How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?


I want to configure Domain Name System Security Extensions (DNSSEC) for my domain name registered with Amazon Route 53 or another registrar.

Short description

To turn on DNSSEC for your subdomain, you must first turn on DNSSEC signing for the subdomain's hosted zone and create a key-signing key (KSK). Then, establish a chain of trust by registering the subdomain's Delegation Signer (DS) record in the parent hosted zone in Route 53.

Important: This article covers a subdomain whose parent zone is hosted in Route 53. For the registered (apex) domain itself, where the DS record must go to the registrar rather than to a parent hosted zone, see How do I turn on DNSSEC on my domain with Amazon Route 53 and register a DS record?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

1.    Follow the steps to turn on DNSSEC signing for the subdomain's hosted zone, and then create a KSK.

2.    Confirm that your parent hosted zone is in the SIGNING status. Resolvers follow the chain of trust from the parent down to the subdomain, so the parent must itself be signed, with its own DS record already registered, before a DS record for the subdomain is useful.

3.    Follow the steps to establish a chain of trust.

Note: In the AWS CLI, you can use the get-dnssec command to get the DS record of the subdomain's hosted zone (the child zone that you turned on signing for in step 1; pass that zone's ID, not the parent's). The DS record is derived from the child zone's KSK, and it's the value that you publish in the parent. Example output from the get-dnssec command:

$ aws route53 get-dnssec --hosted-zone-id Zyyyyyyyyyyyyyyyyyyyy
{
    "Status": {
        "ServeSignature": "SIGNING"
    },
    "KeySigningKeys": [
        {
            "Name": "forKnowledgeCenter",
            "KmsArn": "arn:aws:kms:us-east-1:nnnnnnnnnnnn:key/4a7a9720-91b5-49d5-8069-79634593a1b9",
            "Flag": 257,
            "SigningAlgorithmMnemonic": "ECDSAP256SHA256",
            "SigningAlgorithmType": 13,
            "DigestAlgorithmMnemonic": "SHA-256",
            "DigestAlgorithmType": 2,
            "KeyTag": 1101,
            "DigestValue": "57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "PublicKey": "ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "DSRecord": "1101 13 2 57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
            "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
            "Status": "ACTIVE",
            "CreatedDate": "2020-12-21T13:58:49.719000+00:00",
            "LastModifiedDate": "2020-12-21T13:58:49.719000+00:00"
        }
    ]
}

4.    Complete the following steps to register the DS record with your parent hosted zone:

Open the Route 53 console.
In the navigation pane, choose Hosted zones.
Select the name of your parent hosted zone.
Choose Create record.
For Routing policy, choose Simple routing.
For Record type, choose DS - Delegation Signer.
For Record name, enter the name of the subdomain that you're delegating trust to (the name of the child hosted zone). The default value is the name of the parent hosted zone itself; change it, because a DS record belongs at the delegation point, that is, at the subdomain's name, not at the parent's apex.
For Value, specify the DSRecord value from the get-dnssec output in step 3. The format is [key tag] [signing algorithm type] [digest algorithm type] [digest]; for the example output above, that's 1101 13 2 57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE.
For TTL, specify 3600 seconds.
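The following script is an added example, not code from the AWS article, that does steps 3 and 4 from the command line and adds the checks a practitioner wants before publishing: it recomputes the key tag from the DNSKEY the API reports (the page's sample key really does yield tag 1101), verifies that a DS record matches the child's DNSKEY for a given owner name, refuses to proceed while the child zone is not SIGNING, and builds the change batch for `aws route53 change-resource-record-sets` against the parent zone. It assumes a hypothetical subdomain name `dnssec-demo.example.com` (the page shows only the zone ID `Zyyyyyyyyyyyyyyyyyyyy`) and a placeholder `<PARENT_ZONE_ID>`; the embedded JSON is the page's own get-dnssec sample, trimmed to the fields used.

```python
from __future__ import annotations

import base64
import hashlib
import json
import struct

# Assumed subdomain hosted zone name; the page only shows the zone ID Zyyyyyyyyyyyyyyyyyyyy.
OWNER = "dnssec-demo.example.com."

# Copied from the page's get-dnssec sample output, trimmed to the fields used here.
GET_DNSSEC_OUTPUT = {
    "Status": {"ServeSignature": "SIGNING"},
    "KeySigningKeys": [{
        "Name": "forKnowledgeCenter",
        "Flag": 257,
        "SigningAlgorithmType": 13,
        "DigestAlgorithmType": 2,
        "KeyTag": 1101,
        "Status": "ACTIVE",
        "DSRecord": "1101 13 2 57BB41C3E5F8606F64D6926D4EA80A2D5139FCD029828CDE00E94D78882819DE",
        "DNSKEYRecord": "257 3 13 ELfupc8RXEcoLl8AZiDX6LOInJMc1h7MDnuIEAWzJIG6vOB0QAOfRzFHT15WwGzXPZKqrTkSSTm+CSQlIfCWbg==",
    }],
}

# DS digest types (RFC 4509 / RFC 6605); Route 53 reports SHA-256 as DigestAlgorithmType 2.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(dnskey_record: str) -> bytes:
    """Wire RDATA of a 'flags protocol algorithm base64-key' DNSKEY presentation string."""
    flags, proto, alg, *key = dnskey_record.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: fold the 16-bit word sum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey_record: str, digest_type: int = 2) -> str:
    """DS text 'keytag alg digesttype digest' = hash(owner wire name + DNSKEY RDATA), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(dnskey_record)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def verify_ds(owner: str, ds_text: str, dnskey_record: str) -> bool:
    """True if a DS published at `owner` in the parent matches the child's DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    if int(dtype) not in DIGEST_ALGS:
        return False
    expected = ds_record(owner, dnskey_record, int(dtype))
    return expected.split() == [tag, alg, dtype, digest.replace(" ", "").upper()]


def active_ksks(get_dnssec: dict) -> list[dict]:
    """KSKs whose DS belongs in the parent; refuses a child zone that is not yet SIGNING."""
    state = get_dnssec["Status"]["ServeSignature"]
    if state != "SIGNING":
        raise RuntimeError(f"child zone is {state}, not SIGNING; publishing a DS now breaks resolution")
    ksks = [k for k in get_dnssec["KeySigningKeys"] if k["Status"] == "ACTIVE" and k["Flag"] == 257]
    if not ksks:
        raise RuntimeError("no ACTIVE key-signing key in the child zone")
    for k in ksks:
        # The API's KeyTag must match the DNSKEY it reports, else DSRecord describes another key.
        if key_tag(dnskey_rdata(k["DNSKEYRecord"])) != k["KeyTag"]:
            raise RuntimeError(f"KeyTag {k['KeyTag']} does not match DNSKEYRecord")
    return ksks


def ds_change_batch(subdomain: str, ds_values: list[str], ttl: int = 3600) -> dict:
    """Change batch for the PARENT zone. UPSERT replaces the whole DS set: pass old and new during rollover."""
    return {
        "Comment": "DS records delegating DNSSEC trust to " + subdomain,
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": subdomain.rstrip(".") + ".",  # the subdomain, never the parent's own name
                "Type": "DS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in ds_values],
            },
        }],
    }


if __name__ == "__main__":
    ksks = active_ksks(GET_DNSSEC_OUTPUT)
    # In real use, verify_ds(<real zone name>, k["DSRecord"], k["DNSKEYRecord"]) must be True before
    # publishing. The page's DSRecord was made for a zone name the page omits, so against the
    # assumed OWNER it is False: that is exactly what a DS at the wrong record name looks like.
    for k in ksks:
        print("DSRecord verifies at", OWNER, "->", verify_ds(OWNER, k["DSRecord"], k["DNSKEYRecord"]))
    ds_values = [ds_record(OWNER, k["DNSKEYRecord"], k["DigestAlgorithmType"]) for k in ksks]
    print(json.dumps(ds_change_batch(OWNER, ds_values), indent=2))
    print("# aws route53 change-resource-record-sets --hosted-zone-id <PARENT_ZONE_ID> --change-batch file://ds.json")
```

Write the printed batch to ds.json and run the printed command against the parent hosted zone; afterwards, `dig +dnssec DS dnssec-demo.example.com` from a validating resolver should return the DS record with an RRSIG, and `verify_ds` with the real zone name against the live DNSKEY confirms the chain before you rely on it. The SIGNING guard matters: a DS record published while the child still serves unsigned answers makes validating resolvers return SERVFAIL for the whole subdomain.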

Related information

Troubleshooting DNSSEC signing

AWS OFFICIAL. Updated a year ago.