I found my error in AWS Route 53 "Domains" "Registered domains" DNSSEC.
To address my error, I updated the DNSSEC and inserted the hosted zone DNSSEC key-signing key (KSK) public key into the "Domains" "Registered domains" DNSSEC.
I see that you have DNSSEC enabled on your domain. If you use DNSSEC with a domain and you transfer the domain registration to Route 53, you must disable DNSSEC at the former registrar first. Then, after you transfer the domain registration, take steps to set up DNSSEC for the domain in Route 53.
[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-to-route-53.html
If you transfer a domain registration to Route 53 while DNSSEC is configured, the DNSSEC public keys are transferred too, and as a result the chain of trust is broken. You can confirm the DNSSEC issue on these platforms:
[+] https://dnsviz.net/
[+] https://dnssec-analyzer.verisignlabs.com/
To resolve this issue, disable DNSSEC on the domain registrar level (which will remove the DS record from the parent) and then enable it again along with the Route 53 hosted zone.
To disable DNSSEC on the domain, you need to delete the DNSSEC keys from the domain. For instructions on how to delete public keys for a Route 53 domain please go through this document -
Once you disable DNSSEC, you can enable it again following this article (make sure DNSSEC signing is enabled on the hosted zone as well) -
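
An added example (not part of the original answers, and not AWS code) of the check behind the broken chain of trust discussed above: the DS record published through the registrar must match a KSK that the hosted zone actually serves. The zone name and both public keys are constructed sample values, and algorithm 13 with SHA-256 digests is an assumption.

```python
import base64, hashlib, struct

def name_to_wire(name):
    # Canonical lower-case wire form of the owner name (RFC 4034, section 6.2).
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    # DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key.
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    # Key tag checksum from RFC 4034, Appendix B.
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata):
    # DS fields for a DNSKEY, digest type 2: SHA-256(owner wire name | RDATA).
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_of_trust_ok(owner, parent_ds_set, zone_dnskeys):
    # Valid only if some DS at the parent matches a KSK (SEP bit set) in the zone.
    ksk_ds = {make_ds(owner, k) for k in zone_dnskeys if k[1] & 1}
    return any(tuple(ds) in ksk_ds for ds in parent_ds_set)

# Constructed sample data: hypothetical zone and two made-up 64-byte public keys.
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))))
STALE_DS = [make_ds(ZONE, OLD_KSK)]   # what the registrar still publishes
FIXED_DS = [make_ds(ZONE, NEW_KSK)]   # after inserting the hosted zone's KSK

if __name__ == "__main__":
    print("stale DS vs hosted zone KSK:", chain_of_trust_ok(ZONE, STALE_DS, [NEW_KSK]))
    print("fixed DS vs hosted zone KSK:", chain_of_trust_ok(ZONE, FIXED_DS, [NEW_KSK]))
```

A validating resolver treats the stale case as bogus and returns SERVFAIL, which is why the domain stops resolving until the DS at the parent is replaced or removed.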