Last September we have configured DNSSEC for 80+ domains and their zones. However, one domain at that time (tld: EU) failed when the button "Create KSK and enable signing" on "Enable DNSSEC signing" in the "DNSSEC signing" tab of the (public) hosted zone:
HostedZonePartiallyDelegated 400: Due to DNS lookup failure, we cannot determine if hosted zone with ID 'Z332UHAFXBEJDU' has NS records partially connected with its parent zone.
The zone and domain are both on Route53.
Today, I have tried again to enable DNSSEC, but still with the same error.
Domain
The associated domain has a DNSSEC-key activated (completed process). Also, the details say: DNSSEC status Configured
Zone
The KSK is visible under DNSSEC signing as "acme_eu", status Active, creation date September 11, 2023.
Alternative actions
I have tried to inactivate and delete the KSK. Then added a new one and made it Active. Still same error.
Since almost all Route53 registrations are structured identical to this one, I have compared several of them. Settings are all identical. There are three other EU TLD-domains. Configuration of these was also successful.
Did anyone else run into the same problem? If so, what was a viable approach to enable DNSSEC?
AWS OFFICIALUpdated 2 years ago
