
ANS-C01: Enabling Data Security for Domain Names on AWS Route 53 using DNSSEC with AWS CloudWatch Alerts

Learn how to implement DNSSEC signing across multiple public domains on Route 53 for authentication and integrity, and setup CloudWatch alarms for alerts on any DNSSEC errors.


Question

An ecommerce company needs to implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company’s new policy requires data authentication and data integrity verification for all queries to the company’s domain names. The current Route 53 architecture has four public hosted zones.

A network engineer needs to implement DNS Security Extensions (DNSSEC) signing and validation on the hosted zones. The solution must include an alert capability.

Which combination of steps will meet these requirements? (Choose three.)

A. Enable DNSSEC signing for Route 53. Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
B. Enable DNSSEC signing for Route 53. Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
C. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record for each subdomain.
D. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record to the parent zone.
E. Set up an Amazon CloudWatch alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.
F. Set up an AWS CloudTrail alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.

Answer

A. Enable DNSSEC signing for Route 53. Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
B. Enable DNSSEC signing for Route 53. Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
E. Set up an Amazon CloudWatch alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.

Explanation

Enabling DNSSEC signing and requesting that Route 53 create the KSK and ZSK keys based on an AWS KMS customer managed key meets the policy requirement for data authentication and data integrity verification.

Creating a chain of trust is not required, as enabling DNSSEC signing already handles the chain of trust.

Setting a CloudWatch alarm on the DNSSEC error metrics meets the alert capability requirement, providing notifications on any signing issues. CloudTrail is not required because the alarms are based on DNS service metrics rather than on API calls.

Together these three options fully satisfy all requirements around implementing and monitoring DNSSEC across the hosted zones.
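The KSK-from-KMS and CloudWatch-alarm steps above, as an added example that is not part of the original page or of any AWS sample: the code builds and sanity-checks the configuration pieces you would pass to boto3 (kms.create_key / kms.put_key_policy for the signing key, route53.create_key_signing_key and route53.enable_hosted_zone_dnssec for each zone, cloudwatch.put_metric_alarm for the two DNSSEC metrics) without calling AWS. The account ID, the four hosted zone IDs, the key ARN and the SNS topic are constructed sample values; the key-policy statements and the metric names follow the Route 53 DNSSEC documentation.

```python
"""Added example (not from the original page): assemble and validate the
AWS configuration behind Route 53 DNSSEC signing with a KMS-backed KSK and
CloudWatch alerting. Nothing here talks to AWS; the returned dicts are the
parameters for the boto3 calls named in the comments."""
import json

ACCOUNT_ID = "111122223333"                        # constructed sample
HOSTED_ZONES = ["Z0001EXAMPLE", "Z0002EXAMPLE",    # constructed sample IDs
                "Z0003EXAMPLE", "Z0004EXAMPLE"]
ALARM_TOPIC = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:dnssec-alerts"  # sample
DNSSEC_METRICS = ("DNSSECInternalFailure", "DNSSECKeySigningKeysNeedingAction")


def kms_key_policy(account_id):
    """Key policy for the KSK key (kms.put_key_policy): the account keeps
    admin control, and the Route 53 DNSSEC service principal may only
    describe, read the public key of, and sign with the key on behalf of
    hosted zones in this account (scoped by SourceAccount / SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowRoute53DNSSECService", "Effect": "Allow",
             "Principal": {"Service": "dnssec-route53.amazonaws.com"},
             "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"],
             "Resource": "*",
             "Condition": {
                 "StringEquals": {"aws:SourceAccount": account_id},
                 "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}}},
            {"Sid": "AllowRoute53DNSSECCreateGrant", "Effect": "Allow",
             "Principal": {"Service": "dnssec-route53.amazonaws.com"},
             "Action": "kms:CreateGrant", "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
        ],
    }


def validate_ksk_key(meta):
    """Return the reasons a KMS key cannot back a Route 53 KSK (empty list
    if it can). `meta` mirrors kms.describe_key()['KeyMetadata'] fields plus
    the region the key lives in. Route 53 requires an enabled asymmetric
    ECC_NIST_P256 SIGN_VERIFY key in us-east-1."""
    problems = []
    if meta.get("region") != "us-east-1":
        problems.append("key must be in us-east-1")
    if meta.get("KeySpec") != "ECC_NIST_P256":
        problems.append("KeySpec must be ECC_NIST_P256")
    if meta.get("KeyUsage") != "SIGN_VERIFY":
        problems.append("KeyUsage must be SIGN_VERIFY")
    if meta.get("KeyState") != "Enabled":
        problems.append("key must be Enabled")
    return problems


def ksk_plan(zone_id, key_arn, name="ksk1"):
    """Parameters for route53.create_key_signing_key on one hosted zone;
    route53.enable_hosted_zone_dnssec(HostedZoneId=zone_id) follows it."""
    return {
        "CallerReference": f"{zone_id}-{name}",
        "HostedZoneId": zone_id,
        "KeyManagementServiceArn": key_arn,
        "Name": name,
        "Status": "ACTIVE",
    }


def dnssec_alarms(zone_ids, topic_arn):
    """One cloudwatch.put_metric_alarm parameter set per zone per metric.
    Route 53 publishes these metrics in us-east-1 under AWS/Route53 with a
    HostedZoneId dimension; any value >= 1 means signing is failing or a
    KSK needs operator action, so the alarm notifies the SNS topic."""
    alarms = []
    for zone_id in zone_ids:
        for metric in DNSSEC_METRICS:
            alarms.append({
                "AlarmName": f"route53-{zone_id}-{metric}",
                "Namespace": "AWS/Route53",
                "MetricName": metric,
                "Dimensions": [{"Name": "HostedZoneId", "Value": zone_id}],
                "Statistic": "Maximum",
                "Period": 300,
                "EvaluationPeriods": 1,
                "Threshold": 1,
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "TreatMissingData": "notBreaching",
                "AlarmActions": [topic_arn],
            })
    return alarms


if __name__ == "__main__":
    key_arn = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"  # sample
    sample_meta = {"region": "us-east-1", "KeySpec": "ECC_NIST_P256",
                   "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"}
    print("key problems:", validate_ksk_key(sample_meta))
    print(json.dumps(kms_key_policy(ACCOUNT_ID), indent=2))
    for zone in HOSTED_ZONES:
        print(ksk_plan(zone, key_arn))
    print(len(dnssec_alarms(HOSTED_ZONES, ALARM_TOPIC)), "alarm definitions")
```

Run `validate_ksk_key` against the real `describe_key` output before creating the KSK: a key in the wrong region or with the wrong spec is the most common reason `create_key_signing_key` fails. The alarms use `Maximum` over a 5-minute period with `notBreaching` for missing data, so a healthy zone that emits no data points stays green while a single failure data point raises the alert.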
