By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Disable Hosted ZOne with DNSSEC

0

I registered the domain 'learncheap.net' through Lightsail. I wan to diable DNSSEC so that I can remove this hosted zone and domain from my account as I no longer need them. I can't find the DS records anyware though DIG still reports them. I still get the error "(KeySigningKeyInParentDSRecord 400: Disabling DNSSEC in hosted zone 'learncheap.net.' will break the authentication chain. Please remove DS records in the parent zone first."

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> +dnssec learncheap.net DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49262
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;learncheap.net.                        IN      DS

;; AUTHORITY SECTION:
net.                    331     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1690610910 1800 900 604800 86400
net.                    331     IN      RRSIG   SOA 8 1 900 20230805060830 20230729045830 39455 net. fG4p2Q4ki7YblIAbcum8dnSs7aUOTQK1O2OQK7Q6ZW8FkNwPQr0GysTv t+t5UTwsAtH8D5Q+w7pSeiErH9xapfKvio8WSoPWu2N0RzwNaLEGRlsR QnL4rhrKVz2Drm4s067WU6BsPSKEbCn+f+OS1a/lwmUbqcn9VpPPHqKP Tbz4+tUY1ZC3iIAk84kcYtc7BoKD0q4w7GGjG7fim1141A==
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 85831 IN NSEC3 1 1 0 - A1RTLNPGULOGN7B9A62SHJE1U3TTP8DR NS SOA RRSIG DNSKEY NSEC3PARAM
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 85831 IN RRSIG NSEC3 8 2 86400 20230802064211 20230726053211 39455 net. pAPPtx65plnOkHoxekPDB2leHNYPrVGbGpokrYFssDR6J+EEv3eV4Scx wWKh4vDh64ctycZwxSTBWg38y4zKaaAS5PuXnm+OfV1h7BHi8yQDx+sE ma3ZyK/fReRxu20hnSAONqzQMckZC+6h440PUsdJG/rcIMapppbMCJcu 7lEJ75lrLXIFNwYkW+o4aERr5ChmkQccSyUcwpq6/KN9xg==
i796jgjsplqt74pr5der1ttv6sn0376m.net. 85831 IN NSEC3 1 1 0 - I798MSCRIGOTULQ1PRELSD5NFKCBDA6L NS DS RRSIG
i796jgjsplqt74pr5der1ttv6sn0376m.net. 85831 IN RRSIG NSEC3 8 2 86400 20230805055540 20230729044540 39455 net. B6SWC3cG8dzJx3Zf69SuXkurwhdZsnknfKdgcq1mGeS2w4FfNLOlv49s kMaS3YgQd4pJEQmzXYgdBRNjZLlRYoyAlPmoJsA4cnH1Xaaa6wDFK/Tp ZTDyTqoevNxKYFWG/2CyrM86EEaU8WSc+Aooy/RQIRwsBzxMq22vLH2e BZ6zwbsBPvqEQ+zyv5L7UGaLlSFTTzK6s/jClpD81d9PsA==

;; Query time: 40 msec
;; SERVER: 172.22.176.1#53(172.22.176.1) (UDP)
;; WHEN: Sat Jul 29 09:18:16 IDT 2023
;; MSG SIZE  rcvd: 860
Topics
ComputeNetworking & Content Delivery
Tags
Amazon LightsailAmazon Route 53Route 53 Registrar
Language
English
yoel
asked 9 months ago287 views
1 Answer
0

I checked that domain on this site and it says DS record not found.
Are you creating a host zone with Route53 or something else instead of a Lightsail host zone?
In the case of Route53, it should be possible to register a DS record, so is there any possibility that it might be left there?
https://dnssec-analyzer.verisignlabs.com/learncheap.net

profile picture
EXPERT
Riku_Kobayashi
answered 9 months ago
  • yoel
    9 months ago

    I got an email from AWS saying they got a request to remove dnssec from my account. After seeing that email I was able to remove the KSK and disable DNSSEC.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content