Menu
We are trying to decide which DNS hosting solution to use. Today we use Power DNS and we want to move to a hosted DNS solution. The best solution for us would be using Amazon's Route 53 for this. We are mandated to use DNSSEC for our DNS solution and I have been trying to understand what Amazon's DNS supports and what it doesn't.
Amazon's site says:
Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider.
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
Can anyone explain what this means? In particular what is supported and what isn't as well as what does using another DNS service provider for a domain that is registered with Route 53 mean.
750
Amazon's domain name registrar, Route 53 Domains, already supports DNSSEC, and customers can now register domains and host their DNS on Route 53 with DNSSEC signing enabled.
AWS now supports DNS Security Extensions (DNSSEC) signing on public zones for Amazon Route 53 and validation for Amazon Route 53 Resolver. DNSSEC is a specification that provides data integrity assurance for DNS and helps customers meet compliance mandates (for example, FedRAMP and security standards such as NIST).
Route 53 offers two¹ different services:
Those two services have no necessary connection to each other. You can register a domain with any accredited registrar (for example, let's say Go Daddy), and still host the DNS with Route 53... or you can register a domain with Route 53 and still host the DNS elsewhere (for example, let's say Dyn)... or you can use Route 53 for both services, since they are independent.
Amazon Route 53 supports DNSSEC for domain registration
So, if you register a domain with the Route 53 Registrar, it can be configured to use DNSSEC...
but does not support DNSSEC for DNS service.
...but not if you use Route 53 hosted zones for authoritative DNS hosting, which does not support DNSSEC, regardless of who the registrar is.
Therefore...
If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider
...to host your authoritative DNS records. You can't use a Route 53 hosted zone with DNSSEC.
¹ two different services that are relevant here. The emphasis is intended to be on different, because many other service providers blur the distinction between domain registration and authoritative DNS hosting to the point that many users seem unaware that they can almost always be decoupled, in at least one direction, regardless of the providers in question. Also under the "Route 53" banner are other services like Route 53 Resolver (which deals primarily with recursive querying in VPC and/or on-premise) and Route 53 Health Checks (which can be used as a basis for DNS failover as well as for other health-checking and latency-measuring purposes that can be but aren't necessarily even DNS related).
165
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
