DNSSEC (DNS Security Extensions) on AWS adds cryptographic signatures to DNS data so that resolvers can verify it has not been altered, which helps customers meet compliance requirements for DNS data integrity.
Bobcares responds to all queries, large and small, as part of our AWS support services.
Let’s take a closer look at AWS DNSSEC.
AWS DNSSEC
AWS supports DNS Security Extensions (DNSSEC) signing for public hosted zones in Amazon Route 53 and DNSSEC validation in Amazon Route 53 Resolver.
Route 53 adds cryptographic signatures to our DNS records when we enable DNSSEC signing for a hosted zone. Signing alone, however, is not enough to secure the zone: we must also establish a chain of trust for the zone so that resolvers can verify our keys starting from the parent zone.
The resolver validates those signatures when we enable DNSSEC validation for our VPC in Route 53 Resolver, confirming that no one has tampered with the records. This protects us from DNS spoofing, cache poisoning, and other DNS-based man-in-the-middle attacks.
DNSSEC configuration prerequisites and maximums
Our domain and DNS service provider must meet the following requirements to configure DNSSEC for a domain:
- DNSSEC must be supported by the TLD registry. See Domains that we can register with Amazon Route 53 to check whether the registry for our TLD supports DNSSEC.
- DNSSEC must be supported by the domain’s DNS service provider.
- Before we can add public keys to Route 53, we need to configure DNSSEC with our domain’s DNS service provider.
- The TLD determines the maximum number of public keys we can add to a domain: .com and .net domains can have up to thirteen keys, while all other domains can have four.
Adding public keys for a domain
Perform the following procedure after configuring DNSSEC with the domain’s DNS service provider, whether we are enabling DNSSEC for a domain or rotating keys.
- Firstly, log in to the AWS Management Console. Then go to https://console.aws.amazon.com/route53/ to open the Route 53 console.
- Then, select Registered domains from the navigation panel.
- Choose the domain name for which we want to add keys.
- Choose Manage keys from the DNSSEC status field.
- Then, specify the Key type, Algorithm and Public key.
- Finally, choose Add.
- When Route 53 receives a response from the registry, the registrant contact for the domain receives an email. The email either confirms that the public key was added or explains why it could not be added to the domain at the registry.
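What the registry publishes after this step is a DS record derived from the key we submitted, and a practitioner will want to confirm that the published DS line really corresponds to the DNSKEY in the hosted zone. The following is an added example, not Bobcares’ or AWS’ own code: it derives the key tag and DS digest from a DNSKEY as RFC 4034 specifies, and compares the result with a DS line of the form `dig DS <domain>` prints. The owner name, the four-byte “public key” and the published DS line are constructed sample values, not real records.

```python
"""Derive the DS record a registry publishes for a DNSKEY and compare it.

Added example; not Bobcares' or AWS' own code. Everything here follows
RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4). The owner
name, key material and the "published" DS line below are constructed
sample values, not real records.
"""
import base64
import hashlib

# RFC 4034 DS digest types; digest type 2 (SHA-256) is the common choice.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical (lower-cased, length-prefixed) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # the empty root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return (flags.to_bytes(2, "big")
            + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    h = DIGEST_ALGORITHMS[digest_type]
    return h(canonical_name(owner) + rdata).hexdigest().upper()


def expected_ds(owner: str, flags: int, protocol: int, algorithm: int,
                public_key_b64: str, digest_type: int = 2) -> str:
    """The DS RDATA ("tag algorithm digest-type digest") the registry should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(published_line: str, expected: str) -> bool:
    """Compare a DS line as printed by `dig DS <domain>` with the expected RDATA.

    Only the last four fields are compared, so both a bare RDATA string and a
    full "name ttl IN DS ..." line are accepted; the digest is case-insensitive.
    """
    pub = published_line.split()[-4:]
    exp = expected.split()
    return len(pub) == 4 and [f.upper() for f in pub] == [f.upper() for f in exp]


# Constructed sample: a KSK (flags 257, protocol 3, ECDSA P-256 = algorithm 13)
# with a dummy 4-byte "public key"; a real key is of course far longer.
SAMPLE_OWNER = "example.com"
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()  # "AQIDBA=="

if __name__ == "__main__":
    ds = expected_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64)
    print("expected DS:", ds)
    # Stand-in for the line the registry now publishes (constructed, not queried)
    print("matches:", ds_matches(f"{SAMPLE_OWNER}. 3600 IN DS {ds}", ds))
```

In practice, feed `expected_ds` the flags, algorithm and public key shown for the KSK in the hosted zone, and `ds_matches` the line returned by querying the DS record at the parent; a mismatch in the key tag or digest means the chain of trust is not established and validating resolvers will treat the zone as bogus.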
Enabling DNSSEC validation in Amazon Route 53
In Amazon Route 53, DNSSEC validation applies only to public signed names; it does not apply to zones that the Resolver forwards.
To enable DNSSEC validation for a VPC
- Firstly, log in to the AWS Management Console.
- Then, go to https://console.aws.amazon.com/route53/ to open the Route 53 console.
- Select VPCs from the Resolver menu in the navigation panel.
- Select the checkbox for DNSSEC validation. To disable DNSSEC validation, clear the checkbox if it is already selected.
It’s worth noting that enabling or disabling DNSSEC validation can take quite some time to take effect.
Conclusion
To sum up, our knowledgeable engineers demonstrated DNSSEC configuration, adding public keys to a domain, and enabling DNSSEC validation in Amazon Route 53.