Enable DNSSEC Signing for Route 53 Hosted Zones

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Route53-012

Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 public hosted zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC signing is not enabled for Route 53 hosted zones.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Domain Name System Security Extensions (DNSSEC) is a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name into its associated IP address is extremely important for web security today. Attackers can hijack the domain/IP lookup process and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. The DNSSEC security feature helps mitigate the risk of such attacks by cryptographically signing DNS records (DNSSEC provides authenticity and integrity, not confidentiality; the records themselves are not encrypted). As a result, validating resolvers can reject forged DNS responses that would otherwise misdirect web clients to fake, fraudulent, or scam websites. When you enable DNSSEC signing on a public hosted zone, Route 53 cryptographically signs each DNS record in that hosted zone. Amazon Route 53 manages the Zone Signing Key (ZSK), and you can manage the Key Signing Key (KSK) in AWS Key Management Service (KMS).


Audit

To determine if DNSSEC signing is enabled for your Amazon Route 53 public hosted zones, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the public hosted zone that you want to examine. A public Route 53 hosted zone has the Type set to Public.

05 Select the DNSSEC signing tab and check the DNSSEC signing status available within the DNSSEC signing section. If the DNSSEC signing status is set to Not signing, the Domain Name System Security Extensions (DNSSEC) signing is not enabled for the selected Amazon Route 53 hosted zone.

06 Repeat steps no. 4 and 5 for each public hosted zone created with Amazon Route 53 service.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to list the IDs of all the DNS hosted zones created within your AWS cloud account:

aws route53 list-hosted-zones

02 The command output should return an array with all the Amazon Route 53 hosted zones (public or private) created in your AWS account, including each hosted zone's ID. A public DNS hosted zone has the "Config.PrivateZone" configuration attribute set to false, e.g.:

{
	"HostedZones": [
		{
			"ResourceRecordSetCount": 6,
			"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"Config": {
				"Comment": "",
				"PrivateZone": false
			},
			"Id": "/hostedzone/ABCDABCDABCDABCDABCD",
			"Name": "cloudconformity.com."
		}
	]
}

03 Run get-dnssec command (OSX/Linux/UNIX) using the ID of the public Route 53 hosted zone that you want to examine as the identifier parameter, together with a custom query filter, to describe the DNSSEC signing status of the selected hosted zone:

aws route53 get-dnssec \
  --hosted-zone-id "/hostedzone/ABCDABCDABCDABCDABCD" \
  --query "Status.ServeSignature"

04 The command output should return the DNSSEC signing status:

"NOT_SIGNING"

If the get-dnssec command output returns "NOT_SIGNING", as shown in the example above, Domain Name System Security Extensions (DNSSEC) signing is not enabled for the selected Amazon Route 53 hosted zone. If the command output returns "INTERNAL_FAILURE", see "StatusMessage" for information about the steps that you can take to correct the problem.

05 Repeat step no. 3 and 4 for each public hosted zone created with Amazon Route 53 within your AWS cloud account.
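The CLI steps above, turned into a script that can be run against a whole account, as an added example that is not part of the original Conformity page: it reads the list-hosted-zones output, skips private zones, queries get-dnssec for each public zone and reports every zone that is NOT_SIGNING, in INTERNAL_FAILURE, or signing without an ACTIVE key-signing key. The hosted zone IDs other than the page's ABCDABCDABCDABCDABCD and all get-dnssec responses are constructed sample data; cli_get_dnssec shows how to plug in the real AWS CLI instead.

```python
import json
import subprocess

# Constructed sample of `aws route53 list-hosted-zones` output (not real account data):
# an unsigned public zone, a private zone, a signed public zone, and a public zone
# whose signing is in INTERNAL_FAILURE.
LIST_HOSTED_ZONES_OUTPUT = json.dumps({
    "HostedZones": [
        {"Id": "/hostedzone/ABCDABCDABCDABCDABCD", "Name": "cloudconformity.com.",
         "Config": {"Comment": "", "PrivateZone": False}, "ResourceRecordSetCount": 6},
        {"Id": "/hostedzone/PRIVATEZONE000000001", "Name": "corp.internal.",
         "Config": {"PrivateZone": True}, "ResourceRecordSetCount": 3},
        {"Id": "/hostedzone/SIGNEDZONE0000000001", "Name": "signed.example.",
         "Config": {"PrivateZone": False}, "ResourceRecordSetCount": 12},
        {"Id": "/hostedzone/FAILEDZONE0000000001", "Name": "failed.example.",
         "Config": {"PrivateZone": False}, "ResourceRecordSetCount": 2},
    ]
})

# Constructed per-zone `aws route53 get-dnssec` outputs, keyed by hosted zone ID.
GET_DNSSEC_OUTPUTS = {
    "/hostedzone/ABCDABCDABCDABCDABCD": {
        "Status": {"ServeSignature": "NOT_SIGNING"}, "KeySigningKeys": []},
    "/hostedzone/SIGNEDZONE0000000001": {
        "Status": {"ServeSignature": "SIGNING"},
        "KeySigningKeys": [{"Name": "cc-ksk-key", "Status": "ACTIVE"}]},
    "/hostedzone/FAILEDZONE0000000001": {
        "Status": {"ServeSignature": "INTERNAL_FAILURE",
                   "StatusMessage": "constructed: KMS key policy denies dnssec-route53.amazonaws.com"},
        "KeySigningKeys": [{"Name": "cc-ksk-key", "Status": "INTERNAL_FAILURE"}]},
}


def cli_get_dnssec(zone_id: str) -> dict:
    """Fetch the live status with the AWS CLI (audit step 03); not used by the offline demo."""
    out = subprocess.check_output(
        ["aws", "route53", "get-dnssec", "--hosted-zone-id", zone_id, "--output", "json"])
    return json.loads(out)


def audit_dnssec(list_output: str, get_dnssec) -> list:
    """Return one finding per public hosted zone whose DNSSEC signing is not healthy.

    get_dnssec(zone_id) must return the parsed get-dnssec output for that zone:
    cli_get_dnssec for a live account, or a dict lookup for the constructed sample.
    """
    findings = []
    for zone in json.loads(list_output)["HostedZones"]:
        if zone.get("Config", {}).get("PrivateZone", False):
            continue  # rule Route53-012 applies to public hosted zones only
        dnssec = get_dnssec(zone["Id"])
        status = dnssec.get("Status", {})
        serve = status.get("ServeSignature")
        active_ksks = [k["Name"] for k in dnssec.get("KeySigningKeys", [])
                       if k.get("Status") == "ACTIVE"]
        if serve == "SIGNING" and active_ksks:
            continue  # compliant: signing with at least one ACTIVE key-signing key
        if serve == "INTERNAL_FAILURE":
            reason = status.get("StatusMessage", "no StatusMessage returned")
        elif serve == "SIGNING":
            reason = "signing but no ACTIVE key-signing key"
        else:
            reason = "DNSSEC signing is not enabled"
        findings.append({"zone_id": zone["Id"], "name": zone["Name"],
                         "status": serve, "reason": reason})
    return findings


def run_sample() -> list:
    """Run the audit against the constructed sample data (works offline)."""
    return audit_dnssec(LIST_HOSTED_ZONES_OUTPUT, lambda zone_id: GET_DNSSEC_OUTPUTS[zone_id])


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['name']} ({finding['zone_id']}): "
              f"{finding['status']} - {finding['reason']}")
```

For a live account, replace the lambda in run_sample with cli_get_dnssec and feed it the output of `aws route53 list-hosted-zones`; private zones are skipped before get-dnssec is called, so no request is made for them.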

Remediation / Resolution

To enable Domain Name System Security Extensions (DNSSEC) signing for your Amazon Route 53 public hosted zones, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeyUsage": "SIGN_VERIFY",
				"KeySpec": "ECC_NIST_P256",
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "dnssec-route53.amazonaws.com"
							},
							"Action": [
								"kms:DescribeKey",
								"kms:GetPublicKey",
								"kms:Sign",
								"kms:Verify"
							],
							"Resource": "*"
						},
						{
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/route53-manager"
							},
							"Action": "kms:*",
							"Resource": "*"
						}
					]
				}
			}
		},
		"Route53HostedZone": {
			"Type": "AWS::Route53::HostedZone",
			"Properties": {
				"HostedZoneConfig": {
					"Comment": "Route53 public hosted zone for domain.com"
				},
				"Name": "domain.com",
				"HostedZoneTags": [
					{
						"Key": "Owner",
						"Value": "IT"
					}
				]
			}
		},
		"Route53KeySigningKey": {
			"Type": "AWS::Route53::KeySigningKey",
			"Properties": {
				"Name": "cc-route53-ksk",
				"Status": "ACTIVE",
				"HostedZoneId": {
					"Ref": "Route53HostedZone"
				},
				"KeyManagementServiceArn": {
					"Fn::GetAtt": ["KMSKEY", "Arn"]
				}
			}
		},
		"Route53DNSSEC": {
			"Type": "AWS::Route53::DNSSEC",
			"DependsOn": "Route53KeySigningKey",
			"Properties": {
				"HostedZoneId": {
					"Ref": "Route53HostedZone"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  KMSKEY:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyUsage: SIGN_VERIFY
      KeySpec: ECC_NIST_P256
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: dnssec-route53.amazonaws.com
            Action:
              - kms:DescribeKey
              - kms:GetPublicKey
              - kms:Sign
              - kms:Verify
            Resource: '*'
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/route53-manager
            Action: kms:*
            Resource: '*'
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: Route53 public hosted zone for domain.com
      Name: domain.com
      HostedZoneTags:
        - Key: Owner
          Value: IT
  Route53KeySigningKey:
    Type: AWS::Route53::KeySigningKey
    Properties:
      Name: cc-route53-ksk
      Status: ACTIVE
      HostedZoneId: !Ref Route53HostedZone
      # The KSK needs the key ARN; !Ref on AWS::KMS::Key returns only the key ID
      KeyManagementServiceArn: !GetAtt KMSKEY.Arn
  Route53DNSSEC:
    Type: AWS::Route53::DNSSEC
    # Signing can only be enabled once an ACTIVE KSK exists for the zone
    DependsOn: Route53KeySigningKey
    Properties:
      HostedZoneId: !Ref Route53HostedZone

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	key_usage                = "SIGN_VERIFY"
	customer_master_key_spec = "ECC_NIST_P256"
	policy                   = jsonencode({
	Version = "2012-10-17",
	Statement = [
		{
			Action = [
				"kms:DescribeKey",
				"kms:GetPublicKey",
				"kms:Sign",
				"kms:Verify",
			],
			Effect = "Allow"
			Principal = {
				Service = "dnssec-route53.amazonaws.com"
			}
			Resource = "*"
		},
		{
			Effect = "Allow"
			Principal = {
				AWS = "arn:aws:iam::123456789012:user/route53-manager"
			}
			Action = "kms:*"
			Resource = "*"
		}
	]
	})
}

resource "aws_route53_zone" "route53-hosted-zone" {
	name    = "domain.com"
	comment = "Route53 public hosted zone for domain.com"
	tags    = {
		Owner = "IT"
	}
}

resource "aws_route53_key_signing_key" "route53-key-signing-key" {
	name                       = "cc-route53-ksk"
	hosted_zone_id             = aws_route53_zone.route53-hosted-zone.id
	key_management_service_arn = aws_kms_key.kms-key.arn
}

resource "aws_route53_hosted_zone_dnssec" "route53-hosted-zone-dnssec" {
	signing_status = "SIGNING"
	# Signing can only be enabled once the ACTIVE key-signing key exists
	depends_on = [
		aws_route53_key_signing_key.route53-key-signing-key
	]
	hosted_zone_id = aws_route53_key_signing_key.route53-key-signing-key.hosted_zone_id
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the public hosted zone that you want to reconfigure. A public Route 53 hosted zone has the Type set to Public.

05 Select the DNSSEC signing tab and choose Enable DNSSEC signing.

06 On the Enable DNSSEC signing setup page, perform the following actions. On this page, Amazon Route 53 will create the Key Signing Key (KSK) for your hosted zone, based on a customer-managed Customer Master Key (CMK) that you choose:

  1. For Provide KSK name, enter an alphanumeric name for the KSK that Amazon Route 53 will create for you.
  2. Under Customer managed CMK in AWS KMS, choose the customer-managed CMK for Amazon Route 53 to use when it creates the KSK for you. The CMK must be an asymmetric key with key usage SIGN_VERIFY and key spec ECC_NIST_P256, and its key policy must allow the dnssec-route53.amazonaws.com service to call kms:DescribeKey, kms:GetPublicKey, kms:Sign, and kms:Verify (see the CloudFormation and Terraform templates above). Choose one of the following options:
    • Select Choose customer managed CMK to use an existing customer-managed CMK that applies to DNSSEC signing.
    • Select Create customer managed CMK to create a new customer-managed CMK for DNSSEC signing. Provide an alias for the new key in the Create customer managed CMK box.
  3. Choose Create KSK and enable signing to enable DNSSEC signing for the selected hosted zone.

07 After you enable DNSSEC signing, establish a chain of trust for the selected Route 53 hosted zone in order to complete your DNSSEC signing setup. You can do this by creating a Delegation Signer (DS) record in the parent hosted zone, for your hosted zone, using the information that Amazon Route 53 provides. Depending on where your domain is registered, you add the DNS record to the parent hosted zone in Route 53 or at another domain registrar. To get started, choose View information to create DS record within the DNSSEC signing configuration section.

08 Inside the Establish a chain of trust section, choose either Route 53 registrar or Another domain registrar, depending on where your domain is registered. Use the provided information to create a DS record for the parent hosted zone within Route 53 or, if your domain is not hosted with Amazon Route 53, at your domain registrar. If your domain is hosted with Amazon Route 53, perform the following actions:

  1. In the left navigation panel, under Domains, select Registered domains.
  2. Choose the name of the domain that you want to add keys for.
  3. For the DNSSEC status field, choose Manage keys and specify the Key type, the Algorithm, and the Public key provided by Amazon Route 53 within the Establish a chain of trust section.
  4. Choose Add to add the public key. When Amazon Route 53 receives a response from the registry, the cloud service sends an email to the registrant contact for the domain. The email either confirms that the public key has been added to the domain at the registry or explains why the key couldn't be added at this point.

09 Wait for the Route 53 updates to propagate, based on the TTL for your domain records.

10 Repeat steps no. 4 – 9 to enable and configure DNSSEC signing for other public hosted zones created within your AWS cloud account.

Using AWS CLI

01 Run create-key-signing-key command (OSX/Linux/UNIX) to create a new Key Signing Key (KSK) and associate it with the Amazon Route 53 public hosted zone that you want to reconfigure. The customer-managed CMK supplied as the value of --key-management-service-arn must be an asymmetric key with key usage SIGN_VERIFY and key spec ECC_NIST_P256, and its key policy must allow the dnssec-route53.amazonaws.com service to call kms:DescribeKey, kms:GetPublicKey, kms:Sign, and kms:Verify (see the CloudFormation and Terraform templates above):

aws route53 create-key-signing-key \
  --region us-east-1 \
  --hosted-zone-id "/hostedzone/ABCDABCDABCDABCDABCD" \
  --name cc-ksk-key \
  --status ACTIVE \
  --key-management-service-arn "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" \
  --caller-reference "2021-01-11-10:00"

02 The command output should return the metadata available for the newly created KSK:

{
	"Location": "https://route53.amazonaws.com/2013-04-01/keysigningkey/ABCDABCDABCDABCDABCD/cc-ksk-key",
	"ChangeInfo": {
		"Id": "/change/ABCD1234ABCD1234ABCD",
		"Status": "PENDING",
		"SubmittedAt": "2021-01-11T10:00:00.755000+00:00"
	},
	"KeySigningKey": {
		"Name": "cc-ksk-key",
		"KmsArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
		"Flag": 257,
		"SigningAlgorithmMnemonic": "ECDSAP256SHA256",
		"SigningAlgorithmType": 13,
		"DigestAlgorithmMnemonic": "SHA-256",
		"DigestAlgorithmType": 2,
		"KeyTag": 36546,
		"DigestValue": " ... ",
		"PublicKey": " ... ",
		"DSRecord": " ... ",
		"DNSKEYRecord": " ... ",
		"Status": "ACTIVE",
		"CreatedDate": "2021-01-11T10:00:00.755000+00:00",
		"LastModifiedDate": "2021-01-11T10:00:00.755000+00:00"
	}
}

03 Run enable-hosted-zone-dnssec command (OSX/Linux/UNIX) using the ID of the Amazon Route 53 hosted zone that you want to reconfigure as identifier parameter, to enable DNSSEC signing for the selected public hosted zone:

aws route53 enable-hosted-zone-dnssec \
  --region us-east-1 \
  --hosted-zone-id "/hostedzone/ABCDABCDABCDABCDABCD"

04 The output should return the enable-hosted-zone-dnssec command request metadata:

{
	"ChangeInfo": {
		"Id": "/change/1234ABCD1234ABCD1234",
		"Status": "PENDING",
		"SubmittedAt": "2021-01-11T11:00:00.744000+00:00"
	}
}

05 After you enable DNSSEC signing, establish a chain of trust for the selected Route 53 hosted zone in order to complete your DNSSEC signing setup. You can do this by creating a Delegation Signer (DS) record in the parent hosted zone, for your hosted zone, within the Amazon Route 53 console, using the information that Amazon Route 53 provides. Depending on where your domain is registered, you add the DNS record to the parent hosted zone in Route 53 or at another domain registrar. When that DNS update is complete, resolvers will be able to validate DNS responses from Amazon Route 53.

06 Repeat steps no. 1 – 5 to enable and configure DNSSEC signing for other public hosted zones available in your AWS cloud account.
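Before publishing the DS record at the parent (step 05 above, and console steps 07 and 08), it is worth confirming that the DS text you are about to enter matches the KSK's DNSKEY, because a mistyped DS at the registrar makes validating resolvers fail the whole zone once it propagates. The following is an added example, not code from Conformity or from the page: it computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) from a DNSKEY record in the text form of the DNSKEYRecord field returned by create-key-signing-key, and compares the result with a DS record string such as the DSRecord field or what the registrar shows. The owner name cloudconformity.com. is taken from the page; the 64-byte public key is constructed and is not a valid P-256 point.

```python
import base64
import hashlib

# Constructed sample (not a real key). Flag 257 = KSK, protocol 3, algorithm 13 =
# ECDSAP256SHA256, matching the fields in the create-key-signing-key output above.
SAMPLE_OWNER = "cloudconformity.com."
SAMPLE_PUBLIC_KEY = base64.b64encode(bytes(range(64))).decode()  # constructed 64-byte key
SAMPLE_DNSKEY_RECORD = f"257 3 13 {SAMPLE_PUBLIC_KEY}"


def owner_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in owner.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the generic method, which algorithm 13 uses)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_record: str) -> str:
    """Build the DS record text "keytag algorithm 2 digest" (digest type 2 = SHA-256)."""
    flags, protocol, algorithm, *key_parts = dnskey_record.split()
    public_key = base64.b64decode("".join(key_parts))
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), public_key)
    # RFC 4034 5.1.4: digest = hash(owner name in wire form | DNSKEY RDATA)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches_dnskey(ds_record: str, owner: str, dnskey_record: str) -> bool:
    """True when the DS text (as published at the parent or registrar) is the DS of this DNSKEY."""
    expected = ds_from_dnskey(owner, dnskey_record).split()
    got = ds_record.split()
    if len(got) < 4:
        return False
    # Presentation format may split the hex digest across several whitespace-separated chunks
    return got[:3] == expected[:3] and "".join(got[3:]).upper() == expected[3]


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY_RECORD)
    print("DNSKEY:", SAMPLE_DNSKEY_RECORD)
    print("DS    :", ds)
    print("match :", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_DNSKEY_RECORD))
```

To use it with a real zone, pass the hosted zone name as owner, the DNSKEYRecord field (or the DNSKEY you see with a resolver) as dnskey_record, and the DS text from the registrar as ds_record; a False result before you submit the DS is far cheaper than a zone that fails validation after it.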

Publication date Jan 14, 2021