
Forcefully disable DNSSEC for Route53 Domain


I've recently disabled and expired one of my domains (.net TLD) which was not registered through AWS but was using Route53 as the DNS service. The domain had DNSSEC enabled and expired a few days ago. Since the domain is no longer active, I wanted to remove it from Route53 as well. As I was about to delete the Zone from Route53, I received a warning that I have to disable DNSSEC signing before I am able to remove the Zone from my account. After initiating the disablement of DNSSEC signing, I then get the following error:

(KeySigningKeyInParentDSRecord 400: Disabling DNSSEC in hosted zone '********.net.' will break the authentication chain. Please remove DS records in the parent zone first.)

Since the domain is expired, those records cannot be resolved anymore. I've tried via multiple resolvers as well as directly querying the .net Nameservers. No Nameserver is reporting any DS records for the domain in question, yet AWS insists that the DS records need to be removed beforehand.

I am no longer in possession of said domain and there are no NS records anymore for it. How should I proceed in this case? I was hoping that there was some sort of override mechanism but I am not able to find it.

asked 9 months ago · 231 views
1 Answer

Regarding your issue with disabling DNSSEC for an expired domain in Route 53: you're encountering a safety mechanism that Route 53 applies when disabling DNSSEC.

When you try to disable DNSSEC, Route 53 checks whether the zone is in the chain of trust by verifying if the parent zone has any NS records and DS records for your domain. Since your domain has expired and is no longer publicly resolvable (likely returning SERVFAIL responses when querying for NS and DS records), Route 53 cannot determine whether it's safe to disable DNSSEC.

Unfortunately, there isn't a documented override mechanism for this situation. Since you can no longer modify the DS records at the registrar level (as the domain has expired), you have limited options:

  1. Wait for some time after the domain expiration - the parent zone (.net TLD) may eventually remove all records related to your expired domain, including the DS records.

  2. Contact AWS Support - they may be able to assist with forcefully disabling DNSSEC in this specific scenario where the domain has expired and you no longer have control over the parent zone records.

  3. If you're planning to delete the hosted zone entirely, you might need to delete all records except the NS and SOA records first, then work with AWS Support to help you disable DNSSEC and complete the deletion.

This situation occurs because Route 53 is designed to prevent breaking the DNSSEC chain of trust, which could cause DNS resolution failures. However, since your domain has already expired, you're in a special case that the standard process doesn't handle well.
Sources
Troubleshooting DNSSEC signing - Amazon Route 53
Deleting a public hosted zone - Amazon Route 53
Disabling DNSSEC signing - Amazon Route 53

answered 9 months ago (EXPERT, reviewed 9 months ago)
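The answer above describes the check Route 53 makes (does the parent zone still publish NS and DS records for the name?) and the documented teardown path. The script below is an added example, not code from the post, from the answerer or from AWS: it asks an authoritative .net server the same question the way the asker did, and only if the parent publishes no DS records does it run the disable-signing, deactivate-KSK, delete-KSK and delete-hosted-zone steps with the AWS CLI. It assumes `dig` and AWS CLI v2 are installed with credentials configured; `DOMAIN` and `HOSTED_ZONE_ID` are placeholders, and the KSK names are read from `get-dnssec` rather than assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the post or from AWS). Reproduces the parent-zone
# DS/NS check Route 53 performs before it lets you disable DNSSEC signing,
# then runs the documented teardown sequence if the chain of trust is clear.
# Assumptions: dig and AWS CLI v2 are installed, credentials are configured,
# and DOMAIN / HOSTED_ZONE_ID below are placeholders to be replaced.

DOMAIN="${DOMAIN:-example.net}"
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0000000000000000EXAMPLE}"
export AWS_PAGER=""   # keep the CLI from opening a pager on ChangeInfo output

# Count records of one type in `dig +noall +answer +authority` output read
# from stdin. Column 4 of a dig record line is the RR type. Pure text
# processing, so it can be checked on canned output without network access.
count_rrs() {
  # $1 = RR type (DS, NS, ...)
  awk -v t="$1" '$0 !~ /^;/ && toupper($4) == t { n++ } END { print n+0 }'
}

# Route 53's rule, restated: signing may be switched off only when the parent
# publishes no DS for the zone; otherwise validating resolvers SERVFAIL.
safe_to_disable() {
  # $1 = number of DS records seen at the parent
  [ "$1" -eq 0 ]
}

# Ask an authoritative parent server, not a recursive resolver, so a stale
# cache can neither hide nor invent DS records. +norecurse keeps it that way.
parent_query() {
  # $1 = domain, $2 = RR type, $3 = one of the parent's nameservers
  dig +norecurse +noall +answer +authority "@$3" "$1" "$2"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  parent_zone="${DOMAIN#*.}."                       # example.net -> net.
  parent_ns="$(dig +short NS "$parent_zone" | head -n 1)"
  ds_count="$(parent_query "$DOMAIN" DS "$parent_ns" | count_rrs DS)"
  ns_count="$(parent_query "$DOMAIN" NS "$parent_ns" | count_rrs NS)"
  echo "parent $parent_ns: DS=$ds_count NS=$ns_count for $DOMAIN"

  if safe_to_disable "$ds_count"; then
    # Step 1: disable signing. While the parent still serves DS this fails
    # with KeySigningKeyInParentDSRecord, the error quoted in the question.
    aws route53 disable-hosted-zone-dnssec --hosted-zone-id "$HOSTED_ZONE_ID"
    # Steps 2 and 3: a hosted zone cannot be deleted while it owns a KSK,
    # so deactivate and delete every KSK the zone still has.
    for ksk in $(aws route53 get-dnssec --hosted-zone-id "$HOSTED_ZONE_ID" \
                   --query 'KeySigningKeys[].Name' --output text); do
      aws route53 deactivate-key-signing-key --hosted-zone-id "$HOSTED_ZONE_ID" --name "$ksk"
      aws route53 delete-key-signing-key     --hosted-zone-id "$HOSTED_ZONE_ID" --name "$ksk"
    done
    # Step 4: with only the SOA and NS record sets left, the zone can go.
    aws route53 delete-hosted-zone --id "$HOSTED_ZONE_ID"
  else
    echo "parent still serves $ds_count DS record(s); remove them at the registrar first" >&2
  fi
fi
```

Run it with `RUN_LIVE=1 DOMAIN=yourdomain.net HOSTED_ZONE_ID=Z... bash disable-dnssec.sh`; without `RUN_LIVE=1` it only defines the functions. Two caveats: the DS records the parent served before expiry stay in resolver caches for their TTL (two days in the asker's case), which is why the script asks an authoritative parent server rather than a recursive resolver; and in the asker's situation the parent answers NXDOMAIN, so this check passes yet Route 53 still refused, which the script cannot work around since it follows the documented path.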
  • Hi Gary

    Thanks for your recommendations. I've already removed all required records and verified that no records for the domain are published. Even AWS' built-in DNS tester correctly returns NXDOMAIN for the query, yet the AWS Console somehow maybe caches the response and denies deletion of the domain.

    Also it seems that I'm not able to reach technical support with my account as I'm not subscribed to any support level.

    I will wait for a few more days and see if the cache will potentially expire. The TTL for the DS record was set at two days.
