Screwed up Hosted Zone (DNSSEC?)

0

I have a Hosted Zone that I am unable to resolve to. I think I badly hosed the DNSSEC setup but I don't know how to recover it. I deleted the DNSSEC key from the domain record, and now I am trying to deactivate the KSK so that I can delete it and then disable DNSSEC. When I try to deactivate the KSK I get the following:

Bad request. (KeySigningKeyInParentDSRecord 400: Due to DNS lookup failure, we cannot determine if deactivating Key Signing Key with name:'KSKNAME' will break the authentication chain. Please retry later.)

Any thoughts on how to fix this?

  • I think part of the problem is that I have a KSK that is also being used by another Hosted Zone (that was a mistake as I was entering the KSK). Is there a way to BYPASS the validations and simply deactivate or delete this KSK?

  • AWS has a new Route53 console, and some options are missing compared to the old one.

    If you "Switch to old console" on the bottom left until it is available, there is a link "Manage keys" under "DNSSEC status" for your registered domain - the documentation was not updated for the new console.

    I also added a DS record with KSK and other details as shown in "View information to create DS record". I was able to recover mine by removing DS records created by the previous registrar. That allowed the KSK record to be resolved, and everything fell into place.

    Troubleshooting tools I used: https://dnsviz.net https://dnssec-analyzer.verisignlabs.com

MG
Asked 5 months ago, 67 views
No answers
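
The recovery described in the comment above came down to DS records at the parent that no longer matched any key in the zone. The following is an added example, not part of the original thread, that finds such stale DS records offline by recomputing the key tag and SHA-256 digest from the zone's DNSKEY data. The owner name and key bytes are constructed placeholders; in practice the inputs would come from a DS query at the parent and a DNSKEY query at the zone.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def find_stale_ds(owner, parent_ds, zone_dnskeys):
    """Return parent DS records (digest type 2) that match no DNSKEY in the zone."""
    valid = {ds_for(owner, rdata) for rdata in zone_dnskeys}
    return [ds for ds in parent_ds
            if ds[2] == 2 and (ds[0], ds[1], ds[2], ds[3].lower()) not in valid]

# Constructed sample data: placeholder key bytes, algorithm 13, flags 257 (KSK).
OWNER = "example.com."
CURRENT_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
# The parent still lists a DS for the old key next to the DS for the current one.
PARENT_DS = [ds_for(OWNER, OLD_KSK), ds_for(OWNER, CURRENT_KSK)]

if __name__ == "__main__":
    for tag, alg, dtype, digest in find_stale_ds(OWNER, PARENT_DS, [CURRENT_KSK]):
        print(f"stale DS: key tag {tag}, algorithm {alg}, digest {digest[:16]}...")
```

Only digest type 2 (SHA-256) is checked; DS records with other digest types are skipped rather than reported.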
