Route53 1

Question 1

DNSSEC with Route53

How do you set up the DNSSEC keys in KMS?

Answer 1

Create a single, asymmetric keypair (KSK)

Question 2

DNSSEC with Route53

What’s the big limitation/caveat for creating the KSK in KMS?

Answer 2

Has to be in us-east-1

Question 3

DNSSEC with Route53

How do you create the ZSK in KMS?

Answer 3

You don’t. Handled internally by Route53

Question 4

DNSSEC with Route53

Now that you have a ZSK, how do you format the RRSIG record?

Answer 4

You don’t. Maintained by AWS for you.

Question 5

DNSSEC with Route53

How does AWS add trust in the parent DNS domain?

Answer 5

You do this manually yourself

Question 6

DNSSEC with Route53

How is the trust established with parent domain?

Answer 6

If AWS hosted zone, just click a button on the console. If not, take public KSK to Registrar manually.

Question 7

DNSSEC with Route53

What other AWS service do you need to use when turning on DNSSEC?

Answer 7

CloudWatch Alarm on “DNSSECKeySigningKeysNeedingAction”

Question 8

DNSSEC with Route53

Just completed all the DNSSEC setup steps. Now clients are failing. What’s up?

Answer 8

Could take hours for external Registrar to propagate, or maybe didn’t wait for TTL of existing (non-DNSSEC) records.

Question 9

DNSSEC with Route53

How do you use DNSSEC with VPCs?

Answer 9

Turn on DNSSEC Validation for a VPC using Route53 zone that supports DNSSEC

Question 10

DNSSEC with Route53

What does DNSSEC Validation actually do in a VPC?

Answer 10

Won’t return DNSSEC records that fail validation