How to enable DNSSEC Signing in Route53 using AWS CLI

Pragti Chauhan


DNSSEC signing lets validating DNS resolvers verify that a DNS response came from the zone's authoritative source and has not been altered in transit. In Route 53, signing for a public hosted zone is built on a key-signing key (KSK) that is backed by an asymmetric customer managed key (formerly called a customer master key, or CMK) in AWS Key Management Service (AWS KMS). When you enable signing from the console, Route 53 creates the KSK for you; with the AWS CLI, as in this article, you create the KSK yourself and point it at the KMS key. The KSK signs the zone's DNSKEY record set, while Route 53 manages the zone-signing key (ZSK) that signs the remaining records. The setup is completed by publishing a Delegation Signer (DS) record for the zone in its parent zone, which establishes the chain of trust from the parent down to the hosted zone.

DNSSEC gives clients assurance that the records they receive for your zone are the ones you published. A validating resolver rejects responses whose signatures do not verify, so an attacker who spoofs answers or poisons a cache cannot substitute records of their own. Note what DNSSEC does not do: it authenticates and integrity-protects records but does not encrypt queries or responses. Without it, validating clients and security tooling report the zone as unsigned, which can matter for compliance and regulatory requirements and for the trust users place in the service, with customer churn as a possible consequence.

In this article we will take a look at how we can enable DNSSEC signing in Route53 using AWS CLI.

Note: Before you enable DNSSEC signing, read the prerequisites and prepare the zone to minimise the risk of an outage. A DS record at the parent that does not match a key the zone is actually serving makes validating resolvers treat the entire zone as bogus, so lower the TTLs of the zone's records (including the SOA) beforehand and keep them low until you have confirmed that validation succeeds.

Enable DNSSEC signing in Route53 using AWS CLI

Following are the steps to enable DNSSEC signing in Route53 using AWS CLI:

  1. To list the hosted zones in your AWS account, run the following command

    aws route53 list-hosted-zones


  2. To check the DNSSEC signing status for a selected hosted zone, run the following command

    aws route53 get-dnssec --hosted-zone-id <hosted_zone_ID> --query "Status.ServeSignature"


  3. Create a new key-signing key (KSK) and associate it with the Route 53 public hosted zone you want to sign. Before passing a key ARN in the key-management-service-arn parameter, make sure you have created a KMS key that meets the Route 53 requirements: an asymmetric customer managed key with key spec ECC_NIST_P256 and key usage SIGN_VERIFY, created in the US East (N. Virginia) Region (us-east-1), whose key policy allows the dnssec-route53.amazonaws.com service principal to call kms:DescribeKey, kms:GetPublicKey, kms:Sign and kms:CreateGrant. The KSK name must be unique within the hosted zone, and the caller reference is any unique string that makes the request idempotent

    aws route53 create-key-signing-key --region <region_name> --hosted-zone-id <hosted_zone_ID> --name <KSK_name> --status ACTIVE --key-management-service-arn <key_management_service_arn> --caller-reference <caller_reference>


  4. Enable DNSSEC signing for the selected public hosted zone by running the following command

    aws route53 enable-hosted-zone-dnssec --region <region_name> --hosted-zone-id <hosted_zone_ID>


  5. To confirm that the signing status has changed, run the command from step 2 again. ServeSignature moves from NOT_SIGNING to SIGNING once DNSSEC signing is enabled for the hosted zone. If it reports ACTION_NEEDED or INTERNAL_FAILURE instead, Route 53 could not use the KMS key (typically a key policy or key spec problem) and the zone is not being signed

    aws route53 get-dnssec --hosted-zone-id <hosted_zone_ID> --query "Status.ServeSignature"


  6. To complete the setup, establish the chain of trust by publishing the zone's DS record in the parent zone. The DS record is shown in the console on the DNSSEC signing tab of the hosted zone (View information to create DS record), and the CLI returns the same data: the get-dnssec output from step 2, without the --query filter, lists each KSK with its DSRecord, DNSKEYRecord and KeyTag fields. Publish the DS record at your registrar if the parent is the registry for the domain, or as a DS record in the parent hosted zone if you control that zone too. Before publishing, confirm that the zone is already serving DNSKEY records and signatures (query one of the zone's name servers with a DNSSEC-aware resolver such as dig) and that the TTL changes made earlier have taken effect. The same order applies in reverse when disabling: remove the DS record from the parent, wait for its TTL to expire, and only then disable signing. Follow the instructions under the Establish a chain of trust section, or the AWS documentation on establishing a chain of trust, for the remaining details
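The following script is an added example and not code from the original article: it runs steps 1 to 6 above end to end, including the KMS key creation that step 3 presupposes, with a key policy restricted to the Route 53 DNSSEC service principal and to this account. The hosted zone ID, KSK name and account ID are hypothetical placeholders, and the sample get-dnssec output embedded for offline checking is constructed, not captured from a real zone. The script only contacts AWS when RUN_DNSSEC_SETUP=1 is set, so the helper functions can be exercised first without credentials.

```shell
#!/usr/bin/env bash
# Added example (not code from the original article): steps 1-6 as one script,
# plus the KMS key creation that step 3 presupposes. HOSTED_ZONE_ID, KSK_NAME
# and the account ID are hypothetical placeholders. AWS is only called when
# RUN_DNSSEC_SETUP=1, so the helper functions can be checked offline.
set -eu

AWS=${AWS:-aws}
HOSTED_ZONE_ID=${HOSTED_ZONE_ID:-Z0123456789EXAMPLE}   # hypothetical
KSK_NAME=${KSK_NAME:-example_ksk_01}                    # hypothetical
KMS_REGION=us-east-1   # Route 53 DNSSEC accepts KMS keys from us-east-1 only

# Key policy for the KMS key behind the KSK: the Route 53 DNSSEC service
# principal needs DescribeKey/GetPublicKey/Sign and CreateGrant; the
# SourceAccount/SourceArn conditions keep another account's hosted zone from
# borrowing this key (confused-deputy protection).
key_policy() {
  acct=$1
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AccountAdministration", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::${acct}:root"},
   "Action": "kms:*", "Resource": "*"},
  {"Sid": "AllowRoute53DnssecService", "Effect": "Allow",
   "Principal": {"Service": "dnssec-route53.amazonaws.com"},
   "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"],
   "Resource": "*",
   "Condition": {"StringEquals": {"aws:SourceAccount": "${acct}"},
                 "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}}},
  {"Sid": "AllowRoute53DnssecCreateGrant", "Effect": "Allow",
   "Principal": {"Service": "dnssec-route53.amazonaws.com"},
   "Action": "kms:CreateGrant", "Resource": "*",
   "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}
]}
EOF
}

# KSK names are 3-128 characters of letters, digits and underscores and must be
# unique within the hosted zone; reject bad names before the API does.
valid_ksk_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]{3,128}$'
}

# Extract one quoted string value from get-dnssec JSON on stdin (no jq needed).
json_scalar() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample of `aws route53 get-dnssec` output; not real key material.
SAMPLE_GET_DNSSEC='{
  "Status": {"ServeSignature": "SIGNING"},
  "KeySigningKeys": [{
    "Name": "example_ksk_01", "Status": "ACTIVE", "KeyTag": 12345,
    "DSRecord": "12345 13 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
  }]
}'

# Step 5: poll until ServeSignature is SIGNING. ACTION_NEEDED means Route 53
# cannot use the KMS key (usually a key policy or key spec problem).
wait_until_signing() {
  for i in $(seq 1 30); do
    status=$("$AWS" route53 get-dnssec --hosted-zone-id "$HOSTED_ZONE_ID" \
               --query Status.ServeSignature --output text)
    [ "$status" = SIGNING ] && return 0
    [ "$status" = ACTION_NEEDED ] && { echo "KMS key unusable: $status" >&2; return 1; }
    sleep 10
  done
  echo "zone still $status after 5 minutes" >&2
  return 1
}

main() {
  valid_ksk_name "$KSK_NAME" || { echo "invalid KSK name: $KSK_NAME" >&2; exit 1; }
  account_id=$("$AWS" sts get-caller-identity --query Account --output text)
  kms_arn=$("$AWS" kms create-key --region "$KMS_REGION" \
      --key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY \
      --description "Route 53 DNSSEC KSK for $HOSTED_ZONE_ID" \
      --policy "$(key_policy "$account_id")" \
      --query KeyMetadata.Arn --output text)
  # Step 3: create the KSK bound to the new KMS key
  "$AWS" route53 create-key-signing-key --hosted-zone-id "$HOSTED_ZONE_ID" \
      --name "$KSK_NAME" --status ACTIVE \
      --key-management-service-arn "$kms_arn" \
      --caller-reference "ksk-$(date +%s)"
  # Step 4: turn signing on for the zone
  "$AWS" route53 enable-hosted-zone-dnssec --hosted-zone-id "$HOSTED_ZONE_ID"
  wait_until_signing
  # Step 6 input: the DS record to publish in the parent zone or at the registrar
  "$AWS" route53 get-dnssec --hosted-zone-id "$HOSTED_ZONE_ID" \
      --query 'KeySigningKeys[?Status==`ACTIVE`].DSRecord' --output text
}

if [ "${RUN_DNSSEC_SETUP:-0}" = 1 ]; then main; fi
```

Run it once with RUN_DNSSEC_SETUP=1 under credentials that can create KMS keys and modify the hosted zone; the last line it prints is the DS record for step 6. The KMS key policy deliberately omits a blanket grant to the service principal: scoping it with aws:SourceAccount and aws:SourceArn means a hosted zone in another account cannot be signed with your key even if its owner learns the ARN.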
