Route53 DNSSEC Configuration

Overview


DNSSEC stands for DNS Security Extensions and was developed by the IETF.
DNSSEC adds digital signatures to DNS records to ensure that response records are generated by legitimate administrators and that they have not been tampered with. It is an effective countermeasure against DNS spoofing, as typified by DNS cache poisoning.

AWS Route 53 supports DNSSEC. The following is a step-by-step guide to setting up DNSSEC.




Before DNSSEC signing

Check the status of DNSSEC signing in the DNSSEC Analyzer. If the zone has no digital signatures, red symbols are displayed.


DNSSEC settings

  1. Open the Route 53 Console.

  2. Choose Hosted Zones in the left pane.

  3. Choose the target Domain name.

  4. Choose DNSSEC signing tab.

  5. Choose Enable DNSSEC signing on the right side of the screen.


  6. Create KSK.

    • Enter KSK name.
    • Choose Create customer managed CMK.
    • Enter CMK name.
    • Choose Create KSK and enable signing.

  7. After a few moments, the message "DNSSEC signing was successfully enabled." appears at the top of the screen.

  8. Choose View information to create DS record on the right side of the screen.


  9. The Establish a chain of trust panel is displayed. Note the following items:

    • Flags
    • Signing algorithm
    • Public key

  10. Choose Registered domains in the left pane.

  11. Choose the target Domain name.


  12. Choose Manage Keys on the right side of the screen.


  13. Enter the Key type, Algorithm, and Public key noted in step 9, and choose Add.


  14. A message is displayed that the request was successfully submitted, and an email is also sent.

  15. After a few moments, the DNSSEC status no longer shows Disabled.
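The chain of trust established in steps 9 to 13 only validates if the DS record the registrar publishes is derived from exactly the KSK DNSKEY that Route 53 serves. The following added example (not part of the original guide or of any AWS tooling) recomputes the DS record from the Flags, Signing algorithm and Public key shown in the console and compares it with the DS the registrar published; the zone name, flags, algorithm number and 4-byte "public key" are constructed placeholders (13 is the IANA number for ECDSAP256SHA256).

```python
"""Recompute a DS record from a KSK's DNSKEY fields and compare it with the
DS published at the registrar (key tag per RFC 4034 Appendix B, SHA-256
digest type 2 per RFC 4509). Standard library only."""
import base64
import hashlib


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the zone name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return (flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(zone: str, flags: int, algorithm: int, public_key_b64: str) -> str:
    """DS RDATA as presentation text: '<key tag> <algorithm> 2 <SHA-256 hex>'."""
    rdata = dnskey_rdata(flags, algorithm, public_key_b64)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(zone: str, flags: int, algorithm: int, public_key_b64: str,
               registrar_ds: str) -> bool:
    """True only if the registrar's DS is exactly the one derived from this KSK.
    Any mismatch (wrong flags, algorithm or key) makes validating resolvers
    reject the whole zone once the DS is published."""
    expected = ds_record(zone, flags, algorithm, public_key_b64).split()
    return expected == registrar_ds.upper().split()


if __name__ == "__main__":
    # Constructed values: the key is a 4-byte placeholder, not a real P-256 key.
    ZONE, FLAGS, ALG, KEY = "example.com", 257, 13, "AQIDBA=="
    print(ds_record(ZONE, FLAGS, ALG, KEY))
```

Paste the DS shown in the registrar's key list as `registrar_ds`; a `False` result before step 15 completes means the wrong key material was entered in step 13.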


After DNSSEC signing

Check the status of DNSSEC signing again in the DNSSEC Analyzer. After DNSSEC has been set up, all symbols are now green.
