Teri Radichel

Configure DNSSEC Manually in AWS Route 53

Steps to help prevent domain spoofing using the AWS Console


In the last post on this topic I linked to the documentation and sorted out the steps to set up DNSSEC on AWS Route 53.

In this post I’ll explain how to manually configure DNSSEC for a domain in Route 53. I didn’t do everything recommended in the prior post because I don’t have a lot of time to get this done, so I started with a few test domains.

1. Log in to AWS.

2. Head over to Route 53.

3. Find the hosted zone for which you want to enable DNSSEC.

4. Change the NS TTL to 3600.

5. Change the SOA TTL to 300.

6. Click on the DNSSEC tab.

7. Click Enable DNSSEC signing.

8. Enter a key name, choose the option to create a key, enter an alias.

9. Click Create KSK and enable signing.

The process will take a minute. Then you’ll see something like this.

10. Click View information to create a DS record.

The AWS documentation recommends waiting at least the length of time of the TTL value at this point.

If you registered your domain on AWS

1. Expand the first arrow.

2. It will provide values for Key type, Signing algorithm, and Public key.

3. Make a note of those values so you can use them in the next steps.

4. In the AWS Console for Route 53 click on Registered domains (in the account where you registered the domains).

5. Click on the domain in the list and then Manage DNSSEC keys.

6. Enter the values into the box and click Add.

Note that after you do this no key appears here, nor is there any message to tell you that one has been added and is pending. (Bug?)

If you try to add the key again it will tell you that there is a pending add.

7. Wait for the changes to propagate. In other words, wait for the amount of time to which you set the TTL and wait for the key to show up above also. I’m not sure if those two things correlate.

8. Test out any web sites and email addresses and monitor for any issues. AWS mentions some potential issues as I mentioned in the last post.

9. After your changes are successful for a couple of weeks you may want to increase the TTL again for your domains.

Why? The TTL is how long your DNS records are considered valid (cached by resolvers) before they query Route 53 again, and you pay for queries on AWS. Increasing the TTL will reduce your cost (and puts less load on AWS servers).

If you registered your domain somewhere else

If you registered your domain somewhere else, expand the second arrow.

There will be additional information present if you registered your domain with an alternate registrar. Follow the instructions provided by the external registrar to enter the information for your domain, the same way you did for a domain registered at AWS above. You will just need to figure out where to enter the information and provide any other information required by the external registrar.
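Whether the registrar is Route 53 or an external one, the DS record it publishes must be derived from the exact KSK DNSKEY that Route 53 shows in the DNSSEC tab; a typo in the public key or key tag silently breaks the chain of trust. The following is an added example, not code from the post or from AWS, that computes the expected DS fields (key tag, algorithm, digest) from a DNSKEY and checks them against what a registrar displays; the domain and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

KSK_FLAGS = 257       # ZONE + SEP flags, what Route 53 sets on the KSK it creates
DNSKEY_PROTOCOL = 3   # fixed value required by RFC 4034


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA, not a hash."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased, length-prefixed) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner: str, flags: int, algorithm: int, public_key_b64: str, digest_type: int = 2) -> dict:
    """DS fields a registrar should publish for this DNSKEY (digest type 2 = SHA-256)."""
    rdata = dnskey_rdata(flags, algorithm, public_key_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def ds_matches(owner: str, flags: int, algorithm: int, public_key_b64: str, published_ds: dict) -> bool:
    """True only if the DS shown by the registrar matches what the zone's DNSKEY implies."""
    expected = ds_record(owner, flags, algorithm, public_key_b64, published_ds["digest_type"])
    return (expected["key_tag"] == published_ds["key_tag"]
            and expected["algorithm"] == published_ds["algorithm"]
            and expected["digest"] == published_ds["digest"].upper())


# Constructed sample: placeholder domain and a made-up 64-byte P-256 point for algorithm 13
# (ECDSAP256SHA256, the algorithm Route 53 uses). Replace with the values from the DNSSEC tab.
SAMPLE_OWNER = "example.com."
SAMPLE_ALGORITHM = 13
SAMPLE_PUBLIC_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, KSK_FLAGS, SAMPLE_ALGORITHM, SAMPLE_PUBLIC_KEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

Once the change has propagated, the same fields can be compared against the live DS answer from the parent zone to confirm the registrar published what you entered.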

Next we’ll take a look at some DNS records that can help protect your email.


Teri Radichel | © 2nd Sight Lab 2023
