Enabling DNSSEC signing and establishing a chain of trust - Amazon Route 53

Enabling DNSSEC signing and establishing a chain of trust

This section provides step-by-step information for enabling and disabling DNSSEC signing in the Amazon Route 53 console. There are two steps to enabling DNSSEC signing: enabling signing and having Route 53 create a key-signing key (KSK), and establishing a chain of trust.

To enable DNSSEC signing programmatically, see Using the AWS CLI to enable DNSSEC signing.

Enabling DNSSEC signing and creating a KSK

To get started using DNSSEC signing in Route 53, you enable DNSSEC signing, and then Route 53 creates a key-signing key (KSK) for you, based on a customer managed key that you choose.

When you provide or create a customer managed KMS key, there are several requirements. For more information, see Working with customer managed keys for DNSSEC.

To enable DNSSEC signing and create a KSK

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones, and then choose a hosted zone that you want to enable DNSSEC signing for.

  3. On the DNSSEC signing tab, choose Enable DNSSEC signing.

    Note

    If the option in this section is Disable DNSSEC signing, you have already completed the first step in enabling DNSSEC signing. Be sure that you establish, or that there already exists, a chain of trust for the hosted zone for DNSSEC, and then you're done. For more information, see Establishing a chain of trust.

  4. Under KSK, enter a name for the KSK that Route 53 will create for you. The name can include numbers, letters, and underscores (_). It must be unique.

  5. Under Customer managed CMK, choose the customer managed key for Route 53 to use when it creates the KSK for you. You can use an existing customer managed key that applies to DNSSEC signing, or create a new customer managed key.

    When you provide or create a customer managed key, there are several requirements. For more information, see Working with customer managed keys for DNSSEC.

  6. Enter the alias for an existing customer managed key. If you want to use a new customer managed key, enter an alias for a customer managed key, and Route 53 will create one for you.

    Note

    If you choose to have Route 53 create a customer managed key, be aware that separate charges apply for each customer managed key. For more information, see AWS Key Management Service pricing.

  7. Choose Enable DNSSEC signing.

Establishing a chain of trust

After you enable DNSSEC signing for a hosted zone in Route 53, establish a chain of trust for the hosted zone to complete your DNSSEC signing setup. You do this by creating a Delegation Signer (DS) record in the parent hosted zone, for your hosted zone, using the information that Route 53 provides. Depending on where your domain is registered, you add the record to the parent hosted zone in Route 53 or at another domain registrar.

To establish a chain of trust for DNSSEC signing

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones, and then choose a hosted zone that you want to establish a DNSSEC chain of trust for. You must enable DNSSEC signing first.

  3. On the DNSSEC signing tab, under DNSSEC signing, choose View information to create DS record.

    Note

    If you don't see View information to create DS record in this section, then you must enable DNSSEC signing before you establish the chain of trust. Choose Enable DNSSEC signing and complete the steps, and then return to these steps to establish the chain of trust.

  4. Under Establish a chain of trust, choose either Route 53 registrar or Another domain registrar, depending on where your domain is registered.

  5. Use the provided values to create a DS record for the parent hosted zone in Route 53 or, if your domain is not hosted at Route 53, use the provided values to create a DS record at your domain registrar website.

    Make sure that you configure the correct signing algorithm (ECDSAP256SHA256 and type 13) and digest algorithm (SHA-256 and type 2).

    If Route 53 is your registrar:

    1. Note the Key type, Signing algorithm, and Public key values. In the navigation pane, choose Registered domains.

    2. Select a domain, and then, next to DNSSEC status, choose Manage keys.

    3. In the Manage DNSSEC keys dialog, choose the appropriate Key type and Algorithm for the Route 53 registrar from the dropdown menus.

    4. Copy the Public key for the Route 53 registrar. In the Manage DNSSEC keys dialog, paste the value into the Public key box.

    5. Choose Add.

      Route 53 will add the DS record to the parent zone from the public key. For example, if your domain is example.com, the DS record is added to the .com DNS zone.

  6. Wait for the updates to propagate, based on the TTL for your domain records.

Note

Your new records take time to propagate to the Route 53 DNS servers. Currently, the only way to verify that changes have propagated is to use the GetChange action. Changes generally propagate to all Route 53 name servers within 60 seconds.
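The following is an added example, not code from the Route 53 documentation or from AWS. It shows what the DS record you publish at the parent is made of, so that you can cross-check the values Route 53 displays (or the DS record you later see at the parent zone) against the hosted zone's DNSKEY before and after the change propagates: the DS digest is SHA-256 over the owner name in wire format followed by the DNSKEY RDATA (RFC 4034 section 5.1.4 and RFC 4509), and the key tag is the checksum from RFC 4034 Appendix B. The zone name `example.com` and the base64 public key are constructed placeholders (the key bytes are not a real curve point; a real value is the Public key shown in the console). The algorithm 13 and digest type 2 defaults come from the page; the key tag and digest code is general and works for any DNSKEY algorithm other than 1.

```python
import base64
import hashlib

# DNSSEC constants (RFC 4034, RFC 6605, RFC 4509)
FLAGS_KSK = 257            # Zone Key (256) + Secure Entry Point (1)
PROTOCOL = 3               # always 3 for DNSSEC
ALG_ECDSAP256SHA256 = 13   # the signing algorithm Route 53 uses (page: "type 13")
DIGEST_SHA256 = 2          # the DS digest type Route 53 uses (page: "type 2")

# Constructed placeholder: 64 arbitrary bytes standing in for the X||Y point of a
# P-256 key. It is NOT a real key; substitute the Public key value from the console.
CONSTRUCTED_PUBLIC_KEY = base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ending with the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(public_key_b64: str, flags: int = FLAGS_KSK,
                 algorithm: int = ALG_ECDSAP256SHA256) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(zone: str, public_key_b64: str, flags: int = FLAGS_KSK,
              algorithm: int = ALG_ECDSAP256SHA256) -> dict:
    """Compute the DS RDATA fields for a DNSKEY: digest = SHA-256(owner | DNSKEY RDATA)."""
    rdata = dnskey_rdata(public_key_b64, flags, algorithm)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": digest}


def ds_presentation(zone: str, public_key_b64: str) -> str:
    """DS record in presentation format: '<keytag> <alg> <digesttype> <digest>'."""
    ds = ds_record(zone, public_key_b64)
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(zone: str, public_key_b64: str, published_ds: str) -> bool:
    """Check that a DS record seen at the parent (presentation format, digest possibly
    split over several whitespace-separated groups as some tools print it) is the one
    derived from the child's DNSKEY. Any field mismatch means the chain of trust is
    broken and validating resolvers will return SERVFAIL for the zone."""
    tag, alg, dtype, *digest_parts = published_ds.split()
    computed = ds_record(zone, public_key_b64)
    return (int(tag) == computed["key_tag"]
            and int(alg) == computed["algorithm"]
            and int(dtype) == computed["digest_type"]
            and "".join(digest_parts).upper() == computed["digest"])


def sample_ds_presentation() -> str:
    """DS record for the constructed sample key under example.com."""
    return ds_presentation("example.com", CONSTRUCTED_PUBLIC_KEY)


if __name__ == "__main__":
    # Prints the record to publish at the parent, in the form 'example.com. IN DS ...'
    print(f"example.com. IN DS {sample_ds_presentation()}")
```

To use it with a real hosted zone, replace `CONSTRUCTED_PUBLIC_KEY` with the Public key value from the DNSSEC signing tab and compare the output with the DS record Route 53 shows under "View information to create DS record"; once the parent has the record, the same comparison against the DS record served by the parent zone confirms the chain of trust is intact. A key tag, algorithm, or digest that differs from the computed one is the usual sign of a DS record that was entered with the wrong algorithm or digest type.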

Enabling DNSSEC signing with an existing KSK

If you already have at least one key-signing key (KSK), you can enable DNSSEC signing for a hosted zone using an existing KSK. Follow these steps to enable DNSSEC signing in this scenario.

To enable DNSSEC signing with an existing KSK

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones, and then choose a hosted zone that you want to enable DNSSEC signing for.

  3. On the DNSSEC signing tab, choose Enable DNSSEC signing.

    Note

    If the option in this section is Disable DNSSEC signing, you have already completed the first step in enabling DNSSEC signing. Be sure that you establish, or that there already exists, a chain of trust for the hosted zone for DNSSEC, and then you're done. For more information, see Establishing a chain of trust.

  4. Under KSK, choose Use the active KSK or Create a new KSK.

  5. If you choose to create a new KSK, enter the alias for a customer managed key that applies to DNSSEC signing, or enter an alias for a new customer managed key.

    Note

    If you choose to have Route 53 create a customer managed key, be aware that separate charges apply for each customer managed key. For more information, see AWS Key Management Service pricing.

  6. Choose Enable DNSSEC signing.