Working with customer managed CMKs for DNSSEC - Amazon Route 53

When you enable DNSSEC signing in Amazon Route 53, Route 53 creates a key-signing key (KSK) for you. To create a KSK, Route 53 must use a customer managed customer master key (CMK) in AWS Key Management Service (AWS KMS) that supports DNSSEC. This section describes the details and requirements for that customer managed CMK that you should know as you work with DNSSEC.

Keep the following in mind when you work with customer managed CMKs for DNSSEC:

  • The customer managed CMK that you use with DNSSEC signing must be in the US East (N. Virginia) Region.

  • The customer managed CMK must be an asymmetric CMK with an ECC_NIST_P256 key spec. These CMKs are used only for signing and verification. For help creating an asymmetric CMK, see Creating asymmetric CMKs in the AWS Key Management Service Developer Guide. For help finding the cryptographic configuration of an existing CMK, see Viewing the cryptographic configuration of CMKs in the AWS Key Management Service Developer Guide.

  • If you create a customer managed CMK yourself to use with DNSSEC in Route 53, you must include specific key policy statements that give Route 53 the required permissions. Route 53 must be able to access your customer managed CMK so that it can create a KSK for you. For more information, see Route 53 CMK permissions required for DNSSEC signing.

  • Route 53 can create a customer managed CMK for you in AWS KMS to use with DNSSEC signing without requiring additional AWS KMS permissions. However, you must have specific permissions to edit the key after it's created, namely kms:UpdateKeyDescription, kms:UpdateAlias, and kms:PutKeyPolicy.

  • Be aware that separate charges apply for each customer managed CMK that you have, whether you create the CMK or Route 53 creates it for you. For more information, see AWS Key Management Service pricing.
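The following added example (not from the AWS documentation) checks a key you created yourself against the requirements above before you enable DNSSEC signing: the Region in the key ARN, the KeySpec and KeyUsage from the key's cryptographic configuration, and whether the key policy grants the Route 53 DNSSEC service the actions it needs. The service principal dnssec-route53.amazonaws.com and the set of required actions are assumptions to be confirmed against the linked CMK permissions page; the sample key metadata and policy are constructed inline in the shape returned by kms describe-key and kms get-key-policy.

```python
import json

# Requirements stated on this page.
REQUIRED_REGION = "us-east-1"            # US East (N. Virginia)
REQUIRED_KEY_SPEC = "ECC_NIST_P256"
REQUIRED_KEY_USAGE = "SIGN_VERIFY"       # the CMK is used only for signing and verification
# ASSUMPTION: the Route 53 DNSSEC service principal and the actions its key-policy
# statements must grant; confirm both against the linked "CMK permissions" page.
ROUTE53_DNSSEC_PRINCIPAL = "dnssec-route53.amazonaws.com"
REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:CreateGrant"}

def _as_set(value):
    """Policy fields may be a single string or a list; normalise to a set of strings."""
    return set() if value is None else {value} if isinstance(value, str) else set(value)

def allowed_actions_for_service(policy, service):
    """Collect the actions that Allow statements in a key policy grant to one service principal."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        if stmt.get("Effect") == "Allow" and service in services:
            allowed |= _as_set(stmt.get("Action"))
    return allowed

def check_dnssec_cmk(key_metadata, key_policy):
    """Return a list of findings; an empty list means the key meets the requirements."""
    findings = []
    region = key_metadata["Arn"].split(":")[3]   # arn:aws:kms:<region>:<account>:key/<id>
    if region != REQUIRED_REGION:
        findings.append(f"key is in {region}; it must be in {REQUIRED_REGION}")
    if key_metadata.get("KeySpec") != REQUIRED_KEY_SPEC:
        findings.append(f"KeySpec is {key_metadata.get('KeySpec')}; it must be {REQUIRED_KEY_SPEC}")
    if key_metadata.get("KeyUsage") != REQUIRED_KEY_USAGE:
        findings.append(f"KeyUsage is {key_metadata.get('KeyUsage')}; it must be {REQUIRED_KEY_USAGE}")
    missing = REQUIRED_ACTIONS - allowed_actions_for_service(key_policy, ROUTE53_DNSSEC_PRINCIPAL)
    if missing:
        findings.append("key policy does not allow Route 53 DNSSEC: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample input, shaped like `kms describe-key` and `kms get-key-policy` output.
SAMPLE_METADATA = {"Arn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID",
                   "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "dnssec-route53.amazonaws.com"},
   "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"], "Resource": "*"}]}""")

if __name__ == "__main__":
    for finding in check_dnssec_cmk(SAMPLE_METADATA, SAMPLE_POLICY) or ["OK: key meets the requirements"]:
        print(finding)
```

The sample key is reported twice: it lives in us-west-2 rather than US East (N. Virginia), and its policy lacks one of the assumed actions; fix both before enabling signing, or let Route 53 create the CMK for you.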