ZoneSigningOptions

class aws_cdk.aws_route53.ZoneSigningOptions(*, kms_key, key_signing_key_name=None)

Bases: object

Options for enabling key signing from a hosted zone.

Parameters:
  • kms_key (IKey) – The customer-managed KMS key that will be used to sign the records. The KMS key must be unique for each KSK within a hosted zone. Additionally, the KMS key must be an asymmetric customer-managed key using the ECC_NIST_P256 algorithm.

  • key_signing_key_name (Optional[str]) – The name for the key signing key. This name must be unique within a hosted zone. Default: an autogenerated name

Example:

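from aws_cdk import aws_kms as kms, aws_route53 as route53

# Runs inside a Stack or Construct, where `self` is the scope.
# Asymmetric customer-managed key with the spec required for DNSSEC signing
kms_key = kms.Key(self, "KmsCMK",
    key_spec=kms.KeySpec.ECC_NIST_P256,
    key_usage=kms.KeyUsage.SIGN_VERIFY
)
hosted_zone = route53.HostedZone(self, "HostedZone",
    zone_name="example.com"
)
# Enable DNSSEC signing for the zone
hosted_zone.enable_dnssec(kms_key=kms_key)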

Attributes

key_signing_key_name

The name for the key signing key.

This name must be unique within a hosted zone.

Default:

an autogenerated name

kms_key

The customer-managed KMS key that will be used to sign the records.

The KMS key must be unique for each KSK within a hosted zone. Additionally, the KMS key must be an asymmetric customer-managed key using the ECC_NIST_P256 algorithm.

See:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-cmk-requirements.html
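
The constraints on kms_key and key_signing_key_name described above can be checked before a deployment. The following is an added example, not part of the CDK library or its documentation: the function name, the plan format and the finding labels are hypothetical, the key metadata uses the field names of the KMS DescribeKey "KeyMetadata" structure, and the ARNs and KSK names are constructed sample values.

```python
from collections import Counter

# Constructed sample data: ARNs, account id and KSK names are made up.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE_KEYS = {  # ARN -> subset of KMS DescribeKey "KeyMetadata"
    KEY_A: {"KeyManager": "CUSTOMER", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"},
    KEY_B: {"KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"},
}
SAMPLE_KSKS = [  # hypothetical plan format: one entry per KSK in the zone
    {"name": "ksk_primary", "kms_key_arn": KEY_A},
    {"name": "ksk_standby", "kms_key_arn": KEY_A},  # reuses KEY_A
    {"name": "ksk_legacy", "kms_key_arn": KEY_B},   # wrong key spec
]


def check_zone_ksks(ksks, key_metadata):
    """Return (ksk_name, finding) tuples for the planned KSKs of one hosted zone."""
    findings = []
    names = Counter(k["name"] for k in ksks)
    arns = Counter(k["kms_key_arn"] for k in ksks)
    for ksk in ksks:
        name, arn = ksk["name"], ksk["kms_key_arn"]
        # The KSK name must be unique within the hosted zone.
        if names[name] > 1:
            findings.append((name, "duplicate-ksk-name"))
        # Each KSK in the zone needs its own KMS key.
        if arns[arn] > 1:
            findings.append((name, "kms-key-shared-between-ksks"))
        meta = key_metadata.get(arn)
        if meta is None:
            findings.append((name, "kms-key-metadata-missing"))
            continue
        # Customer-managed, asymmetric ECC_NIST_P256 key used for signing.
        if meta.get("KeyManager") != "CUSTOMER":
            findings.append((name, "not-customer-managed"))
        if meta.get("KeySpec") != "ECC_NIST_P256":
            findings.append((name, "key-spec-not-ECC_NIST_P256"))
        if meta.get("KeyUsage") != "SIGN_VERIFY":
            findings.append((name, "key-usage-not-SIGN_VERIFY"))
    return findings


if __name__ == "__main__":
    for name, finding in check_zone_ksks(SAMPLE_KSKS, SAMPLE_KEYS):
        print(f"{name}: {finding}")
```

An empty list means every planned KSK satisfies the constraints listed on this page.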