How do I turn on DNSSEC on my domain with Route 53 and register a DS record?

2 minute read
0

I want to turn on Domain Name System Security Extensions (DNSSEC) for my domain registered with Amazon Route 53 through a registrar.

Resolution

To turn on DNSSEC on your domain registered with Route 53, register your Delegation Signer (DS) record through a registrar that manages your domain name.

Important: If your domain is a second-level domain (SLD), see How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Confirm that your parent hosted zone is in the SIGNING status.

2.    In the AWS CLI, use the get-dnssec command to get the key-signing keys (KSKs) public key and DS record of your parent hosted zone. Example output from the get-dnssec command:

$ aws route53 get-dnssec --hosted-zone-id Zxxxxxxxxxxxxxxxxxxxx
{
  "Status": {
    "ServeSignature": "SIGNING"
  },
  "KeySigningKeys": [
    {
      "Name": "forKnowledgeCenter",
      "KmsArn": "arn:aws:kms:us-east-1:nnnnnnnnnnnn:key/4a7a9720-91b5-49d5-8069-79634593a1b9",
      "Flag": 257,
      "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
      "SigningAlgorithmType": 13,
      "DigestAlgorithmMnemonic": "SHA-256",
      "DigestAlgorithmType": 2,
      "KeyTag": 1101,
      "DigestValue": "000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
      "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
      "DSRecord": "1101 13 2 000E2A1C338464CD62AB72843612660CEF8E1FB2F221555DB4E31F1FBD14DD5F",
      "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
      "Status": "ACTIVE",
      "CreatedDate": "2020-12-21T13:11:47.974000+00:00",
      "LastModifiedDate": "2020-12-21T13:11:47.974000+00:00"
    }
  ]
}

Complete the following steps to register the KSK public key and DS record with your parent hosted zone.

If your registrar is Route 53, then register the KSK public key and DS record with Route 53 domains.

1.    Open the Route 53 console.

2.    In the navigation pane, choose Registered domains.

3.    Follow the instructions for Turning on DNSSEC signing and establishing a chain of trust.

Note:

  • API:AddDnssec is supported only through the AWS Management Console.
  • Choose Key type: 257 - KSK
  • Choose Algorithm: 13 - ECDSAP256SHA256

If your registrar isn't Amazon Route 53, then register the KSK public key and DS record with your registrar. The domain registrar forwards the public key and the algorithm to the registry for the top-level domain (TLD). Note that the DS record is a digest of the KSK public key.

Related information

Configuring DNSSEC signing and validation with Amazon Route 53

Troubleshooting DNSSEC signing

AWS OFFICIAL
AWS OFFICIALUpdated a year ago