How do I enable DNSSEC on my domain with Route 53 and register a DS record?

Last updated: 2022-03-08

I want to enable Domain Name System Security Extensions (DNSSEC) for my domain registered with Amazon Route 53 through a registrar.

Short description

To enable DNSSEC on your domain registered with Route 53, you must register your Delegation Signer (DS) record through a registrar that manages your domain name.

Important: If your domain is a second-level domain (SLD), see How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Confirm that your parent hosted zone is in the SIGNING status.

2.    In the AWS CLI, use the get-dnssec command to get the key-signing key's (KSK's) public key and the DS record of your parent hosted zone. Example output from the get-dnssec command:

$ aws route53 get-dnssec --hosted-zone-id Zxxxxxxxxxxxxxxxxxxxx
{
    "Status": {
        "ServeSignature": "SIGNING"
    },
    "KeySigningKeys": [
        {
            "Name": "forKnowledgeCenter",
            "KmsArn": "arn:aws:kms:us-east-1:nnnnnnnnnnnn:key/4a7a9720-91b5-49d5-8069-79634593a1b9",
            "Flag": 257,
            "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
            "SigningAlgorithmType": 13,
            "DigestAlgorithmMnemonic": "SHA-256",
            "DigestAlgorithmType": 2,
            "KeyTag": 1101,
            "DigestValue": "000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
            "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "DSRecord": "1101 13 2 000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
            "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "Status": "ACTIVE",
            "CreatedDate": "2020-12-21T13:11:47.974000+00:00",
            "LastModifiedDate": "2020-12-21T13:11:47.974000+00:00"
        }
    ]
}

Complete the following steps to register the KSK public key and DS record with your parent hosted zone.

If your registrar is Route 53, register the KSK public key and DS record with Route 53 domains:

1.    Open the Route 53 console.

2.    In the navigation pane, choose Registered domains.

3.    Follow the instructions for Enabling DNSSEC signing and establishing a chain of trust.


  • API:AddDnssec is supported only with the AWS Management Console
  • Choose Key type: 257 - KSK
  • Choose Algorithm: 13 - ECDSAP256SHA256

If your registrar isn't Route 53, then register the KSK public key and DS record with your registrar. The domain registrar forwards the public key and the algorithm to the registry for the top-level domain (TLD). Note that the DS record is a digest of the KSK public key.
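Added example (not part of the original article and not AWS code): a Python pre-flight check of the get-dnssec output before the DS record goes to a registrar. It cross-checks the DSRecord and DNSKEYRecord strings against their component fields and, when a zone name is supplied, recomputes the SHA-256 DS digest from the owner name and DNSKEY RDATA (RFC 4034, RFC 4509). The function names and the owner parameter are assumptions; SAMPLE reuses the example values shown earlier, whose zone name the page does not give.

```python
import base64, hashlib

# Subset of the example get-dnssec output on this page (values copied from it).
SAMPLE = {
    "Status": {"ServeSignature": "SIGNING"},
    "KeySigningKeys": [{
        "Name": "forKnowledgeCenter", "Flag": 257, "Status": "ACTIVE",
        "SigningAlgorithmType": 13, "DigestAlgorithmType": 2, "KeyTag": 1101,
        "DigestValue": "000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
        "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
        "DSRecord": "1101 13 2 000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
        "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
    }],
}

def wire_name(owner):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(owner, dnskey_record):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), as uppercase hex."""
    flags, proto, alg, key = dnskey_record.split(None, 3)
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode(key)
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def preflight(resp, owner=None):
    """Return the problems that should block submitting the DS record."""
    problems = []
    if resp.get("Status", {}).get("ServeSignature") != "SIGNING":
        problems.append("hosted zone is not in SIGNING status")
    keys = resp.get("KeySigningKeys", [])
    if not keys:
        problems.append("no key-signing keys returned")
    for k in keys:
        name = k.get("Name", "?")
        if k["Status"] != "ACTIVE" or k["Flag"] != 257:
            problems.append(f"{name}: not an ACTIVE KSK (flag 257)")
        if k["DSRecord"].split() != [str(k["KeyTag"]), str(k["SigningAlgorithmType"]),
                                     str(k["DigestAlgorithmType"]), k["DigestValue"]]:
            problems.append(f"{name}: DSRecord disagrees with its component fields")
        if k["DNSKEYRecord"].split() != [str(k["Flag"]), "3", str(k["SigningAlgorithmType"]), k["PublicKey"]]:
            problems.append(f"{name}: DNSKEYRecord disagrees with its component fields")
        if k["SigningAlgorithmType"] == 13 and len(base64.b64decode(k["PublicKey"])) != 64:
            problems.append(f"{name}: algorithm 13 public key must be 64 bytes")
        if owner and k["DigestAlgorithmType"] == 2 and ds_digest(owner, k["DNSKEYRecord"]) != k["DigestValue"]:
            problems.append(f"{name}: DS digest does not match DNSKEY for {owner}")
    return problems
```

Feed it the parsed JSON from your own get-dnssec call and pass your zone name as owner; an empty list means the values you are about to enter at the registrar are internally consistent.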
