How to set up DNSSEC on AWS Route 53
Enable DNSSEC signing in Route 53 with a KMS key and add the DS record at your registrar so no one can forge your DNS answers.
Why this matters to your business
When someone visits your website or sends you email, their computer first asks the DNS system for the right address. Those answers normally travel unsigned, so an attacker able to tamper with the lookup can quietly redirect your visitors to a fake site or reroute your email to their own server — while your real domain still appears in the address bar.
DNSSEC prevents this. It cryptographically signs your DNS answers, so anyone looking you up can prove the answer genuinely came from you and was not altered in transit. In plain terms: it blocks domain hijacking and cache poisoning, the attacks that turn your own domain against your customers. Route 53 does not charge for the signing feature itself (the key it signs with lives in AWS KMS, which carries a small monthly cost), and it is one of the strongest protections you can enable.
How DNSSEC works on Route 53
Route 53 splits the job in a way that is worth understanding before you start:
- Route 53 signs your hosted zone using a key stored in AWS KMS (Key Management Service). Turning on signing publishes the public key as a DNSKEY record and derives a DS record from it.
- Your registrar — the company you renew the domain with — must then publish that DS record in the parent zone (for example .com) so the rest of the internet trusts the signatures.
If you registered the domain through Route 53 (Amazon Registrar), the registrar step is still required, but it is done within the AWS console. If your registrar is a different company, you copy the DS record there by hand.
The real risk — do this carefully
DNSSEC can take your whole domain offline if it is misconfigured. The two ways that happens:
- A DS record at the registrar that does not match the key Route 53 is signing with.
- Disabling signing, deleting the KMS key, or moving DNS away from Route 53 without first removing the DS record at the registrar — the stale DS record keeps demanding signatures that no longer exist, and lookups fail.
Follow the order below exactly. And if you ever migrate DNS off Route 53, remove the DS record at the registrar and disable signing first, then move.
Confirm Route 53 runs your DNS
This only works if Route 53 is answering DNS for your domain. Check that your domain’s nameservers point to the four Route 53 nameservers listed for your hosted zone. Open the Route 53 console, go to Hosted zones, open your domain, and note the NS record values — your registrar’s nameserver setting must match these. If your nameservers point elsewhere, enable DNSSEC at whichever provider runs your DNS instead.
Step-by-step on Route 53
1. Sign in to the AWS console and open Route 53.
2. Go to Hosted zones and open the hosted zone for your domain.
3. Open the DNSSEC signing tab and choose Enable DNSSEC signing.
4. For the key-signing key (KSK), you must provide a customer managed KMS key:
   - Choose Create customer managed key (or select an existing eligible one).
   - The key must be an asymmetric key with usage Sign and verify, using the ECC_NIST_P256 spec, and it must be in the US East (N. Virginia) us-east-1 region — Route 53 DNSSEC requires the key in that region.
   - Give the KSK a name.
5. Confirm and enable signing. Route 53 now signs the hosted zone.
6. Still on the DNSSEC signing tab, find DS record / Establish a chain of trust. Route 53 displays the values you need, including Key Tag, Signing algorithm, Digest algorithm, and the Digest (and often a ready-made DS record line).
7. Now go to your registrar and add the DS record:
   - If the domain is registered in Route 53 (Amazon Registrar): the console can walk you through it under the domain’s settings — or copy the values into the domain’s DNSSEC section.
   - If your registrar is a different company: open its DNSSEC / DS record section and enter the values from step 6 exactly — Key Tag, Algorithm (typically 13), Digest Type (typically 2), and the Digest.
8. Save at the registrar. The chain of trust is complete once the DS record is accepted in the parent zone.
Route 53 quirks people get wrong
- The KMS key must be in us-east-1. Route 53 DNSSEC will not accept a KSK key from another region — this trips people up first.
- Use the right key type. It must be an asymmetric, sign-and-verify, ECC_NIST_P256 KMS key. A symmetric or wrong-spec key will not work as a KSK.
- Two systems, not one. Enabling signing in Route 53 alone does nothing on its own — the DS record must also reach the registrar. People stop after step 5 and wonder why it never validates.
- Copy the digest exactly. One wrong character in the Digest means the registrar’s DS record will not match Route 53’s signing key — the exact misconfiguration that takes a domain offline. Paste, never retype.
- Do not delete the KMS key while signing is active. And never remove the DS record at the registrar while Route 53 is still signing.
- Disable in the right order before moving DNS. To migrate away: remove the DS record at the registrar, wait for it to clear, then disable signing in Route 53 — not the other way round.
- Give it time. DNSSEC changes can take from minutes up to a day to fully propagate and validate.
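The console steps and the quirks above map onto a handful of AWS API calls. The following added example (not the page's own code, nor anything from AWS) encodes the two details that bite people, the us-east-1 region and the ECC_NIST_P256 key spec, as preflight checks, and lists the enable and teardown calls in the safe order. The hosted zone id, KMS key ARN and KSK name are placeholders, and the KSK name rule is assumed from the Route 53 documentation rather than taken from the page.

```python
"""Preflight checks and the ordered AWS API calls for turning Route 53 DNSSEC
signing on (and later off) in the order the text above prescribes.
Added example; the hosted zone id, KMS key ARN and KSK name are placeholders."""
import re
import uuid

KSK_REGION = "us-east-1"          # Route 53 only accepts a KSK stored in this region
KSK_KEY_SPEC = "ECC_NIST_P256"    # asymmetric, sign-and-verify key
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]{36})$")


def validate_ksk_key_arn(arn: str) -> str:
    """Reject a KMS key ARN Route 53 would refuse as a KSK (not a key ARN, or wrong region)."""
    m = KMS_KEY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn}")
    if m.group(1) != KSK_REGION:
        raise ValueError(f"KSK key is in {m.group(1)}; Route 53 DNSSEC requires {KSK_REGION}")
    return arn


def validate_ksk_name(name: str) -> str:
    """KSK name: letters, digits and underscores, 3 to 128 chars (assumed from the Route 53 docs)."""
    if not re.fullmatch(r"[A-Za-z0-9_]{3,128}", name):
        raise ValueError(f"invalid KSK name: {name!r}")
    return name


def kms_key_request(description: str) -> dict:
    """Parameters for kms.create_key in us-east-1. The console also attaches a key policy
    that lets the Route 53 DNSSEC service principal use the key; via the API you add that yourself."""
    return {"KeySpec": KSK_KEY_SPEC, "KeyUsage": "SIGN_VERIFY", "Description": description}


def enable_plan(hosted_zone_id: str, key_arn: str, ksk_name: str) -> list:
    """Ordered calls: create the KSK, enable signing, then read the DS values for the registrar."""
    return [
        ("route53", "create_key_signing_key", {
            "CallerReference": str(uuid.uuid4()),
            "HostedZoneId": hosted_zone_id,
            "KeyManagementServiceArn": validate_ksk_key_arn(key_arn),
            "Name": validate_ksk_name(ksk_name),
            "Status": "ACTIVE",
        }),
        ("route53", "enable_hosted_zone_dnssec", {"HostedZoneId": hosted_zone_id}),
        ("route53", "get_dnssec", {"HostedZoneId": hosted_zone_id}),
    ]


def teardown_plan(hosted_zone_id: str, ksk_name: str) -> list:
    """Safe order for leaving Route 53 DNSSEC: the DS record must be gone from the parent
    zone before signing stops, or resolvers keep demanding signatures that no longer exist."""
    return [
        ("manual", "remove the DS record at the registrar and wait for it to clear", {}),
        ("route53", "disable_hosted_zone_dnssec", {"HostedZoneId": hosted_zone_id}),
        ("route53", "deactivate_key_signing_key", {"HostedZoneId": hosted_zone_id, "Name": ksk_name}),
        ("route53", "delete_key_signing_key", {"HostedZoneId": hosted_zone_id, "Name": ksk_name}),
    ]


def run_plan(plan: list) -> list:
    """Execute a plan with boto3 (imported here so the checks above run without it installed)."""
    import boto3
    responses = []
    for service, method, kwargs in plan:
        if service == "manual":
            input(f"MANUAL STEP: {method}. Press Enter once done...")
            continue
        client = boto3.client(service, region_name=KSK_REGION)
        responses.append(getattr(client, method)(**kwargs))
    return responses


if __name__ == "__main__":
    # Placeholder values; replace with your own hosted zone id and KMS key ARN.
    plan = enable_plan("Z0123456789EXAMPLE",
                       "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
                       "my_domain_ksk")
    for service, method, kwargs in plan:
        print(service, method, kwargs)
    # ds = run_plan(plan)[-1]["KeySigningKeys"][0]["DSRecord"]  # the line to paste at the registrar
```

The plan is built before anything is called, so a key in the wrong region or a malformed name fails locally instead of half-way through a change to a live zone. The last `get_dnssec` response carries the same Key Tag, algorithm, digest type and digest the console shows; paste the `DSRecord` line at the registrar rather than retyping it.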
Verify it worked
Once signing is enabled in Route 53 and the DS record is in place at your registrar, run the free check on this site. It will tell you in plain language whether DNSSEC is correctly published and trusted for your domain.
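The check this site runs boils down to the comparison a validating resolver makes: does the DS record in the parent zone match the DNSKEY the zone is signing with? The following added example (not code from the page, Route 53 or AWS) performs that comparison offline from the two records in presentation format, using the key tag and digest construction from RFC 4034, so a retyped digest or a stale DS record is caught before the registrar change goes live. The DNSKEY in it is a constructed stub with a two-byte public key, not a real key.

```python
"""Offline check that a DS record matches a DNSKEY, the way a validating resolver
does it (RFC 4034 section 5.1.4 and Appendix B). Added example, not page code."""
import base64
import hashlib
import struct

# DS digest type -> hash function (1 = SHA-1, 2 = SHA-256, which Route 53 uses).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'example.com. 3600 IN DNSKEY 257 3 13 <base64>' into (owner, rdata bytes)."""
    fields = [f for f in rr.split() if f not in ("(", ")")]
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_ds(rr: str):
    """Parse 'example.com. 3600 IN DS <tag> <alg> <digest type> <hex>'."""
    fields = rr.split()
    i = fields.index("DS")
    key_tag_, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    return key_tag_, algorithm, digest_type, "".join(fields[i + 4:]).lower()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as lowercase hex."""
    return DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest()


def render_ds(dnskey_rr: str, digest_type: int = 2, ttl: int = 3600) -> str:
    """The DS record the parent zone should carry for this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_rr)
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type).upper()}")


def check_chain(dnskey_rr: str, ds_rr: str) -> dict:
    """Compare a published DS record against the DNSKEY it should point at.
    Any problem means validating resolvers will treat the zone as bogus once the DS is live."""
    owner, rdata = parse_dnskey(dnskey_rr)
    tag, alg, dtype, digest = parse_ds(ds_rr)
    problems = []
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0001:                       # SEP flag: a DS should point at the KSK
        problems.append("DNSKEY is not a KSK (SEP flag clear)")
    if rdata[3] != alg:
        problems.append(f"algorithm mismatch: DNSKEY {rdata[3]}, DS {alg}")
    if key_tag(rdata) != tag:
        problems.append(f"key tag mismatch: DNSKEY {key_tag(rdata)}, DS {tag}")
    if dtype not in DIGEST_ALGOS:
        problems.append(f"unsupported digest type {dtype}")
    elif ds_digest(owner, rdata, dtype) != digest:
        problems.append("digest mismatch: DS does not match this DNSKEY (retyped or stale?)")
    return {"ok": not problems, "problems": problems}


# Constructed sample: a stub KSK (flags 257, algorithm 13) with a two-byte public key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQI="

if __name__ == "__main__":
    good = render_ds(SAMPLE_DNSKEY)
    print(good)
    print(check_chain(SAMPLE_DNSKEY, good))
    bad = good[:-1] + ("0" if good[-1] != "0" else "1")   # one retyped hex digit
    print(check_chain(SAMPLE_DNSKEY, bad))
```

Feed it the DNSKEY record Route 53 shows on the DNSSEC signing tab (or returned by `get_dnssec`) and the DS record as the registrar now publishes it; a clean result means the chain of trust will validate once the parent zone serves the DS, while a digest or key tag mismatch is exactly the misconfiguration that takes a domain offline. Lowercasing the digest on both sides means a registrar that displays hex in a different case is not reported as a false mismatch.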