DS record with DNS name ex.com not permitted in zone ex.com. Why?

0

When I attempt to create a DS record to establish a chain of trust (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-enable-signing.html?icmpid=docs_console_unmapped#dns-configuring-dnssec-chain-of-trust), I get an error that I can't understand. The DS key appears to be correct. I'm not sure why it won't let me create it.

My full error:

Error occurred
Bad request.
(InvalidChangeBatch 400: RRSet of type DS with DNS name example.com. is not permitted in zone example.com.)

asked 4 years ago, 1425 views
2 Answers
1

The DS record for example.com. goes in the com. zone. Your domain registrar will have somewhere to enter it.

If your domain registrar is Amazon, you'll have to use the domain management interface, not the DNS interface.

answered 4 years ago
0

Domain Management Interface for the win! In R53, in whichever AWS account the domain is registered: R53 -> Registered Domains -> Select domain -> DNSSEC keys -> Add key

For me, I registered the domain in my management account and manage my DNS in another account (another hosted zone in another account). I enabled DNSSEC where I manage DNS then added the key in the management account.

answered 4 months ago
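Both answers come down to the same thing: the DS record is a digest of the child zone's KSK and lives in the parent zone, so the value you paste into the registrar's DNSSEC page must be derived from the DNSKEY that Route 53 is actually signing with. The following is an added example, not code from the thread or from AWS, that computes a DS record from a DNSKEY the way RFC 4034 specifies (canonical owner name plus DNSKEY RDATA, hashed with the DS digest type) and checks whether a DS string as published in the parent matches. The KSK bytes, flags and algorithm number in the usage section are constructed placeholders.

```python
import base64
import hashlib
import struct

# DS digest types in use: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, e.g. b'\\x07example\\x03com\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS record of this DNSKEY.
    The digest covers the canonical owner name immediately followed by the DNSKEY RDATA."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return key_tag(rdata), rdata[3], digest_type, h.hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, published_ds: str) -> bool:
    """True if a DS in presentation form ('<tag> <alg> <dtype> <hex>'), as published in the
    parent zone, was derived from this DNSKEY. Whitespace inside the hex digest is tolerated."""
    fields = published_ds.split()
    tag, alg, dtype = (int(f) for f in fields[:3])
    digest = "".join(fields[3:]).upper()
    if dtype not in DIGEST_ALGS:
        return False
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest)


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 13, placeholder key bytes
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))
    tag, alg, dtype, digest = make_ds("example.com.", ksk)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")  # what the registrar should hold
    print("DNSKEY base64:", base64.b64encode(ksk[4:]).decode())
```

To use it against a real zone, take the flags/algorithm/key from the KSK's DNSKEY record in the child zone and compare the computed DS with the one shown at the registrar; a mismatch means the parent points at a key the child is not publishing.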
