DNSSEC, Cloudflare and Route 53

Domain is registered with Route 53
DNS is being provided by Cloudflare (name servers in Route 53 point to CloudFlare)

  1. Enable DNS SEC on Cloudflare (this might take 10 minutes to an hour). Been 48 hours and still says in Setup mode. I thought the DS would be added to the “Registrar?” which I thought to be CF since it’s hosting the domain.

  2. Route 53 has the option to add DNS SEC Keys but always fails. Maybe because it doesn’t see the DS at Cloudflare? Not sure.

  3. Adding the DS record in CF does not seem to help.

Checking with the various DNSSEC services yields the same results.

There is no DS record found for the domain.

Maybe this setup just isn’t supported. Seems like Route53 for as big as it is, doesn’t think DNS SEC is really all that useful as they don’t even bother to support it natively.

Am I incorrect in assuming that CF is going to add this DS record for me because the domain is technically registered at Route 53? Even though name service is being pointed to CF and the website is using the CF name servers?

From all accounts, it does appear I am using the domain name service provided by CF which should work.

What’s your domain?

The DS record has to be set at your registrar, just like how you had to set the nameservers.

Route 53’s registrar service supports setting DS records.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

There’s work on automating DS record setup, but there isn’t much deployed yet.

Edit:

By the way, if you want the domain to work 100% today, you should wait at least 24 hours after enabling DNSSEC on Cloudflare before setting the DS record – long enough for the unsigned records to have expired from resolvers’ caches.

It might very well be that it’s not a Hosted Zone in Route 53 … so editing records isn’t an option until you created the hosted zone. Then you add and update records.

Might be I need to make this registered domain a hosted zone in Route 53 and go from there.

It would be on the only way to setup a DS record at the actual register of that domain.

Thank you for this. I think you’re right and I need a hosted zone.

If you’re using Cloudflare as your DNS service, you don’t need a hosted zone on Route 53. It wouldn’t be used.

The Route 53 Registrar DS record settings are separate from the Route 53 DNS service.

1 Like