I have an Amazon CloudFront distribution, and I need to comply with my organization’s regulatory mandate to use Domain Name System Security Extensions (DNSSEC).
Short description
By default, DNSSEC isn't available for the CloudFront domain of a distribution (such as d123abc.cloudfront.net). To turn on DNSSEC for a domain, the owner of the zone must sign it and publish a DNSKEY record so that a DS record can be placed in the parent zone. AWS owns and manages the DNS records for the cloudfront.net zone, so you can't create a DNSKEY record for the CloudFront domain or sign it yourself. This means that you can't directly activate DNSSEC for a CloudFront domain. Instead, you activate it on an alternate domain name that you control and that points to the distribution.
If your organization requires the use of DNSSEC, then you can implement the following workaround to turn it on:
- Prevent access to the distribution from the CloudFront domain.
- Activate DNSSEC on an alternate domain name or CNAME that's attached to the CloudFront distribution.
Resolution
Prevent access from CloudFront
First, prevent any requests that have the cloudfront.net domain in the Host header. To do this, use any of the following methods:
Use AWS WAF
Use an AWS WAF rule that blocks either of the following request types:
- A Host header that ends with cloudfront.net. In AWS WAF terms, this is a byte match statement on the single header host with the ENDS_WITH positional constraint. Add the LOWERCASE text transformation so that the match is case-insensitive, because hostnames aren't case-sensitive.
- A Host header that contains the domain of the distribution itself (such as d123abc.cloudfront.net). For more information, see Single header in the AWS documentation for web request component options.
Use a function
Use a CloudFront function that runs on viewer request to block any request whose Host header value ends with cloudfront.net. You can use a standard CloudFront function or a Lambda@Edge function. For most use cases, it's a best practice to use a CloudFront function because of its lower cost and lower latency. Because hostnames aren't case-sensitive, compare the Host header value in lowercase.
The following example CloudFront function blocks requests that have the CloudFront domain in the Host header:
function handler(event) {
    var request = event.request;
    // Extract the Host header value. Hostnames are case-insensitive, so
    // normalize to lowercase before comparing.
    var host = request.headers.host.value.toLowerCase();
    // Block requests that are addressed to the distribution's own cloudfront.net domain
    if (host.endsWith('.cloudfront.net')) {
        // Return a response to block the request
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: {
                'content-type': {
                    value: 'text/plain'
                }
            },
            body: 'Access to this resource is forbidden.'
        };
    }
    // Any other Host value (an alternate domain name) is allowed to proceed
    return request;
}
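The following is an added example, not the function from the original article. It goes beyond the article's deny-list check: instead of rejecting Host values that end with cloudfront.net, it allows only the alternate domain names that are attached to the distribution and rejects everything else, including a missing Host header, so the function keeps working if the distribution's domain changes. It also includes a small local harness so that you can check the decision table with node before you deploy. The alternate domain names www.example.com and example.com, the distribution domain d123abc.cloudfront.net, and the helper names makeEvent and decisionTable are placeholders. Only the part above the harness marker is the CloudFront function; CloudFront Functions doesn't use require or module.

```javascript
// Added example (not the original article's function): an allow-list variant of the
// viewer-request function, plus a local harness for checking it with node.
// The alternate domain names below are hypothetical placeholders.

// Alternate domain names attached to the distribution. Anything else, including
// the distribution's own d123abc.cloudfront.net name, is rejected.
var ALLOWED_HOSTS = ['www.example.com', 'example.com'];

function forbidden() {
    return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: { 'content-type': { value: 'text/plain' } },
        body: 'Access to this resource is forbidden.'
    };
}

function handler(event) {
    var request = event.request;
    var hostHeader = request.headers.host;
    // No Host header at all: nothing to match against, so refuse.
    if (!hostHeader || !hostHeader.value) {
        return forbidden();
    }
    // Hostnames are case-insensitive; also drop any :port suffix and a trailing dot.
    var host = hostHeader.value.toLowerCase().split(':')[0].replace(/\.$/, '');
    for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
        if (host === ALLOWED_HOSTS[i]) {
            return request; // allowed: pass the request through unchanged
        }
    }
    return forbidden();
}

// ---- Local harness (not part of the deployed function) ----

// Build a minimal viewer-request event shaped like the one CloudFront Functions passes in.
// Pass undefined as hostValue to simulate a request with no Host header.
function makeEvent(hostValue) {
    var headers = {};
    if (hostValue !== undefined) {
        headers.host = { value: hostValue };
    }
    return { request: { method: 'GET', uri: '/', headers: headers } };
}

// Map each constructed Host value to 'allowed' or 'blocked'.
function decisionTable(hosts) {
    var out = {};
    hosts.forEach(function (h) {
        var result = handler(makeEvent(h));
        out[String(h)] = result.statusCode === 403 ? 'blocked' : 'allowed';
    });
    return out;
}

if (typeof require !== 'undefined' && require.main === module) {
    // Constructed sample inputs: alternate domains in both cases, the distribution
    // domain in both cases, a trailing-dot form, and a missing Host header.
    console.log(decisionTable([
        'www.example.com', 'WWW.EXAMPLE.COM', 'example.com.',
        'd123abc.cloudfront.net', 'D123ABC.CLOUDFRONT.NET', 'evil.example.com', undefined
    ]));
}
```

Run the file with node to print the decision table. To deploy, copy the part above the harness marker into a CloudFront function, set ALLOWED_HOSTS to the alternate domain names configured on the distribution, and associate the function with the viewer request event of the distribution's cache behaviors.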
Activate DNSSEC on an alternate domain name
After you block access from the CloudFront domain, activate DNSSEC on the alternate domain name (CNAME) that's attached to the distribution. To do this, follow the steps in Activating DNSSEC signing and establishing a chain of trust. Keep in mind that signing covers only the zone that you control: if the DNS record for the alternate domain is a CNAME to the cloudfront.net domain, a validating resolver follows the CNAME into the unsigned cloudfront.net zone and treats the final answer as insecure rather than validated. A Route 53 alias record returns the addresses from within your signed hosted zone, so the whole answer can be validated.
Test your domain
To confirm that DNSSEC is working properly with your domain, use the DNSSEC Analyzer from Verisign Labs. It walks the chain of trust from the root down to your alternate domain name and reports any missing or mismatched DS or DNSKEY records. Also confirm that a validating resolver returns the AD (authenticated data) flag for a query on the alternate domain name, and that a request to the distribution's cloudfront.net domain is rejected with a 403 response.