Route53 1 Flashcards

1
Q

DNSSEC with Route53

How do you set up the DNSSEC keys in KMS?

A

Create a single, asymmetric keypair (KSK)

2
Q

DNSSEC with Route53

What’s the big limitation/caveat for creating the KSK in KMS?

A

Has to be in us-east-1

3
Q

DNSSEC with Route53

How do you create the ZSK in KMS?

A

You don’t. Handled internally by Route53

4
Q

DNSSEC with Route53

Now that you have a ZSK, how do you format the RRSIG record?

A

You don’t. Maintained by AWS for you.

5
Q

DNSSEC with Route53

How does AWS add trust in the parent DNS domain?

A

You do this manually yourself

6
Q

DNSSEC with Route53

How is the trust established with parent domain?

A

If AWS hosted zone, just click a button on the console. If not, take public KSK to Registrar manually.

7
Q

DNSSEC with Route53

What other AWS service do you need to use when turning on DNSSEC?

A

CloudWatch Alarm on “DNSSECKeySigningKeysNeedingAction”

8
Q

DNSSEC with Route53

Just completed all the DNSSEC setup steps. Now clients are failing. What’s up?

A

Could take hours for external Registrar to propagate, or maybe didn’t wait for TTL of existing (non-DNSSEC) records.

9
Q

DNSSEC with Route53

How do you use DNSSEC with VPCs?

A

Turn on DNSSEC Validation for a VPC using Route53 zone that supports DNSSEC

10
Q

DNSSEC with Route53

What does DNSSEC Validation actually do in a VPC?

A

Won’t return DNSSEC records that fail validation
