How to add DS record for domain registered with Route 53, but using Cloudflare NS servers?

1

Cloudflare gives me a DS record I should add with my registrar in order to enable DNSSEC, but I don't know how to do it.

asked a year ago · 427 views
2 Answers
0

Please see the instructions here, under "Adding public keys for a domain": https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

EXPERT
answered a year ago
  • It asks me to create KSK keys, but when I try to enable signing, I'm getting an error:

    Bad request. (HostedZonePartiallyDelegated 400: Hosted zone with ID 'Z07897512FQEE7PF1ZXU6' has NS records partially connected with its parent zone.)

    I can't spot anything related to adding the DS record Cloudflare asks for.

0

If you are getting a 400, that probably means you are creating the DS record for your domain in your domain, not in the parent domain. For a sub-domain, my understanding is the DS should be created in its parent domain; and for a root domain, the DS should be created in its parent TLD. E.g. the DS for example.com should go into the .com TLD, and the DS for subdomain.example.com should go into example.com.

The documentation link below did not help me, as I had a stale DS record from the previous registrar: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

In your case, the old console might be able to provide a way to create a DS record for Cloudflare as required. If there is only one DS record, the issue should resolve for you. Do NOT remove other DS records if there are no other issues.

You can use troubleshooting tools to help navigate to a solution. Please post here if you were able to resolve your DNSSEC issue.

AWS has a new Route53 console, and some options from the old one are missing. If you "Switch to old console" on the bottom left (while it is still available), there is a link "Manage keys" under "DNSSEC status" for your registered domain; the documentation was not updated for the new console.

I was able to add a DS record for my domain there.

Troubleshooting tools I used: the Linux command line tool "dig", e.g. dig example.com DS @8.8.8.8; https://dnsviz.net; https://dnssec-analyzer.verisignlabs.com

omkar
answered 4 months ago
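To check for the "stale DS" situation described in the answer above, here is an added Python example (not from this thread, AWS or Cloudflare) that recomputes the DS record each child DNSKEY should produce (RFC 4034: digest over the owner name plus the DNSKEY RDATA) and reports any DS at the parent that matches none of the current keys. The DNSKEY and DS values in it are constructed; in practice you would paste the RDATA returned by "dig example.com DNSKEY" and "dig example.com DS @8.8.8.8".

```python
import base64
import hashlib

# DS digest type -> hash function (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(owner):
    """Canonical wire-format owner name: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA the parent zone should hold for this DNSKEY: (tag, alg, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def parse_ds(text):
    """Parse DS presentation format '<tag> <alg> <digest type> <hex>' (dig may split the hex)."""
    parts = text.split()
    return (int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper())

def stale_ds(parent_ds_records, owner, dnskeys):
    """Return DS records at the parent that match none of the child's current DNSKEYs."""
    expected = {make_ds(owner, f, p, a, k, dt)
                for f, p, a, k in dnskeys for dt in DIGEST_ALGS}
    return [ds for ds in parent_ds_records if parse_ds(ds) not in expected]

if __name__ == "__main__":
    # Constructed sample: one child KSK (flags 257, ECDSA P-256 = alg 13) with a toy 4-byte key.
    child_keys = [(257, 3, 13, "AAEAAg==")]
    tag, alg, dt, digest = make_ds("example.com", *child_keys[0])
    parent = [f"{tag} {alg} {dt} {digest}",   # current DS, as the registrar should publish it
              "12345 13 2 " + "00" * 32]      # constructed leftover from a previous registrar
    print("stale DS at parent:", stale_ds(parent, "example.com", child_keys))
```

Any record the script lists is one the registrar should be asked to remove, while the DS Cloudflare hands out must appear in the parent exactly as computed here.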
