Working with customer managed keys for DNSSEC - Amazon Route 53


When you enable DNSSEC signing for a hosted zone in Amazon Route 53, Route 53 creates a key-signing key (KSK) for you. The KSK is backed by a customer managed key in AWS Key Management Service (AWS KMS) that meets the DNSSEC requirements: the private key stays inside AWS KMS, and Route 53 calls AWS KMS to produce signatures with it. This section describes the details and requirements for that customer managed key that are helpful to know as you work with DNSSEC.

Keep the following in mind when you work with customer managed keys for DNSSEC:

  • The customer managed key that you use with DNSSEC signing must be in the US East (N. Virginia) Region (us-east-1), regardless of where you manage the hosted zone from.

  • The customer managed key must be an asymmetric customer managed key with an ECC_NIST_P256 key spec and a key usage of SIGN_VERIFY; these customer managed keys are used only for signing and verification, not for encryption. For help creating an asymmetric customer managed key, see Creating asymmetric customer managed keys in the AWS Key Management Service Developer Guide. For help finding the cryptographic configuration (key spec and key usage) of an existing customer managed key, see Viewing the cryptographic configuration of customer managed keys in the AWS Key Management Service Developer Guide.

  • If you create a customer managed key yourself to use with DNSSEC in Route 53, you must include specific key policy statements that give the Route 53 service the required permissions. Route 53 must be able to access your customer managed key so that it can create a KSK for you and sign with it. For more information, see Route 53 customer managed key permissions required for DNSSEC signing.

  • Route 53 can create a customer managed key for you in AWS KMS to use with DNSSEC signing without additional AWS KMS permissions. However, your IAM principal must have specific permissions if you want to edit the key after it's created: kms:UpdateKeyDescription, kms:UpdateAlias, and kms:PutKeyPolicy.

  • Be aware that separate AWS KMS charges apply for each customer managed key that you have, whether you create the customer managed key or Route 53 creates it for you. For more information, see AWS Key Management Service pricing.
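As an added example (not code from the Route 53 documentation), the following Python builds a key policy with the statements Route 53 needs and then pre-flight-checks a key against the requirements above (Region, key spec, key usage, key state, and the Route 53 grant) using the JSON shapes that the AWS KMS DescribeKey and GetKeyPolicy APIs return. The service principal dnssec-route53.amazonaws.com and the actions kms:DescribeKey, kms:GetPublicKey, kms:Sign and kms:CreateGrant are taken from the permissions page linked above as this editor recalls it and should be verified there; the account ID, key IDs, and admin principal ARN are constructed placeholders.

```python
"""Pre-flight checks for an AWS KMS key intended for Route 53 DNSSEC signing.

Added example, not code from the Route 53 documentation. It runs offline on
the constructed samples below, or on the output of
`aws kms describe-key` and `aws kms get-key-policy --policy-name default`.
"""
import fnmatch
import json

# Requirements stated on the page.
REQUIRED_REGION = "us-east-1"        # US East (N. Virginia)
REQUIRED_KEY_SPEC = "ECC_NIST_P256"
REQUIRED_KEY_USAGE = "SIGN_VERIFY"

# Route 53 DNSSEC service principal and the KMS actions it needs.
# Assumption: matches the linked "permissions required for DNSSEC signing"
# page; verify against that page before relying on it.
ROUTE53_DNSSEC_PRINCIPAL = "dnssec-route53.amazonaws.com"
REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:CreateGrant"}


def dnssec_key_policy(account_id: str, admin_principal_arn: str) -> dict:
    """Return a key policy that lets Route 53 create a KSK from the key.

    admin_principal_arn (a placeholder) keeps full control of the key; KMS
    rejects a policy that would leave nobody able to administer the key.
    The SourceAccount/SourceArn conditions stop another account's hosted
    zone from using this key through the Route 53 service principal.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {"AWS": admin_principal_arn},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow Route 53 DNSSEC Service",
                "Effect": "Allow",
                "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
                "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"},
                },
            },
            {
                "Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
                "Effect": "Allow",
                "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
                "Action": ["kms:CreateGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _route53_allowed_actions(policy: dict) -> set:
    """Actions that Allow statements grant to the Route 53 DNSSEC principal."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and ROUTE53_DNSSEC_PRINCIPAL in services:
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def check_dnssec_key(key_metadata: dict, policy: dict) -> list:
    """Return findings (empty list means the key meets every requirement).

    key_metadata is the "KeyMetadata" object from DescribeKey; policy is the
    parsed default key policy. Each finding starts with a short tag.
    """
    findings = []
    parts = key_metadata.get("Arn", "").split(":")   # arn:aws:kms:<region>:<acct>:key/<id>
    region = parts[3] if len(parts) > 3 else ""
    if region != REQUIRED_REGION:
        findings.append(f"region: key is in {region or 'unknown'}, must be {REQUIRED_REGION}")
    spec = key_metadata.get("KeySpec") or key_metadata.get("CustomerMasterKeySpec")
    if spec != REQUIRED_KEY_SPEC:
        findings.append(f"key-spec: {spec}, must be {REQUIRED_KEY_SPEC}")
    if key_metadata.get("KeyUsage") != REQUIRED_KEY_USAGE:
        findings.append(f"key-usage: {key_metadata.get('KeyUsage')}, must be {REQUIRED_KEY_USAGE}")
    if key_metadata.get("KeyState") != "Enabled":
        findings.append(f"key-state: {key_metadata.get('KeyState')}, must be Enabled")
    granted = _route53_allowed_actions(policy)
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(fnmatch.fnmatchcase(a, p) for p in granted))
    if missing:
        findings.append(f"policy: {ROUTE53_DNSSEC_PRINCIPAL} is not allowed {', '.join(missing)}")
    return findings


# Constructed samples (placeholder account and key IDs, not real resources).
ADMIN_ARN = "arn:aws:iam::111122223333:role/KmsAdmin"
GOOD_KEY = {
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled", "KeyUsage": "SIGN_VERIFY", "KeySpec": "ECC_NIST_P256",
}
BAD_KEY = {  # wrong Region, an encryption key, and (below) a policy with no Route 53 grant
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/abcd1234-ab12-cd34-ef56-abcdef123456",
    "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "RSA_2048",
}

if __name__ == "__main__":
    print(json.dumps(dnssec_key_policy("111122223333", ADMIN_ARN), indent=2))
    print("good key:", check_dnssec_key(GOOD_KEY, dnssec_key_policy("111122223333", ADMIN_ARN)))
    print("bad key:", check_dnssec_key(BAD_KEY, {"Version": "2012-10-17", "Statement": []}))
```

To use it on a real key, pass the `KeyMetadata` object from `aws kms describe-key --key-id <id> --region us-east-1` and the parsed `Policy` string from `aws kms get-key-policy --key-id <id> --policy-name default`; the policy the function builds can be saved to a file and supplied to `aws kms create-key --key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY --region us-east-1 --policy file://policy.json`. Anything the checker reports should be fixed before you enable signing, since Route 53 has to be able to read and sign with the key to create the KSK.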