Downtime)


When changing a domain's IP address, it's best to temporarily reduce the TTL first, so that resolvers discard the cached old record sooner and pick up the new address quickly. Otherwise clients can keep using the stale address for as long as the old TTL allows.

Global method (affects all records):

Step 1: Disable per-record TTL


da config-set dns_ttl 0 --restart

Step 2: Set a low default TTL (e.g., 300 seconds)


da config-set default_ttl 300 --restart

Step 3: Rewrite all DNS zones


/usr/local/directadmin/directadmin taskq --run "action=rewrite&value=named" --debug 2000

Step 4: After the IP change, restore original values


da config-set dns_ttl 1 --restart
da config-set default_ttl 14400 --restart
/usr/local/directadmin/directadmin taskq --run "action=rewrite&value=named" --debug 2000

Note: This method changes TTL for all records. If you only want to modify TTL for a specific record (A, MX, etc.), edit it manually in DNS Management.

---

2. How to Add an SRV Record in DirectAdmin


SRV records are used for services like SIP, XMPP, LDAP, etc.

SRV format:


_service._proto.name TTL class SRV priority weight port target

Example in DirectAdmin:

Left side (Name):


_sip._tcp.example.com.

Right side (Value):


0 5 5060 sipserver.example.com.

How to add:

  1. User Level → DNS Management → domain.com
  2. Add Record
  3. Type: SRV
  4. Name: _sip._tcp (or full name with dot)
  5. Value: 0 5 5060 sipserver.example.com.
  6. TTL: optional (e.g., 14400)

Important: If the name ends with a dot, DirectAdmin will NOT append the domain automatically. If it does not end with a dot, the domain is appended automatically.
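As an added illustration (not DirectAdmin's code and not part of this guide's original material), the following Python applies the trailing-dot rule above to build the final record name and validates the four fields of the Value side before a record is submitted; the domain, host names and port are made-up sample values.

```python
import re

# DirectAdmin's naming rule from the guide: a Name ending in a dot is used
# as-is, otherwise the zone's domain is appended.
def da_fqdn(name: str, domain: str) -> str:
    return name if name.endswith(".") else f"{name}.{domain}."

# _service._proto prefix (e.g. _sip._tcp) followed by at least one label and a final dot.
_SRV_NAME = re.compile(r"^_[a-z0-9-]+\._[a-z0-9-]+(\.[a-z0-9-]+)+\.$", re.I)

def parse_srv_value(value: str) -> dict:
    """Parse the Value field: 'priority weight port target'."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("SRV value must be: priority weight port target")
    prio, weight, port, target = parts
    for label, num in (("priority", prio), ("weight", weight), ("port", port)):
        if not num.isdigit() or int(num) > 65535:
            raise ValueError(f"{label} must be an integer 0-65535, got {num!r}")
    if not target.endswith("."):
        # In a zone file a bare target is relative to the zone; require the
        # fully qualified form shown in the example above.
        raise ValueError("target must be a fully qualified name ending with a dot")
    return {"priority": int(prio), "weight": int(weight), "port": int(port), "target": target}

def build_srv_line(name: str, value: str, domain: str, ttl: int = 14400) -> str:
    """Return the zone-file line that results from the Name/Value fields."""
    fqdn = da_fqdn(name, domain)
    if not _SRV_NAME.match(fqdn):
        raise ValueError(f"{fqdn} is not of the form _service._proto.name.")
    v = parse_srv_value(value)
    return f"{fqdn}\t{ttl}\tIN\tSRV\t{v['priority']} {v['weight']} {v['port']} {v['target']}"

def is_valid_srv(name: str, value: str, domain: str) -> bool:
    """True when the fields would produce a well-formed SRV record."""
    try:
        build_srv_line(name, value, domain)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(build_srv_line("_sip._tcp", "0 5 5060 sipserver.example.com.", "example.com"))
```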

---

3. Enabling DNSSEC for Domains


Prerequisite:


da config-set dnssec 1 --restart

Enable DNSSEC for a domain:

  1. Admin Level → DNS Admin → domain.com
  2. Click Generate Keys
  3. Click Sign
  4. Copy the DS records shown at the bottom
  5. Add DS records to your domain registrar (Namecheap, GoDaddy, etc.)

Note for RHEL 9 / AlmaLinux 9 / Rocky 9: Only one DS record is generated—use that one.

---

Disable DNSSEC (full removal):

From DNS Admin → Remove Keys

Or manually (older versions):


rm /var/named/domain.com.ksk.*
rm /var/named/domain.com.zsk.*
rm /var/named/domain.com.db.signed
rm /var/named/dsset-domain.com.

Edit named.conf to switch zone back to .db instead of .signed, then:


systemctl restart named

---

4. DNSSEC for Subdomain Delegation


If the subdomain is created as a full domain (not a standard subdomain), you must maintain the chain of trust.

Steps:

  1. Enable DNSSEC for the subdomain (Generate Keys + Sign)
  2. Add the generated DS records to the parent zone (domain.com)
  3. Add NS records in the parent zone:

     sub.domain.com. NS ns1.domain.com.
     sub.domain.com. NS ns2.domain.com.

  4. Click Sign again in the parent zone

Allow regular users to manage DNSSEC:


da config-set user_dnssec_control 1 --restart

---

5. Automatically Adding TLSA Records with Let's Encrypt (DANE)


Warning: DANE for SMTP is still unreliable. Use this only for HTTPS (port 443).

Step 1: Create script set_tlsa.sh


nano /usr/local/directadmin/scripts/custom/set_tlsa.sh

Content:


#!/bin/sh
# Usage: set_tlsa.sh <domain>   (called from the Let's Encrypt post-hook in Step 2)
DOMAIN=$1
TQ=/usr/local/directadmin/data/task.queue

if [ -z "$DOMAIN" ] || [ ! -d "/etc/virtual/$DOMAIN" ]; then
    echo "$DOMAIN is not valid"
    exit 1
fi

# Fetch the CA certificate into a private temp file (not the current
# directory) and remove it when the script exits.
CERT=$(mktemp) || exit 1
trap 'rm -f "$CERT"' EXIT
wget -q -O "$CERT" https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem || exit 1

# TLSA data: usage 2 (DANE-TA), selector 0 (full certificate),
# matching type 1 (SHA-256 over the DER encoding)
V=$(openssl x509 -in "$CERT" -outform DER | openssl dgst -sha256 -hex | awk '{print "2 0 1", $NF}')
[ -n "$V" ] || exit 1

# Drop the old records, publish the new ones, then reload named
echo "action=dns&do=delete&domain=${DOMAIN}&type=TLSA&name=le-ca&value=*" >> "$TQ"
echo "action=dns&do=delete&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=*" >> "$TQ"

echo "action=dns&do=add&domain=${DOMAIN}&type=TLSA&name=le-ca&value=$V" >> "$TQ"
echo "action=dns&do=add&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=le-ca" >> "$TQ"
echo 'action=named&value=reload' >> "$TQ"

exit 0

chmod 755 /usr/local/directadmin/scripts/custom/set_tlsa.sh

---

Step 2: Create Let's Encrypt post-hook


nano /usr/local/directadmin/scripts/custom/letsencrypt_post.sh

Content:


#!/bin/sh
# DirectAdmin sets $domain to the renewed domain when it runs this hook
/usr/local/directadmin/scripts/custom/set_tlsa.sh "$domain"
exit 0

chmod 755 /usr/local/directadmin/scripts/custom/letsencrypt_post.sh

---
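To show what the two scripts above compute and enqueue, here is an added Python equivalent (not DirectAdmin's code and not from this guide): it turns a PEM certificate into the "2 0 1" TLSA data, emits the same task.queue lines, and checks a published record against a certificate. SAMPLE_PEM is a constructed stand-in whose body is just base64 text, not a real certificate, and example.com is a placeholder.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlsa_from_pem(pem: str) -> str:
    """DANE-TA data: usage 2, selector 0 (full cert), matching type 1 (SHA-256 of DER)."""
    return "2 0 1 " + hashlib.sha256(pem_to_der(pem)).hexdigest()

def tlsa_matches(pem: str, record: str) -> bool:
    """Does a published '2 0 1 <hex>' record still match this CA certificate?"""
    fields = record.split()
    if len(fields) != 4 or fields[:3] != ["2", "0", "1"]:
        return False
    return fields[3].lower() == hashlib.sha256(pem_to_der(pem)).hexdigest()

def task_queue_lines(domain: str, tlsa: str) -> list:
    """The delete/add/reload sequence set_tlsa.sh appends to task.queue."""
    return [
        f"action=dns&do=delete&domain={domain}&type=TLSA&name=le-ca&value=*",
        f"action=dns&do=delete&domain={domain}&type=CNAME&name=_443._tcp&value=*",
        f"action=dns&do=add&domain={domain}&type=TLSA&name=le-ca&value={tlsa}",
        f"action=dns&do=add&domain={domain}&type=CNAME&name=_443._tcp&value=le-ca",
        "action=named&value=reload",
    ]

# Constructed sample: the body is base64 of the bytes "hello world", NOT a real
# certificate; it only exercises the PEM -> DER -> SHA-256 path.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    rec = tlsa_from_pem(SAMPLE_PEM)
    for line in task_queue_lines("example.com", rec):
        print(line)
```

Because usage 2 pins a CA certificate, the published record only validates while that CA is the one actually signing the domain's certificate, so running tlsa_matches() against the chain served after each renewal catches a silent mismatch.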

6. Mass DNS Changes (TTL, NS, SPF, A Records, etc.)


Example: Change all “mail” A records to new IP 1.2.3.4


cd /var/named
tar cvzf /root/dns_backup.tar.gz *.db
perl -pi -e 's/^mail\s+14400\s+IN\s+A\s+.*$/mail\t14400\tIN\tA\t1.2.3.4/' *.db

Rewrite zones:


echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d400

---

Change SPF for all domains to “-all”


perl -pi -e 's/~all/-all/' *.db

---

Add a new record to all domains


for d in *.db; do
    domain=${d%.db}    # zone file name without .db, i.e. the domain itself
    echo "myrecord 14400 IN A 1.2.3.4" >> "$d"
done
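An added Python version of the bulk edits in this section (not from the guide): it keeps each record's existing TTL instead of matching only 14400, limits the ~all change to TXT records that start with v=spf1, and does not duplicate a record when run twice. SAMPLE_ZONE is a constructed zone, and rewrite_zone_files() is a helper written here that defaults to a dry run and writes a .bak copy before touching a file.

```python
import re
from pathlib import Path

# Constructed sample zone, not taken from a real server.
SAMPLE_ZONE = """$TTL 14400
@\t14400\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 14400 3600 1209600 86400
@\t14400\tIN\tNS\tns1.example.com.
mail\t300\tIN\tA\t10.0.0.5
www\t14400\tIN\tA\t10.0.0.6
@\t14400\tIN\tTXT\t"v=spf1 a mx ip4:10.0.0.5 ~all"
"""

A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\S+)[ \t]*$", re.M)

def rewrite_a_record(zone: str, name: str, new_ip: str):
    """Point every A record called `name` at new_ip, keeping each record's own TTL."""
    count = 0
    def repl(m):
        nonlocal count
        if m.group("name") != name:
            return m.group(0)
        count += 1
        return f"{name}\t{m.group('ttl')}\tIN\tA\t{new_ip}"
    return A_RECORD.sub(repl, zone), count

def spf_hard_fail(zone: str) -> str:
    """Change ~all to -all only inside TXT records that start with v=spf1."""
    return re.sub(r'^(\S+\s+\d+\s+IN\s+TXT\s+"v=spf1[^"]*?)~all"', r'\1-all"', zone, flags=re.M)

def add_record_if_missing(zone: str, line: str) -> str:
    """Append a record once; the plain >> loop above duplicates it on every run."""
    if line in zone.splitlines():
        return zone
    return zone.rstrip("\n") + "\n" + line + "\n"

def rewrite_zone_files(named_dir: str, name: str, new_ip: str, dry_run: bool = True) -> dict:
    """Apply rewrite_a_record to every *.db under named_dir; returns {file: records changed}."""
    changed = {}
    for db in Path(named_dir).glob("*.db"):
        text = db.read_text()
        new_text, n = rewrite_a_record(text, name, new_ip)
        if n:
            changed[db.name] = n
            if not dry_run:
                db.with_name(db.name + ".bak").write_text(text)   # per-file backup
                db.write_text(new_text)
    return changed
```

Run the rewrite with dry_run=True first to see which zones would change, then rewrite the zones through task.queue as shown above so DirectAdmin picks up the edited files.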

Written & researched by Dr. Shahin Siami