Custom script, which you can create here: /usr/local/directadmin/scripts/custom/dnssec_sign_post.sh If it exists, this script is called after a zone is signed, but before any clustering sends it off to the slave dns servers. Variables are: domain=domain.com return_code=0|1 do_cluster=0|1 The return_code is the success/failure of the actual signing. 1 is good, 0 means there was an error. The do_cluster is set to 1 if directadmin.conf cluster=1 AND it's a local trigger. Remote slaves get the raw copy anyway, so do_cluster=0 might only be seen if directadmin.conf cluster=0.. The only remote case would be remote per-record changes.. which I cannot recall ever doing. Possibly in the future, so just be sure you handle it if you need to do different actions based on this value. (eg: dns-01 wildcard LetsEncrypt requests) Exit status: If all is well, and you want the clustering (if enabled) to proceed, use exit code 0 If there is an error and you need it to abort the clustering push, then use any non-zero value, and the signing function call will abort after the local file is signed, but before the clustering push happens.