Screwed up Hosted Zone (DNSSEC?)


I have a Hosted Zone that I am unable to resolve to. I think I badly hosed the DNSSEC setup but I don't know how to recover it. I deleted the DNSSEC key from the domain record, and now I am trying to deactivate the KSK so that I can delete it and then disable DNSSEC. When I try to deactivate the KSK I get the following:

Bad request. (KeySigningKeyInParentDSRecord 400: Due to DNS lookup failure, we cannot determine if deactivating Key Signing Key with name:'KSKNAME' will break the authentication chain. Please retry later.)

Any thoughts on how to fix this?

  • I think part of the problem is that I have a KSK that is also being used by another Hosted Zone (that was a mistake as I was entering the KSK). Is there a way to BYPASS the validations and simply deactivate or delete this KSK?

  • AWS has a new Route53 console, and some options are missing compared to the old one.

    If you "Switch to old console" at the bottom left (while it is still available), there is a link "Manage keys" under "DNSSEC status" for your registered domain; the documentation was not updated for the new console.

    I also added a DS record with KSK and other details as shown in "View information to create DS record". I was able to recover mine by removing DS records created by the previous registrar. That allowed the KSK record to be resolved, and everything fell into place.

    Troubleshooting tools I used: https://dnsviz.net and https://dnssec-analyzer.verisignlabs.com

MG
asked 5 months ago · 66 views
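The error in the question and the fix in the comment both come down to one check: is the KSK you want to deactivate still referenced by a DS record published in the parent zone? Route 53 refuses to guess when its own lookup fails, but you can do the comparison yourself offline. The script below is an added example, not code from the thread's participants or from AWS: it rebuilds a DS record (key tag per RFC 4034 Appendix B, digest type 2 = SHA-256 over the canonical owner name plus the DNSKEY RDATA) from a DNSKEY and tests it against whatever DS records the parent serves. The zone name, flags and the 64-byte public key are constructed sample values, not a real key.

```python
"""Check whether a KSK is still referenced by a DS record in the parent zone,
by recomputing the DS (key tag + SHA-256 digest, RFC 4034) from the DNSKEY.
Added example with constructed sample data; no network access needed."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase labels, RFC 4034 s6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS record the parent would have to publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_sha256(owner, rdata)}


def ksk_in_parent_ds(parent_ds: list, owner: str, flags: int, protocol: int,
                     algorithm: int, pubkey: bytes) -> bool:
    """True if any DS record served by the parent was derived from this key.

    If True, deactivating or deleting the KSK breaks the chain of trust until
    that DS is removed at the registrar (the situation described in the thread);
    if False, the key is unreferenced and can be deactivated safely."""
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey)
    for ds in parent_ds:
        if (ds["key_tag"] == expected["key_tag"]
                and ds["algorithm"] == expected["algorithm"]
                and ds["digest_type"] == 2
                and ds["digest"].upper() == expected["digest"]):
            return True
    return False


# Constructed sample: a KSK (flags 257, protocol 3) using algorithm 13
# (ECDSAP256SHA256) with a fake 64-byte public key. Not a real key.
ZONE = "example.com."
SAMPLE_PUBKEY = bytes(range(64))

if __name__ == "__main__":
    ds = ds_from_dnskey(ZONE, 257, 3, 13, SAMPLE_PUBKEY)
    print(f"DS for {ZONE}: {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
    # Parent still publishes the DS for this key: deactivation would break validation.
    print("referenced by parent:", ksk_in_parent_ds([ds], ZONE, 257, 3, 13, SAMPLE_PUBKEY))
    # Parent publishes no DS at all: the KSK is safe to deactivate and delete.
    print("referenced by parent:", ksk_in_parent_ds([], ZONE, 257, 3, 13, SAMPLE_PUBKEY))
```

In practice the `parent_ds` list comes from `dig DS <zone>` against the parent's name servers and the DNSKEY fields from `dig DNSKEY <zone> +multi` (base64-decode the key material); the values Route 53 shows under "View information to create DS record" must match what this script computes, and dnsviz.net renders the same comparison graphically. A DS left behind by a previous registrar, as in the comment above, shows up here as a record that matches no current DNSKEY.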
No Answers
