DeactivateKeySigningKey
Deactivates a key-signing key (KSK) so that it will not be used for signing by DNSSEC.
This operation changes the KSK status to INACTIVE.
Request Syntax
POST /2013-04-01/keysigningkey/HostedZoneId/Name/deactivate HTTP/1.1
URI Request Parameters
The request uses the following URI parameters.
- HostedZoneId
  A unique string used to identify a hosted zone.
  Length Constraints: Maximum length of 32.
  Required: Yes
- Name
  A string used to identify a key-signing key (KSK).
  Length Constraints: Minimum length of 3. Maximum length of 128.
  Required: Yes
Request Body
The request does not have a request body.
Response Syntax
HTTP/1.1 200
<?xml version="1.0" encoding="UTF-8"?>
<DeactivateKeySigningKeyResponse>
   <ChangeInfo>
      <Comment>string</Comment>
      <Id>string</Id>
      <Status>string</Status>
      <SubmittedAt>timestamp</SubmittedAt>
   </ChangeInfo>
</DeactivateKeySigningKeyResponse>
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in XML format by the service.
- DeactivateKeySigningKeyResponse
  Root level tag for the DeactivateKeySigningKeyResponse parameters.
  Required: Yes
- ChangeInfo
  A complex type that describes change information about changes made to your hosted zone.
  Type: ChangeInfo object
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConcurrentModification
  Another user submitted a request to create, update, or delete the object at the same time that you did. Retry the request.
  HTTP Status Code: 400
- InvalidInput
  The input is not valid.
  HTTP Status Code: 400
- InvalidKeySigningKeyStatus
  The key-signing key (KSK) status isn't valid or another KSK has the status INTERNAL_FAILURE.
  HTTP Status Code: 400
- InvalidSigningStatus
  Your hosted zone status isn't valid for this operation. In the hosted zone, change the status to enable DNSSEC or disable DNSSEC.
  HTTP Status Code: 400
- KeySigningKeyInParentDSRecord
  The key-signing key (KSK) is specified in a parent DS record.
  HTTP Status Code: 400
- KeySigningKeyInUse
  The key-signing key (KSK) that you specified can't be deactivated because it's the only KSK for a currently-enabled DNSSEC. Disable DNSSEC signing, or add or enable another KSK.
  HTTP Status Code: 400
- NoSuchKeySigningKey
  The specified key-signing key (KSK) doesn't exist.
  HTTP Status Code: 404
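Added example (not from the AWS documentation or an AWS SDK): a client-side helper that checks the two URI parameters against the length constraints above, builds the request path, parses ChangeInfo out of a response body, and marks which of the listed errors the page says to retry. The function names, SAMPLE_RESPONSE and the values inside it are constructed for illustration; the code does not sign or send the request.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Error names and HTTP status codes exactly as listed on this page.
ERRORS = {
    "ConcurrentModification": 400, "InvalidInput": 400,
    "InvalidKeySigningKeyStatus": 400, "InvalidSigningStatus": 400,
    "KeySigningKeyInParentDSRecord": 400, "KeySigningKeyInUse": 400,
    "NoSuchKeySigningKey": 404,
}
RETRYABLE = {"ConcurrentModification"}  # the only error the page says to retry

# Constructed sample body in the shape of the Response Syntax section.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<DeactivateKeySigningKeyResponse>
<ChangeInfo><Id>/change/C0EXAMPLE</Id><Status>PENDING</Status>
<SubmittedAt>2024-01-01T00:00:00Z</SubmittedAt></ChangeInfo>
</DeactivateKeySigningKeyResponse>"""

def build_deactivate_path(hosted_zone_id, name):
    """Validate the URI parameters, then return the request path."""
    if not hosted_zone_id or len(hosted_zone_id) > 32:
        raise ValueError("HostedZoneId: required, maximum length 32")
    if not 3 <= len(name) <= 128:
        raise ValueError("Name: length must be 3 to 128")
    # safe="" percent-encodes '/' so a value cannot add or change path segments
    return "/2013-04-01/keysigningkey/%s/%s/deactivate" % (
        quote(hosted_zone_id, safe=""), quote(name, safe=""))

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}ChangeInfo'."""
    return tag.rsplit("}", 1)[-1]

def parse_change_info(body):
    """Return the ChangeInfo children of a 200 response as a dict."""
    root = ET.fromstring(body)
    if _local(root.tag) != "DeactivateKeySigningKeyResponse":
        raise ValueError("unexpected root element: " + _local(root.tag))
    info = next((e for e in root if _local(e.tag) == "ChangeInfo"), None)
    if info is None:
        raise ValueError("ChangeInfo element missing")
    return {_local(e.tag): (e.text or "").strip() for e in info}

def classify_error(code):
    """Return (http_status, retryable) for an error name listed above."""
    if code not in ERRORS:
        raise KeyError("error not listed on this page: " + code)
    return ERRORS[code], code in RETRYABLE
```

KeySigningKeyInParentDSRecord and KeySigningKeyInUse are deliberately not retryable here: both describe zone state that has to change before the call can succeed.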