Disabling DNSSEC signing
The steps for disabling DNSSEC signing in Route 53 vary, depending on the chain of trust that your hosted zone is part of.
For example, your hosted zone might have a parent zone that has a Delegation Signer (DS) record, as part of a chain of trust. Your hosted zone might also be itself a parent zone for child zones that have enabled DNSSEC signing, which is another part of the chain of trust. Investigate and determine the full chain of trust for your hosted zone before you take the steps to disable DNSSEC signing.
The chain of trust for your hosted zone that enables DNSSEC signing must be carefully undone as you disable signing. To remove your hosted zone from the chain of trust, you remove all DS records that are in place for the chain of trust that includes this hosted zone. This means that you must do the following, in order:
-
Remove any DS records that this hosted zone has for child zones that are part of a chain of trust.
-
Remove the DS record from the parent zone. Skip this step if you have an island of trust (there are no DS records in the parent zone and no DS records for child zones in this zone).
If you are not able to remove the DS records, you can instead remove the zone from the chain of trust by removing its NS records from the parent zone. Note that this removes the delegation itself, so the zone stops resolving until the NS records are restored. For more information, see Adding or changing name servers and glue records for a domain.
The following incremental steps allow you to monitor the effectiveness of the individual steps to avoid DNS availability issues in your zone.
To disable DNSSEC signing
-
Monitor zone availability.
You can monitor the zone for the availability of your domain names. This can help you address any issues that might warrant rolling a step back after you disable DNSSEC signing. You can identify the domain names that receive the most traffic by using query logging. For more information about setting up query logging, see Monitoring Amazon Route 53.
The monitoring can be done through a shell script, or through a paid service. It shouldn't, however, be the only signal to determine if a rollback is required. You might also get feedback from your customers due to a domain not being available.
-
Find the current DS TTL.
You can find the DS TTL by running the following Unix command. The TTL is the second field of each DS record in the ANSWER SECTION of the output:
dig -t DS example.com
-
Find the maximum NS TTL.
There are 2 sets of NS records associated with your zones:
-
The delegation NS record — this is the NS record for your zone held by the parent zone. You can find this by running the following Unix commands:
First find the NS of your parent zone (if your zone is example.com, the parent zone is com):
dig -t NS com
Pick one of the NS records and then run the following:
dig @<one of the NS records of your parent zone> -t NS example.com
For example:
dig @b.gtld-servers.net. -t NS example.com
-
The in-zone NS record — this is the NS record in your zone. You can find this by running the following Unix command:
dig @<one of the NS records of your zone> -t NS example.com
For example:
dig @ns-0000.awsdns-00.co.uk. -t NS example.com
Note the larger of the two NS TTLs; this is the maximum NS TTL used in the rollback steps below.
-
Remove the DS record from the parent zone.
Contact the parent zone owner to remove the DS record.
Rollback: re-insert the DS record, confirm that the insertion is effective, and wait for the maximum NS TTL (not the DS TTL) before all resolvers start validating again.
-
Confirm the DS removal is effective.
If the parent zone is on Route 53 DNS service, the parent zone owner can confirm full propagation through the GetChange API.
Otherwise, you can periodically probe the parent zone for the DS record, and then wait another 10 minutes afterwards to increase the probability that the DS record removal has fully propagated. Note that some registrars apply DS removals on a schedule, for example once a day.
-
Wait for the DS TTL.
Wait until all resolvers have expired the DS record from their caches.
-
Disable DNSSEC signing by calling DisableHostedZoneDNSSEC, and then deactivate the key-signing key (KSK) by calling DeactivateKeySigningKey.
Rollback: call ActivateKeySigningKey and EnableHostedZoneDNSSEC APIs.
For example:
aws --region us-east-1 route53 activate-key-signing-key \
    --hosted-zone-id $hostedzone_id --name $ksk_name
aws --region us-east-1 route53 enable-hosted-zone-dnssec \
    --hosted-zone-id $hostedzone_id
-
Confirm disabling zone signing is effective.
Use the Id from the DisableHostedZoneDNSSEC call to run GetChange to make sure that all Route 53 DNS servers have stopped signing responses (status = INSYNC).
-
Observe name resolution.
You should observe no issues resulting from resolvers validating your zone. Allow 1-2 weeks to also account for the time your customers need to report problems to you.
-
(Optional) Clean up.
If you will not re-enable signing, you can clean up the KSKs through DeleteKeySigningKey and delete the corresponding customer managed key to save costs.
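The procedure above as one script, added here as an example; it is not code from the Route 53 documentation. It parses dig output the way the two TTL steps do, probes the parent zone until the DS record is gone, waits the DS TTL, and then calls disable-hosted-zone-dnssec, deactivate-key-signing-key and get-change. The domain example.com and the name servers b.gtld-servers.net. and ns-0000.awsdns-00.co.uk. come from the page; the hosted zone ID, the KSK name and the sample dig answers are constructed assumptions. The functions that query real name servers or call the aws CLI run only when DNSSEC_DISABLE_RUN=1 is set, so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the Route 53 documentation: shell helpers for
# the disable-signing procedure. The dig-output parsing runs offline against
# the constructed sample answers below; the functions that query real name
# servers or call the aws CLI run only when DNSSEC_DISABLE_RUN=1.
# ZONE, PARENT_NS, ZONE_NS, HOSTED_ZONE_ID and KSK_NAME are assumed values.

ZONE="${ZONE:-example.com}"
PARENT_NS="${PARENT_NS:-b.gtld-servers.net.}"            # assumed parent NS
ZONE_NS="${ZONE_NS:-ns-0000.awsdns-00.co.uk.}"           # assumed in-zone NS
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0123456789EXAMPLE}"   # assumed
KSK_NAME="${KSK_NAME:-example-ksk}"                      # assumed

# Constructed samples of what "dig +noall +answer" prints (name TTL class type rdata).
SAMPLE_DS_ANSWER='example.com. 3600 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_PARENT_NS_ANSWER='example.com. 172800 IN NS ns-0000.awsdns-00.co.uk.
example.com. 172800 IN NS ns-0001.awsdns-00.org.'
SAMPLE_ZONE_NS_ANSWER='example.com. 7200 IN NS ns-0000.awsdns-00.co.uk.
example.com. 7200 IN NS ns-0001.awsdns-00.org.'

# max_ttl TYPE: read dig answer lines on stdin and print the largest TTL among
# records of TYPE (0 if there are none). Lines starting with ';' are comments.
max_ttl() {
    awk -v t="$1" '$1 !~ /^;/ && $4 == t { if ($2 + 0 > m) m = $2 + 0 } END { print m + 0 }'
}

# ds_present: succeed (exit 0) if stdin contains at least one DS record.
ds_present() {
    awk '$1 !~ /^;/ && $4 == "DS" { found = 1 } END { exit !found }'
}

# larger A B: print the larger of two integers.
larger() { if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi; }

# "Find the current DS TTL": query the parent directly so the TTL is the full
# authoritative value rather than a resolver's remaining cache time.
find_ds_ttl() {
    dig "@$PARENT_NS" +noall +answer -t DS "$ZONE" | max_ttl DS
}

# "Find the maximum NS TTL": the larger of the delegation NS TTL and the
# in-zone NS TTL. A parent server answers an NS query for a child with a
# referral, so its NS records arrive in the AUTHORITY section; the in-zone
# server returns them in the ANSWER section.
find_max_ns_ttl() {
    p=$(dig "@$PARENT_NS" +noall +answer +authority -t NS "$ZONE" | max_ttl NS)
    z=$(dig "@$ZONE_NS" +noall +answer -t NS "$ZONE" | max_ttl NS)
    larger "$p" "$z"
}

# "Confirm the DS removal is effective": probe the parent until the DS record
# is gone, then add the page's 10-minute margin for propagation.
wait_for_ds_removal() {
    while dig "@$PARENT_NS" +noall +answer -t DS "$ZONE" | ds_present; do
        echo "DS still present at $PARENT_NS; retrying in 60s"
        sleep 60
    done
    sleep 600
}

# "Disable DNSSEC signing" and "Confirm disabling zone signing is effective":
# disable, deactivate the KSK, then poll GetChange on the disable call's
# change Id until every Route 53 name server reports INSYNC.
disable_signing() {
    change_id=$(aws --region us-east-1 route53 disable-hosted-zone-dnssec \
        --hosted-zone-id "$HOSTED_ZONE_ID" --query 'ChangeInfo.Id' --output text)
    aws --region us-east-1 route53 deactivate-key-signing-key \
        --hosted-zone-id "$HOSTED_ZONE_ID" --name "$KSK_NAME" >/dev/null
    until [ "$(aws --region us-east-1 route53 get-change --id "$change_id" \
                --query 'ChangeInfo.Status' --output text)" = INSYNC ]; do
        sleep 10
    done
}

main() {
    ds_ttl=$(find_ds_ttl)
    ns_ttl=$(find_max_ns_ttl)
    echo "DS TTL ${ds_ttl}s; maximum NS TTL ${ns_ttl}s (a rollback must wait the NS TTL)"
    echo "Remove the DS record at the parent now; waiting for it to disappear..."
    wait_for_ds_removal
    echo "DS record gone; waiting ${ds_ttl}s for resolver caches to expire"
    sleep "$ds_ttl"
    disable_signing
    echo "Signing disabled and INSYNC on all Route 53 name servers"
}

if [ "${DNSSEC_DISABLE_RUN:-0}" = 1 ]; then main; fi
```

The script does not remove the DS record itself, because that is done by the parent zone owner or registrar; it records the TTLs first, waits for the removal to become visible, and only then touches the hosted zone. Keep the monitoring from the first step running throughout, since the script cannot tell you whether customers are seeing validation failures.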