
Unable to delete hosted zones - DNSSEC signing disabled, CMK deleted


Hi all,

I have tried the following steps to delete the hosted zone, but I was still getting “HostedZoneNotEmpty 400: The specific hosted zone contains DNSSEC key signing keys and so cannot be deleted”.

  1. Disabled DNSSEC signing in Route 53.
  2. Deleted the CMK in the key management service after waiting 7 days.

**Please could anyone advise what to do next?**

The CMK has disappeared from the key management service, but it is still showing as Active under DNSSEC signing. But when I click on View details for the key, I get "Error occurred" under "Customer managed CMK details".


1 Answer

Accepted Answer

Delete a key-signing key (KSK)

Before you can delete a KSK, you must edit the KSK to set its status to Inactive.

One reason that you might delete a KSK is as part of routine key rotation. It's a best practice to rotate cryptographic keys periodically. Your organization might have standard guidance for how often to rotate keys.

Follow these steps to delete a KSK in the AWS Management Console.

To delete a KSK

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
  2. In the navigation pane, choose Hosted zones, and then choose a hosted zone.
  3. On the DNSSEC signing tab, under Key-signing keys (KSKs), choose Switch to advanced view, and then under Actions, choose Delete KSK.
  4. Follow the guidance to confirm deleting the KSK.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-ksk.html#dns-configuring-dnssec-ksk-delete-ksk

EXPERT
answered a year ago
EXPERT
reviewed a year ago
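The same clean-up as the console steps above, scripted against the Route 53 API with boto3. This is an added example, not code from the answer or from AWS; the hosted zone id, KSK name and KMS ARN are constructed placeholders, and the zone is assumed to hold only its default NS and SOA records. `plan_cleanup` turns a `get_dnssec()` response into the ordered calls (disable signing if still on, set each KSK Inactive, delete it, then delete the zone); `run_plan` executes them with a real client and waits for each change to propagate.

```python
from __future__ import annotations
from typing import Any

# Constructed sample mirroring the question: signing already disabled, the KMS
# key already scheduled away, yet the KSK still reports ACTIVE.
SAMPLE_DNSSEC: dict[str, Any] = {
    "Status": {"ServeSignature": "NOT_SIGNING"},
    "KeySigningKeys": [{
        "Name": "example-ksk",          # placeholder KSK name
        "Status": "ACTIVE",
        "KmsArn": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER",
    }],
}


def plan_cleanup(dnssec: dict[str, Any], zone_id: str) -> list[tuple[str, ...]]:
    """Order the API calls needed before the hosted zone can be deleted.

    Signing is disabled first, every KSK is set to INACTIVE (the answer's
    precondition for deleting a KSK), each KSK is deleted, and only then is
    the now-empty hosted zone deleted.
    """
    steps: list[tuple[str, ...]] = []
    if dnssec["Status"]["ServeSignature"] != "NOT_SIGNING":
        steps.append(("disable_hosted_zone_dnssec", zone_id))
    for ksk in dnssec.get("KeySigningKeys", []):
        # A KSK that is not yet INACTIVE (ACTIVE, or an error state after the
        # KMS key vanished) must be deactivated before it can be deleted.
        if ksk["Status"] != "INACTIVE":
            steps.append(("deactivate_key_signing_key", zone_id, ksk["Name"]))
        steps.append(("delete_key_signing_key", zone_id, ksk["Name"]))
    steps.append(("delete_hosted_zone", zone_id))
    return steps


def run_plan(steps: list[tuple[str, ...]], client: Any) -> None:
    """Execute a plan with a boto3 'route53' client, waiting on each change."""
    for name, zone_id, *rest in steps:
        if name == "delete_hosted_zone":
            resp = client.delete_hosted_zone(Id=zone_id)
        elif rest:  # KSK operations take the KSK name
            resp = getattr(client, name)(HostedZoneId=zone_id, Name=rest[0])
        else:
            resp = getattr(client, name)(HostedZoneId=zone_id)
        # Every call above returns ChangeInfo; block until it is INSYNC so the
        # next step does not race the previous one.
        client.get_waiter("resource_record_sets_changed").wait(Id=resp["ChangeInfo"]["Id"])


if __name__ == "__main__":
    import boto3
    zone = "ZPLACEHOLDER"  # placeholder hosted zone id
    r53 = boto3.client("route53")
    run_plan(plan_cleanup(r53.get_dnssec(HostedZoneId=zone), zone), r53)
```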
