How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?

Last updated: 2021-04-20

How can I configure Domain Name System Security Extensions (DNSSEC) for my domain name registered with Amazon Route 53 or another registrar?

Short description

To enable DNSSEC signing for your domain, you must:

1.    Enable DNSSEC signing and create a key-signing key (KSK)

2.    Establish a chain of trust by registering the Delegation Signer (DS) record with the parent hosted zone in Route 53

Important: If your domain is a top-level domain (TLD), see How do I enable DNSSEC on my domain with Route 53 and register a DS record?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Follow the steps to enable DNSSEC signing, and then create a KSK.

2.    Confirm that your parent hosted zone is in the SIGNING status.

3.    Follow the steps to establish a chain of trust.

Note: In the AWS CLI, you can use the get-dnssec command to get the DS record of your parent hosted zone. Example output from the get-dnssec command:

$ aws route53 get-dnssec --hosted-zone-id Zyyyyyyyyyyyyyyyyyyyy
{
    "Status": {
        "ServeSignature": "SIGNING"
    },
    "KeySigningKeys": [
        {
            "Name": "forKnowledgeCenter",
            "KmsArn": "arn:aws:kms:us-east-1:nnnnnnnnnnnn:key/4a7a9720-91b5-49d5-8069-79634593a1b9",
            "Flag": 257,
            "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
            "SigningAlgorithmType": 13,
            "DigestAlgorithmMnemonic": "SHA-256",
            "DigestAlgorithmType": 2,
            "KeyTag": 1101,
            "DigestValue": "57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "DSRecord": "1101 13 2 57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "Status": "ACTIVE",
            "CreatedDate": "2020-12-21T13:58:49.719000+00:00",
            "LastModifiedDate": "2020-12-21T13:58:49.719000+00:00"
        }
    ]
}

4.    Complete the following to register the DS record with your parent hosted zone:

Open the Route 53 console.
In the navigation pane, choose Hosted zones.
Select the name of your parent hosted zone.
Choose Create record.
For Routing policy, choose Simple routing.
For Record type, choose DS - Delegation Signer.
For Record name, enter the name of the domain or subdomain that you want to route traffic for. The default value is the name of the hosted zone.
Note: If you're creating a record that has the same name as the hosted zone, leave the Record name field blank.
For value, specify your values using the format [key tag] [algorithm] [digest type] [digest].
For TTL, specify 3600 seconds.

Did this article help?


Do you need billing or technical support?