You can sign your Route 53 hosted zone with DNSSEC, but it’s not a simple on/off switch; it’s a process that involves key generation, delegation, and careful validation.

Let’s see this in action. Imagine you have a domain, example.com, and you want to secure its DNS records using DNSSEC. First, you’ll need to enable DNSSEC signing for your Route 53 hosted zone.

aws route53 create-hosted-zone --name example.com --caller-reference 20231027001 --hosted-zone-config Comment="My signed zone"

This command creates the hosted zone. Enabling DNSSEC signing is not done with the change-tags-for-resource API call (that only tags the resource). Instead, you'll first need to create a Key Signing Key (KSK), backed by an asymmetric KMS key, and a Zone Signing Key (ZSK) within Route 53.

aws route53 create-key-signing-key --hosted-zone-id Z1XXXXXXXXXXXX --key-management-service-arn arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-e5f6-7890-1234-567890abcdef --name example-com-ksk --status ACTIVE --caller-reference example-com-ksk-ref

Once the KSK and ZSK are created, Route 53 automatically starts signing your zone. The KSK is used to sign the ZSK, and the ZSK is used to sign your actual DNS records (like A, MX, CNAME, etc.). This creates a chain of trust.

The crucial part is the delegation. Route 53 provides you with the DS (Delegation Signer) record information for your KSK. You must take this information and publish it with your domain registrar. This is how the rest of the internet knows to trust the signature generated by Route 53 for example.com.

For example, the DS record might look something like this (you get the specific values from Route 53):

  • Key Tag: 12345
  • Algorithm: 13 (ECDSAP256SHA256)
  • Digest Type: 2 (SHA-256)
  • Digest: a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef

You’d go to your registrar (e.g., GoDaddy, Namecheap) and find the DNSSEC management section for example.com. There, you’d add a DS record with these exact values. Without this step, DNSSEC won’t be fully functional, and resolvers won’t be able to validate your zone’s authenticity.
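Because the registrar form must carry exactly the values Route 53 reports, it is worth checking that a DS record (key tag, algorithm 13, digest type 2, digest) really is the one derived from the KSK's DNSKEY before you paste it, and again against what `dig DS example.com` returns once the parent publishes it. The following is an added example (not Route 53's or AWS's code): it derives the DS from a DNSKEY in presentation form per RFC 4034 and compares it with a DS you were given. The 64-byte all-0x01 public key and the `parse_dnskey` helper are constructed assumptions, not a real key.

```python
import base64
import hashlib
import struct

# Constructed stand-in for an ECDSAP256SHA256 public key (64 bytes); NOT a real key.
SAMPLE_PUBKEY = base64.b64encode(b"\x01" * 64).decode()


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased and fully qualified (RFC 4034 s.6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' (the DNSKEY text form)."""
    flags, proto, alg, *key = text.split()
    return int(flags), int(proto), int(alg), "".join(key)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the legacy RSA/MD5 case)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # high byte of each 16-bit word first
    acc += (acc >> 16) & 0xFFFF         # fold the carry back in
    return acc & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """DS fields with digest type 2 (SHA-256 over owner-wire || DNSKEY RDATA), RFC 4034 s.5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_matches(expected: dict, owner: str, dnskey_text: str) -> bool:
    """True only if every field of the DS you were given matches the DS derived from the DNSKEY."""
    got = compute_ds(owner, *parse_dnskey(dnskey_text))
    return all(str(got[k]).lower() == str(expected.get(k, "")).lower() for k in got)


if __name__ == "__main__":
    dnskey = f"257 3 13 {SAMPLE_PUBKEY}"
    ds = compute_ds("example.com", *parse_dnskey(dnskey))
    print("Derived DS:", ds)
    print("Matches itself:", ds_matches(ds, "example.com", dnskey))
```

If the check is False against the registrar's copy, the usual culprits are a digest truncated or typed with a character missing, or a DS from an older, already-deleted KSK.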

Route 53 manages the KSK and ZSK rotation automatically. The KSK typically rotates annually, and the ZSK rotates every few months. This ensures that your keys don’t expire unexpectedly and compromise your DNS resolution. You can check the status of your DNSSEC signing and key rotation within the Route 53 console.

The system handles the generation of RRSIG (Resource Record Set Signature) records for all your existing DNS records and automatically generates new RRSIG records as you add or modify records. NSEC (Next Secure) or NSEC3 (Next Secure 3) records are also automatically generated to prove the absence of records.

The real power comes from the fact that resolvers can follow the chain of trust from the root zone, down through your TLD (.com, .org, etc.), and finally to your domain’s DS record, which points to your KSK in Route 53. This allows them to verify that the DNS responses they receive for example.com are indeed authentic and haven’t been tampered with.

The most counterintuitive aspect of DNSSEC with Route 53 is how it interacts with DNSSEC-unaware registrars. If your registrar doesn’t support DNSSEC, you simply cannot publish the DS record, and thus cannot complete the DNSSEC chain of trust. This means even if Route 53 is signing your zone perfectly, the internet at large won’t be able to validate it.

Once you’ve successfully enabled DNSSEC signing and published your DS records, the next challenge is monitoring and troubleshooting validation failures, which can manifest as SERVFAIL errors for your domain.
