Tags: dns, amazon-route53, dnssec, powerdns

Amazon Route 53 DNSSEC support


We are trying to decide which DNS hosting solution to use. Today we use PowerDNS and we want to move to a hosted DNS solution. The best solution for us would be using Amazon's Route 53 for this. We are mandated to use DNSSEC for our DNS solution and I have been trying to understand what Amazon's DNS supports and what it doesn't.

Amazon's site says:

Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider.

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

Can anyone explain what this means? In particular, what is supported and what isn't, and what does using another DNS service provider for a domain that is registered with Route 53 mean?


Solution

  • Route 53 offers two¹ different services:

    • a DNS hosting provider, providing authoritative DNS hosting in hosted zones
    • a domain registrar, allowing you to register new domains for use on the Internet (or transfer the registration of existing domains so that your annual registration fees are consolidated into your AWS account bill)

    Those two services have no necessary connection to each other. You can register a domain with any accredited registrar (for example, let's say GoDaddy), and still host the DNS with Route 53... or you can register a domain with Route 53 and still host the DNS elsewhere (for example, let's say Dyn)... or you can use Route 53 for both services, since they are independent.

    Amazon Route 53 supports DNSSEC for domain registration

    So, if you register a domain with the Route 53 Registrar, it can be configured to use DNSSEC...

    but does not support DNSSEC for DNS service.

    ...but not if you use Route 53 hosted zones for authoritative DNS hosting, which does not support DNSSEC, regardless of who the registrar is.

    Therefore...

    If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider

    ...to host your authoritative DNS records. You can't use a Route 53 hosted zone with DNSSEC.


    ¹ two different services that are relevant here. The emphasis is intended to be on different, because many other service providers blur the distinction between domain registration and authoritative DNS hosting to the point that many users seem unaware that they can almost always be decoupled, in at least one direction, regardless of the providers in question. Also under the "Route 53" banner are other services like Route 53 Resolver (which deals primarily with recursive querying in VPC and/or on-premise) and Route 53 Health Checks (which can be used as a basis for DNS failover as well as for other health-checking and latency-measuring purposes that can be but aren't necessarily even DNS related).
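The answer above turns on one fact that is easy to lose in a provider's console: the DS record set lives at the parent zone and is published through the registrar, while the DNSKEY/RRSIG record sets are served by whoever hosts the zone. If only one side is configured, validating resolvers will either treat the zone as unsigned or fail it outright. The following is an added example, not code from the question, the answer or AWS: it computes the DS digest for a DNSKEY the way a parent would (RFC 4034, SHA-256 digest type) and classifies the registrar/host combination. The owner name, key bytes and record sets are constructed sample data, not records of any real zone; a practitioner would replace them with the output of `dig DS <zone>` at the parent and `dig DNSKEY <zone>` at the hosting provider.

```python
"""Check whether a zone's DNSSEC chain of trust is complete.

Added example (not from the original post). It models the two halves the
answer distinguishes: DS at the parent (registrar side) and DNSKEY at the
zone (hosting side). All inputs below are constructed sample values.
"""
import base64
import hashlib


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return (flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, algorithm: int, key_b64: str):
    """DS RR fields (key tag, algorithm, digest type 2, SHA-256 hex) that the
    parent should publish for this DNSKEY (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, algorithm, key_b64)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def chain_status(owner, dnskeys, ds_records) -> str:
    """Classify the registrar/host combination.

    dnskeys:    [(flags, algorithm, key_b64), ...] as served by the DNS host.
    ds_records: [(key_tag, algorithm, digest_type, digest_hex), ...] at the parent.
    """
    if not ds_records and not dnskeys:
        return "unsigned"
    if ds_records and not dnskeys:
        # Registrar published DS, but the hosting provider serves no keys:
        # validating resolvers will return SERVFAIL for the whole zone.
        return "broken: DS at parent but host serves no DNSKEY"
    if dnskeys and not ds_records:
        # Zone is signed but nothing at the parent vouches for it.
        return "island: zone signed but no DS at parent"
    ksks = [k for k in dnskeys if k[0] & 0x0001]  # SEP bit set -> KSK
    for flags, alg, key in ksks:
        tag, _, _, digest = ds_from_dnskey(owner, flags, alg, key)
        for ds_tag, ds_alg, ds_type, ds_digest in ds_records:
            if ds_type != 2:
                continue  # only SHA-256 DS handled in this example
            if (ds_tag, ds_alg, ds_digest.lower()) == (tag, alg, digest):
                return "ok"
    return "broken: no DS matches a KSK"


# Constructed sample KSK: 64 placeholder bytes, NOT a real public key.
SAMPLE_ZONE = "example.com."
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = (257, 13, SAMPLE_KSK_B64)  # flags 257 = ZONE + SEP, alg 13 = ECDSAP256SHA256


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_ZONE, *SAMPLE_KSK)
    print("parent should publish DS:", ds)
    print("both sides configured:  ", chain_status(SAMPLE_ZONE, [SAMPLE_KSK], [ds]))
    print("registrar only:         ", chain_status(SAMPLE_ZONE, [], [ds]))
    print("host only:              ", chain_status(SAMPLE_ZONE, [SAMPLE_KSK], []))
```

The "registrar only" case is the one to watch for when the registrar and the hosting provider are different companies: enabling DNSSEC on the registration side publishes a DS record, and if the hosting side is not actually signing the zone, resolvers that validate will stop resolving the domain.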