CreateKeySigningKey
Creates a new key-signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
Request Syntax
POST /2013-04-01/keysigningkey HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<CreateKeySigningKeyRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
   <CallerReference>string</CallerReference>
   <HostedZoneId>string</HostedZoneId>
   <KeyManagementServiceArn>string</KeyManagementServiceArn>
   <Name>string</Name>
   <Status>string</Status>
</CreateKeySigningKeyRequest>
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in XML format.
- CreateKeySigningKeyRequest
  Root level tag for the CreateKeySigningKeyRequest parameters.
  Required: Yes
- CallerReference
  A unique string that identifies the request.
  Type: String
  Length Constraints: Minimum length of 1. Maximum length of 128.
  Required: Yes
- HostedZoneId
  The unique string (ID) used to identify a hosted zone.
  Type: String
  Length Constraints: Maximum length of 32.
  Required: Yes
- KeyManagementServiceArn
  The Amazon resource name (ARN) for a customer managed key in AWS Key Management Service (AWS KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of a KeyManagementServiceArn key policy that grants the correct permissions for DNSSEC, see the Examples section. You must configure the customer managed key as follows:
  - Status: Enabled
  - Key spec: ECC_NIST_P256
  - Key usage: Sign and verify
  - Key policy: The key policy must give permission for the following actions:
    - DescribeKey
    - GetPublicKey
    - Sign
    The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
    "Service": "dnssec-route53.amazonaws.com"
  For more information about working with a customer managed key in AWS KMS, see AWS Key Management Service concepts.
  Type: String
  Required: Yes
- Name
  A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.
  Type: String
  Length Constraints: Minimum length of 3. Maximum length of 128.
  Required: Yes
- Status
  A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.
  Type: String
  Length Constraints: Minimum length of 5. Maximum length of 150.
  Required: Yes
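The constraints listed for the request elements, applied on the client before a request is sent, as an added example (not code from the Route 53 documentation or an AWS SDK). The function names, the SAMPLE values, the hosted zone ID and the account number are placeholders constructed for this example; the validator serializes the same body shown under Request Syntax.

```python
"""Validate and serialize a CreateKeySigningKeyRequest body.

Added example; not code from the Route 53 documentation or an AWS SDK.
The constraints come from the request-element descriptions on this page
(lengths, the characters allowed in Name, the two Status values).
"""
import re
import xml.etree.ElementTree as ET

ROUTE53_NS = "https://route53.amazonaws.com/doc/2013-04-01/"
ALLOWED_STATUS = ("ACTIVE", "INACTIVE")
# Name: numbers, letters and underscores only, 3 to 128 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,128}$")


def validate_ksk_request(caller_reference, hosted_zone_id, kms_arn, name, status):
    """Return the documented constraints the parameters violate (empty list when valid)."""
    problems = []
    if not 1 <= len(caller_reference) <= 128:
        problems.append("CallerReference must be 1 to 128 characters")
    if not 1 <= len(hosted_zone_id) <= 32:
        problems.append("HostedZoneId is required and must be at most 32 characters")
    # The page gives no format for the ARN beyond its being an ARN; the prefix
    # check only catches a key ID or alias passed where a full ARN is expected.
    if not kms_arn.startswith("arn:"):
        problems.append("KeyManagementServiceArn must be a full KMS key ARN")
    if not NAME_RE.match(name):
        problems.append("Name must be 3 to 128 letters, numbers or underscores")
    if status not in ALLOWED_STATUS:
        problems.append("Status must be ACTIVE or INACTIVE")
    return problems


def build_ksk_request_xml(caller_reference, hosted_zone_id, kms_arn, name, status):
    """Serialize the body shown under Request Syntax; raises ValueError when invalid."""
    problems = validate_ksk_request(caller_reference, hosted_zone_id, kms_arn, name, status)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("CreateKeySigningKeyRequest", xmlns=ROUTE53_NS)
    for tag, value in (
        ("CallerReference", caller_reference),
        ("HostedZoneId", hosted_zone_id),
        ("KeyManagementServiceArn", kms_arn),
        ("Name", name),
        ("Status", status),
    ):
        ET.SubElement(root, tag).text = value
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


# Constructed sample values: placeholder hosted zone ID, account number and key ID.
SAMPLE = dict(
    caller_reference="ksk-2024-01-15-001",
    hosted_zone_id="Z0000000EXAMPLE",
    kms_arn="arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    name="example_ksk_1",
    status="ACTIVE",
)

if __name__ == "__main__":
    print(build_ksk_request_xml(**SAMPLE))
```

Rejecting a malformed Name or Status locally gives a clearer failure than the generic InvalidKeySigningKeyName or InvalidKeySigningKeyStatus errors listed under Errors, and keeps a bad request from consuming a retry against the ConcurrentModification case.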
Response Syntax
HTTP/1.1 201
Location: Location
<?xml version="1.0" encoding="UTF-8"?>
<CreateKeySigningKeyResponse>
   <ChangeInfo>
      <Comment>string</Comment>
      <Id>string</Id>
      <Status>string</Status>
      <SubmittedAt>timestamp</SubmittedAt>
   </ChangeInfo>
   <KeySigningKey>
      <CreatedDate>timestamp</CreatedDate>
      <DigestAlgorithmMnemonic>string</DigestAlgorithmMnemonic>
      <DigestAlgorithmType>integer</DigestAlgorithmType>
      <DigestValue>string</DigestValue>
      <DNSKEYRecord>string</DNSKEYRecord>
      <DSRecord>string</DSRecord>
      <Flag>integer</Flag>
      <KeyTag>integer</KeyTag>
      <KmsArn>string</KmsArn>
      <LastModifiedDate>timestamp</LastModifiedDate>
      <Name>string</Name>
      <PublicKey>string</PublicKey>
      <SigningAlgorithmMnemonic>string</SigningAlgorithmMnemonic>
      <SigningAlgorithmType>integer</SigningAlgorithmType>
      <Status>string</Status>
      <StatusMessage>string</StatusMessage>
   </KeySigningKey>
</CreateKeySigningKeyResponse>
Response Elements
If the action is successful, the service sends back an HTTP 201 response.
The response returns the following HTTP headers.
- Location
  The unique URL representing the new key-signing key (KSK).
  Length Constraints: Maximum length of 1024.
The following data is returned in XML format by the service.
- CreateKeySigningKeyResponse
  Root level tag for the CreateKeySigningKeyResponse parameters.
  Required: Yes
- ChangeInfo
  A complex type that describes change information about changes made to your hosted zone.
  Type: ChangeInfo object
- KeySigningKey
  The key-signing key (KSK) that the request creates.
  Type: KeySigningKey object
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConcurrentModification
  Another user submitted a request to create, update, or delete the object at the same time that you did. Retry the request.
  HTTP Status Code: 400
- InvalidArgument
  Parameter name is not valid.
  HTTP Status Code: 400
- InvalidInput
  The input is not valid.
  HTTP Status Code: 400
- InvalidKeySigningKeyName
  The key-signing key (KSK) name that you specified isn't a valid name.
  HTTP Status Code: 400
- InvalidKeySigningKeyStatus
  The key-signing key (KSK) status isn't valid or another KSK has the status INTERNAL_FAILURE.
  HTTP Status Code: 400
- InvalidKMSArn
  The KeyManagementServiceArn that you specified isn't valid to use with DNSSEC signing.
  HTTP Status Code: 400
- InvalidSigningStatus
  Your hosted zone status isn't valid for this operation. In the hosted zone, change the status to enable DNSSEC or disable DNSSEC.
  HTTP Status Code: 400
- KeySigningKeyAlreadyExists
  You've already created a key-signing key (KSK) with this name or with the same customer managed key ARN.
  HTTP Status Code: 409
- NoSuchHostedZone
  No hosted zone exists with the ID that you specified.
  HTTP Status Code: 404
- TooManyKeySigningKeys
  You've reached the limit for the number of key-signing keys (KSKs). Remove at least one KSK, and then try again.
  HTTP Status Code: 400
Examples
KMSArn key policy example
The following is an example of a KeyManagementServiceArn key policy that grants the correct permissions for DNSSEC.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow use of the customer managed key for DNSSEC",
      "Effect": "Allow",
      "Principal": {
        "Service": "dnssec-route53.amazonaws.com"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:GetPublicKey",
        "kms:Sign",
        "kms:Verify"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow full access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567891234:role/admin"
      },
      "Action": "*",
      "Resource": "*"
    }
  ]
}
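A pre-flight check that a KMS key meets the requirements stated under KeyManagementServiceArn (Enabled, ECC_NIST_P256, sign and verify, and a key policy that lets the dnssec-route53.amazonaws.com service principal call DescribeKey, GetPublicKey and Sign), run against the key policy example above. This is an added example, not code from the Route 53 documentation or an AWS SDK; the function names are this example's own, EXAMPLE_POLICY is the policy shown above, and KEY_METADATA is constructed here in the shape of the KeyMetadata structure returned by KMS DescribeKey with placeholder account and key IDs.

```python
"""Check a KMS key against the Route 53 DNSSEC requirements on this page.

Added example; not code from the Route 53 documentation or an AWS SDK.
It encodes the requirements the page states for the customer managed key
(Enabled, key spec ECC_NIST_P256, sign-and-verify usage) and for its key
policy (an Allow for the dnssec-route53.amazonaws.com service principal
covering DescribeKey, GetPublicKey and Sign). EXAMPLE_POLICY is the policy
from the Examples section; KEY_METADATA is constructed in the shape of the
KeyMetadata structure returned by KMS DescribeKey, with placeholder IDs.
"""
import fnmatch

ROUTE53_DNSSEC_PRINCIPAL = "dnssec-route53.amazonaws.com"
REQUIRED_ACTIONS = frozenset({"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"})

# The key policy from the Examples section of this page.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Allow use of the customer managed key for DNSSEC",
            "Effect": "Allow",
            "Principal": {"Service": "dnssec-route53.amazonaws.com"},
            "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:Verify"],
            "Resource": "*",
        },
        {
            "Sid": "Allow full access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::1234567891234:role/admin"},
            "Action": "*",
            "Resource": "*",
        },
    ],
}

# Constructed to mirror the fields of a KMS DescribeKey KeyMetadata result (placeholder IDs).
KEY_METADATA = {
    "KeyId": "00000000-0000-0000-0000-000000000000",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    "KeyState": "Enabled",
    "KeySpec": "ECC_NIST_P256",
    "KeyUsage": "SIGN_VERIFY",
}


def _as_list(value):
    """IAM policy fields may hold one string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _targets_route53(stmt):
    """True if the statement's Principal names the Route 53 DNSSEC service (or everyone)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return (ROUTE53_DNSSEC_PRINCIPAL in _as_list(principal.get("Service"))
                or "*" in _as_list(principal.get("AWS")))
    return False


def route53_kms_actions(policy):
    """Return (allowed, denied): the required actions that Allow/Deny statements grant to
    or withhold from the Route 53 principal. IAM action names are case-insensitive and
    may use * and ? wildcards; Condition blocks are not evaluated by this check."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _targets_route53(stmt):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = {a for a in REQUIRED_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed, denied


def dnssec_key_problems(key_metadata, policy):
    """Return the reasons this key cannot back a KSK (empty list when it is ready)."""
    problems = []
    if key_metadata.get("KeyState") != "Enabled":
        problems.append(f"key state is {key_metadata.get('KeyState')}, must be Enabled")
    if key_metadata.get("KeySpec") != "ECC_NIST_P256":
        problems.append(f"key spec is {key_metadata.get('KeySpec')}, must be ECC_NIST_P256")
    if key_metadata.get("KeyUsage") != "SIGN_VERIFY":
        problems.append(f"key usage is {key_metadata.get('KeyUsage')}, must be SIGN_VERIFY")
    allowed, denied = route53_kms_actions(policy)
    missing = REQUIRED_ACTIONS - (allowed - denied)
    if missing:
        problems.append(f"key policy does not allow {ROUTE53_DNSSEC_PRINCIPAL} to call: "
                        + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for line in dnssec_key_problems(KEY_METADATA, EXAMPLE_POLICY) or ["key is ready for DNSSEC"]:
        print(line)
```

In a live audit the two inputs would come from KMS DescribeKey and GetKeyPolicy for the key named in KeyManagementServiceArn; a key that fails any of these checks is what produces the InvalidKMSArn error listed above. The check deliberately treats a Deny that matches the principal as withholding the action regardless of its Condition, which errs on the side of reporting a problem.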
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: