AWS Route53 DNSSEC

Description

In December 2020 AWS announced DNSSEC support for Route 53.

This feature lets you enable DNSSEC signing for all existing and new public hosted zones, and enable DNSSEC validation for the Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS. Once enabled, Route 53 cryptographically signs each record in the hosted zone and manages the zone-signing key (ZSK) and key-signing key (KSK) in AWS Key Management Service (AWS KMS).

Configs

1. Enable DNSSEC signing

In the Route 53 console, select the DNSSEC signing tab, then click Enable DNSSEC signing.

2. KSK creation

Route 53 will create the KSK based on a KMS customer managed key (CMK). Provide a name for the new KSK and the CMK details (you can create a new CMK or use an existing one).

3. Chain of Trust (#1)

Select View information to create DS record to establish the chain of trust.

4. Chain of Trust (#2)

In the Route 53 console, capture the following parameters:

  • key type
  • signing algorithm
  • public key

5. Key Management (#1)

Go back to Registered domains and click your domain to display its details.

6. Key Management (#2)

Go to the DNSSEC status area and click Manage keys.

7. Key Management (#3)

Add a new key using the data captured in step 4.

Test Area

8. DNSSEC Route 53 notification

In the Route 53 console, check the notifications related to your domain. You should see one stating that the DNSSEC key has been added successfully.

9. Confirm DNSSEC deployment using external tools (#1)

Verify the DNSSEC configuration using dnssec-analyzer.verisignlabs.com

10. Confirm DNSSEC deployment using external tools (#2)

Verify the DNSSEC configuration using dnsviz.net/
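The DS record that steps 3, 4 and 7 move from the hosted zone to the registrar is derived from the KSK's public key, and the check that the external analyzers in steps 9 and 10 perform is that the parent's DS really was derived from the child's DNSKEY. The script below, an added example that is not part of the original post and not AWS code, computes the RFC 4034 key tag and the SHA-256 DS record for a DNSKEY and then performs that parent-to-child match; it assumes the algorithm and flag values shown (257 for a KSK, algorithm 13 for ECDSA P-256/SHA-256), and the public key it uses is a short constructed placeholder, not a real Route 53 KSK, so the resulting DS is only illustrative.

```python
# Added example (not from the original post): compute the RFC 4034 key tag and
# SHA-256 DS record for a DNSKEY, and check a parent-side DS against a
# child-side DNSKEY the way dnsviz / the Verisign analyzer do.
import base64
import hashlib

KSK_FLAGS = 257              # ZONE (256) + SEP (1) bits: a Key Signing Key
ZSK_FLAGS = 256              # ZONE bit only: a Zone Signing Key
DNSKEY_PROTOCOL = 3          # always 3 for DNSKEY (RFC 4034 section 2.1.2)
ALG_ECDSAP256SHA256 = 13     # signing algorithm Route 53 uses for its KSKs
DS_DIGEST_SHA256 = 2         # DS digest type 2 = SHA-256

# Constructed placeholder public key (4 bytes), NOT a real key.
CONSTRUCTED_PUBLIC_KEY_B64 = base64.b64encode(b"\x00\x01\x02\x03").decode()


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, public_key_b64: str) -> str:
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'.

    Per RFC 4034 section 5.1.4 the digest covers the canonical owner name
    followed by the full DNSKEY RDATA.
    """
    pub = base64.b64decode(public_key_b64)
    rdata = dnskey_rdata(flags, DNSKEY_PROTOCOL, algorithm, pub)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest}"


def ds_matches_dnskey(owner: str, ds_text: str, flags: int, algorithm: int,
                      public_key_b64: str) -> bool:
    """True when the parent's DS record was derived from this child DNSKEY.

    A mismatch here is what a broken chain of trust looks like in the
    analyzers: the parent vouches for a key the child does not publish.
    """
    expected = ds_record(owner, flags, algorithm, public_key_b64).split()
    actual = [token.upper() for token in ds_text.split()]
    return actual == expected


if __name__ == "__main__":
    ds = ds_record("example.com", KSK_FLAGS, ALG_ECDSAP256SHA256, CONSTRUCTED_PUBLIC_KEY_B64)
    print("DS to publish at the registrar:", ds)
    # A DS built from a different key (here: same bytes, but ZSK flags) must not match.
    print("chain of trust OK:",
          ds_matches_dnskey("example.com", ds, KSK_FLAGS, ALG_ECDSAP256SHA256,
                            CONSTRUCTED_PUBLIC_KEY_B64))
    print("wrong key accepted:",
          ds_matches_dnskey("example.com", ds, ZSK_FLAGS, ALG_ECDSAP256SHA256,
                            CONSTRUCTED_PUBLIC_KEY_B64))
```

To use it against a real zone, paste the base64 public key and signing algorithm captured in step 4 into `ds_record()` and compare the output with the DS value the Route 53 console displays and with the one your registrar shows; the key tag in the first field is also the number the analyzers report for each DNSKEY, which makes it easy to spot which key a failing link refers to.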

me@radkowski.pro