Announcing Amazon Route 53 support for DNSSEC

Posted on: Dec 17, 2020

Today, Amazon Web Services announced the launch of Domain Name System Security Extensions (DNSSEC) for Amazon Route 53. You can now enable DNSSEC signing for all existing and new public hosted zones, and enable DNSSEC validation for Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP.

When you enable DNSSEC signing on a hosted zone, Route 53 cryptographically signs each record in that hosted zone. Route 53 manages the zone-signing key, and you can manage the key-signing key in AWS Key Management Service (AWS KMS). Amazon’s domain name registrar, Route 53 Domains, already supports DNSSEC, and customers can now register domains and host their DNS on Route 53 with DNSSEC signing enabled.

When you enable DNSSEC validation on the Route 53 Resolver in your VPC, it ensures that DNS responses have not been tampered with in transit. DNSSEC validation is available in all AWS regions where the Route 53 Resolver is available.

You can enable DNSSEC signing and DNSSEC validation using the Route 53 API or the Route 53 console. To learn more about Amazon Route 53 DNSSEC, see the documentation and Amazon Route 53 product page.