Amazon Route 53 DNSSEC support

Route 53 offers two¹ different services:

  • a DNS hosting provider, providing authoritative DNS hosting in hosted zones
  • a domain registrar, allowing you to register new domains for use on the Internet (or transfer the registration of existing domains so that your annual registration fees are consolidated into your AWS account bill)

Those two services have no necessary connection to each other. You can register a domain with any accredited registrar (for example, let's say GoDaddy), and still host the DNS with Route 53... or you can register a domain with Route 53 and still host the DNS elsewhere (for example, let's say Dyn)... or you can use Route 53 for both services, since they are independent.

"Amazon Route 53 supports DNSSEC for domain registration"

So, if you register a domain with the Route 53 Registrar, it can be configured to use DNSSEC...

"but does not support DNSSEC for DNS service."

...but not if you use Route 53 hosted zones for authoritative DNS hosting, which does not support DNSSEC, regardless of who the registrar is.

Therefore...

"If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider"

...to host your authoritative DNS records. You can't use a Route 53 hosted zone with DNSSEC.


¹ two different services that are relevant here. The emphasis is intended to be on different, because many other service providers blur the distinction between domain registration and authoritative DNS hosting to the point that many users seem unaware that they can almost always be decoupled, in at least one direction, regardless of the providers in question. Also under the "Route 53" banner are other services like Route 53 Resolver (which deals primarily with recursive querying in VPC and/or on-premises) and Route 53 Health Checks (which can be used as a basis for DNS failover as well as for other health-checking and latency-measuring purposes that can be but aren't necessarily even DNS related).


DNSSEC is now supported by AWS Route 53 for both DNSSEC signing (Hosting service) and domain registration (Registrar service).

Please follow the official guide to configure DNSSEC signing of the hosted zone here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html
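
The registrar/hosting split discussed in the answers above corresponds to two DNSSEC record sets: the DS record published in the parent zone through the registrar, and the DNSKEY set served by the DNS hosting provider. The Python below is an added example, not part of either answer or of AWS documentation; the function names, state labels and sample key are constructed for illustration. It classifies a domain from those two record sets, and the `ds-without-dnskey` and `ds-mismatch` states are the ones in which validating resolvers fail lookups for the domain.

```python
import base64
import hashlib
import struct

# Constructed sample KSK (flags 257, protocol 3, algorithm 13); not a real key.
SAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA layout from RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def chain_state(owner, parent_ds, child_dnskeys):
    """Classify the delegation.

    parent_ds: (key_tag, algorithm, digest_type, digest_hex) tuples, as
               published in the parent zone via the registrar.
    child_dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples, as
               served by the authoritative DNS hosting provider.
    """
    if not parent_ds and not child_dnskeys:
        return "unsigned"            # plain DNS, no DNSSEC on either side
    if not parent_ds:
        return "signed-no-ds"        # host signs, registrar side not configured
    if not child_dnskeys:
        return "ds-without-dnskey"   # registrar has DS, host does not sign
    # Only SHA-256 DS records (digest type 2) are compared in this example.
    published = {(t, a, d.upper()) for t, a, dt, d in parent_ds if dt == 2}
    for flags, proto, alg, pub in child_dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pub)
        if (key_tag(rdata), alg, ds_sha256(owner, rdata)) in published:
            return "secure"          # DS at the parent matches a served key
    return "ds-mismatch"             # DS present but matches no served key
```
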