← Return to Guides

Enabling DNSSEC on AWS Route 53

Complete guide to configure DNSSEC on Amazon Route 53 DNS service

Prerequisites

  • AWS account with Route 53 access
  • Hosted zone configured in Route 53
  • IAM permissions for Route 53 DNSSEC operations
  • Access to your domain registrar's control panel

Step 1: Enable DNSSEC Signing

  1. Log in to AWS Console and navigate to Route 53
  2. Select Hosted zones from the left menu
  3. Click on your domain's hosted zone
  4. Click the DNSSEC signing tab
  5. Click Enable DNSSEC signing
  6. Choose Create a new KSK or use an existing one
  7. Select the key signing key (KSK) - Route 53 will generate one if needed
  8. Click Enable DNSSEC signing to confirm

Step 2: Configure KSK (Key Signing Key)

Route 53 uses AWS KMS (Key Management Service) to manage your KSK:

  1. If creating a new KSK, choose your KMS key or create a new one
  2. Select the key type (symmetric or asymmetric)
  3. Configure key rotation settings (recommended: enable automatic rotation)
  4. Set appropriate IAM permissions for the KMS key

Note: Route 53 charges for KMS key usage. Review AWS pricing for KMS operations.

Step 3: Get DS Records

After enabling DNSSEC signing, Route 53 will generate DS records:

  1. In the DNSSEC signing tab, you'll see the DS record section
  2. Copy the DS record(s) - Route 53 typically provides one DS record
  3. The format will be: example.com. IN DS key-tag algorithm digest-type digest

Step 4: Add DS Records to Registrar

Add the DS record to your domain registrar:

  1. Log in to your domain registrar's control panel
  2. Navigate to DNSSEC or DS record settings
  3. Add the DS record from Route 53
  4. Save changes

Step 5: Verify DNSSEC

Wait 15-30 minutes for propagation, then verify:

  • Use our DNSSEC checker
  • Check Route 53 console - DNSSEC status should show "Enabled"
  • Verify DS records are published: dig DS example.com

Route 53 DNSSEC Features

  • KMS Integration: Uses AWS KMS for secure key management
  • Automatic Signing: All DNS records are automatically signed
  • NSEC3: Uses NSEC3 for authenticated denial
  • Algorithm 13: Uses ECDSAP256SHA256 by default
  • Key Rotation: Supports automatic KSK rotation via KMS

Cost Considerations

  • KMS key usage charges apply
  • Route 53 DNSSEC signing is included in hosted zone pricing
  • No additional charges for DNSKEY or RRSIG records
  • Review AWS pricing calculator for accurate costs

Troubleshooting

DNSSEC Not Enabling

Check IAM permissions for Route 53 and KMS. Ensure you have route53:EnableDNSSECand KMS key permissions.

Validation Failures

Verify DS records are correctly added at registrar. Use our chain verifier to check each link.

KMS Key Issues

Ensure KMS key is in the same region as your hosted zone. Check key policy allows Route 53 service to use it.

Next Steps