August 23, 2021

Route 53 DNSSEC

I love security and love to keep my systems security. I have been using capabilities such as SPF and DKIM records and more recently DMARC records and ensuring I have quality SSL setup on my web server and testing using and ensuring I have quality headers too and test using

Now that Route 53 supports DNSSEC ( I figured it was about time I enabled it.

You can find some information about DNSSEC and enabling on your domain by following the AWS blog post:

Here is how I did it for my domain (the one you are reading this on).

First go to the route 53 console and click on DNSSEC signing in your domain details page:

No Key signing keys yet

Here you can create your key signing keys using a KMS CMK. You can either use an existing key or create a new one.

Start by creating your key signing key

Once the keys are created you need to get the DS records:

Created KSK

Now update your registrar with the DS record information:

DS Record information

My domain is registered in Route 53, so it’s a simple case of going to my domain in the registrar and clicking on Manage keys next to the DNSSEC status.

Registrar Details

Copy the key type, algorithm and public key from the DS record information:

Update the keys at the registrar

Then click save:


Now got and test:

DNSSEC Test Results

Of course the devil is in the detail, and make sure you understand the consequences before enabling DNSSEC. But hopefully I’ve shown you how easy it is to enabled DNSSEC in Route 53.

© Greg Cockburn

Powered by Hugo & Kiss.