How do I get CloudFront to comply with my organization’s requirement to use DNSSEC?

3 minute read

I have an Amazon CloudFront distribution, and I need to comply with my organization’s regulatory mandate to use Domain Name System Security Extensions (DNSSEC).

Short description

By default, CloudFront domains don't allow DNSSEC. To activate DNSSEC for your domain, you must first create a DNSKEY record. However, because AWS manages the DNS records for CloudFront domains, you can't configure a DNSKEY record. This means that you can't directly activate DNSSEC for a CloudFront domain. Instead, you must activate it through an alternate domain.

If your organization requires the use of DNSSEC, then you can implement the following workaround to turn it on:

  1. Prevent access to the distribution from the CloudFront domain.
  2. Activate DNSSEC on an alternate domain name or CNAME that's attached to the CloudFront distribution.


Prevent access from CloudFront

First, prevent any requests that have the domain in the Host header. To do this, use any of the following methods:


Use an AWS WAF rule that blocks either of the following request types:

  • A Host header that ends with
  • All requests that have the domain of the distribution (such as inside the header. For more information, see Single header in the AWS documentation for web request component options.

Use a function

Use a CloudFront function to block any requests that have a value in the Host header that ends with You can use a standard CloudFront function or Lambda@Edge function. For most use cases, it's a best practice to use a CloudFront function because of lower cost and faster performance.

The following example CloudFront function blocks requests that have the CloudFront domain in the host header:

function handler(event) {
  var request = event.request;

    // Extract the host header value
    var host =;

    // Check if the host header value ends with ""
    if (host.endsWith('')) {
      // Return a response to block the request
      return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: {
          'content-type': {
            value: 'text/plain'
        body: 'Access to this resource is forbidden.'

    // Allow the request to proceed
    return request;

Activate DNSSEC on an alternate domain name

After you block access from the CloudFront domain, you can activate DNSSEC on an alternate domain name or CNAME. To do this, follow the steps in Activating DNSSEC signing and establishing a chain of trust.

Test your domain

To confirm that DNSSEC is working properly with your domain, use the DNSSEC analyzer from Verisign Labs.

AWS OFFICIALUpdated 8 months ago