Route53 1 Flashcards
DNSSEC with Route53
How do you set up the DNSSEC keys in KMS?
Create a single, asymmetric keypair (KSK)
DNSSEC with Route53
What’s the big limitation/caveat for creating the KSK in KMS?
Has to be in us-east-1
DNSSEC with Route53
How do you create the ZSK in KMS?
You don’t. Handled internally by Route53
DNSSEC with Route53
Now that you have a ZSK, how do you format the RRSIG record?
You don’t. Maintained by AWS for you.
DNSSEC with Route53
How does AWS add trust in the parent DNS domain?
You do this manually yourself
DNSSEC with Route53
How is the trust established with parent domain?
If it’s an AWS-hosted zone, just click a button in the console. If not, take the public KSK to the registrar manually.
DNSSEC with Route53
What other AWS service do you need to use when turning on DNSSEC?
CloudWatch Alarm on “DNSSECKeySigningKeysNeedingAction”
DNSSEC with Route53
Just completed all the DNSSEC setup steps. Now clients are failing. What’s up?
It could take hours for an external registrar to propagate the change, or maybe you didn’t wait out the TTL of the existing (non-DNSSEC) records.
DNSSEC with Route53
How do you use DNSSEC with VPCs?
Turn on DNSSEC validation for the VPC, using a Route53 zone that supports DNSSEC.
DNSSEC with Route53
What does DNSSEC Validation actually do in a VPC?
It won’t return records that fail DNSSEC validation.