How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?

Last updated: 2021-04-20

How can I configure Domain Name System Security Extensions (DNSSEC) for my subdomain registered with Amazon Route 53 or another registrar?

Short description

To enable DNSSEC signing for your subdomain, you must:

1.    Enable DNSSEC signing and create a key-signing key (KSK)

2.    Establish a chain of trust by registering the Delegation Signer (DS) record with the parent hosted zone in Route 53


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Follow the steps to enable DNSSEC signing, and then create a KSK.

2.    Confirm that your parent hosted zone is in the SIGNING status.

3.    Follow the steps to establish a chain of trust.

Note: In the AWS CLI, you can use the get-dnssec command to get the DS record of your parent hosted zone. Example output from the get-dnssec command:

$ aws route53 get-dnssec --hosted-zone-id Zyyyyyyyyyyyyyyyyyyyy
    "Status": {
        "ServeSignature": "SIGNING"
    "KeySigningKeys": [
            "Name": "forKnowledgeCenter",
            "KmsArn": "arn:aws:kms:us-east-1:nnnnnnnnnnnn:key/4a7a9720-91b5-49d5-8069-79634593a1b9",
            "Flag": 257,
            "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
            "SigningAlgorithmType": 13,
            "DigestAlgorithmMnemonic": "SHA-256",
            "DigestAlgorithmType": 2,
            "KeyTag": 1101,
            "DigestValue": "57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "DSRecord": "1101 13 2 57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "Status": "ACTIVE",
            "CreatedDate": "2020-12-21T13:58:49.719000+00:00",
            "LastModifiedDate": "2020-12-21T13:58:49.719000+00:00"

4.    Complete the following to register the DS record with your parent hosted zone:

Open the Route 53 console.
In the navigation pane, choose Hosted zones.
Select the name of your parent hosted zone.
Choose Create record.
For Routing policy, choose Simple routing.
For Record type, choose DS - Delegation Signer.
For Record name,
For value, specify your values using the format [key tag] [algorithm] [digest type] [digest].
For TTL, specify 3600 seconds.

Did this article help?

Do you need billing or technical support?