Registrar guide
DNSSEC in Route 53
Route 53 can sign your hosted zone. After signing, you publish a DS record in the parent zone (normally through your registrar) so that validating resolvers can build the chain of trust from the root down to your zone.
Heads up
DNSSEC is easy to misconfigure. A DS record at the parent that does not match the zone's key-signing key makes every validating resolver return SERVFAIL for the whole zone, so make the change in a maintenance window and verify the chain before and after.
Hosted zone → DNSSEC signing → ON
Registrar → add the DS record (key tag, algorithm, digest type and digest, all copied from the Route 53 console)
See also:
DNS guides
Step by step
Step 1 Route 53 → Hosted zones → select your zone.
Step 2 Enable DNSSEC signing for the zone (follow the console prompts; Route 53 signs with an asymmetric AWS KMS customer managed key in us-east-1 that serves as the key-signing key).
Step 3 Copy the DS record details (key tag, algorithm, digest type, digest) that the console shows for the zone's key-signing key; the matching DNSKEY is published in the zone itself.
Step 4 At your registrar (where the domain is registered), add the DS records they require.
Step 5 Confirm the chain: fetch the DNSKEY from the zone and the DS from the parent and check that they agree, then query through a validating resolver with dig +dnssec and look for the ad flag in the response. A mismatch breaks resolution for every validating client.
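As an added example (not part of this guide or of AWS's tooling), the Python below performs the check in Step 5 offline: it derives the DS record from a DNSKEY exactly as RFC 4034 defines it (key tag per Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and compares it with a DS record as published at the parent. The DNSKEY is a constructed sample with placeholder key bytes, not a real key; in practice you paste the KSK line (flags 257) from `dig DNSKEY example.com` and the DS line from `dig DS example.com`.

```python
import base64
import hashlib

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse a DNSKEY presentation line: owner [ttl] [IN] DNSKEY flags proto alg base64."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4 :]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str, digest_type: int = 2) -> str:
    """Return the DS RDATA 'keytag alg digest_type digest' for a DNSKEY line."""
    owner, alg, rdata = parse_dnskey(rr)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(ds: str):
    """Accept either bare DS RDATA or a full 'owner ttl IN DS ...' line from dig."""
    fields = ds.split()
    if "DS" in fields:
        fields = fields[fields.index("DS") + 1 :]
    tag, alg, dtype = (int(x) for x in fields[:3])
    return tag, alg, dtype, "".join(fields[3:]).upper()


def ds_matches(ds_rr: str, dnskey_rr: str) -> bool:
    """True when the DS at the parent was derived from this DNSKEY (same tag, alg, digest)."""
    tag, alg, dtype, digest = parse_ds(ds_rr)
    if dtype not in DIGEST_ALGS:
        return False
    return ds_from_dnskey(dnskey_rr, dtype) == f"{tag} {alg} {dtype} {digest}"


# Constructed sample KSK (flags 257 = SEP bit), algorithm 13 (ECDSA P-256).
# The key bytes are a placeholder (0x00..0x3f), not a real public key.
SAMPLE_KSK = (
    "example.com. 3600 IN DNSKEY 257 3 13 "
    + base64.b64encode(bytes(range(64))).decode()
)

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_KSK)
    print("DS to publish at the registrar:", ds)
    print("parent DS matches zone KSK:", ds_matches(ds, SAMPLE_KSK))
```

Run it against the real records before cutover: the DS string it prints must equal, field for field, what the Route 53 console shows and what `dig DS example.com` later returns from the parent; any difference in key tag, algorithm or digest means validating resolvers will fail the zone. The final check is a signed query through a validating resolver, for example `dig +dnssec example.com @1.1.1.1`, where `ad` in the flags line confirms the chain validated.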
FAQ
Does Route 53 host my registration?
Not always. The domain is often registered elsewhere, and the DS record is added wherever the domain is registered: at your registrar, or in Route 53 Domains if that is where you registered it.
Can I test before going live?
Sign a test subdomain delegated as its own hosted zone first, and lower TTLs before cutover. DNSSEC errors are user-visible: a validating resolver returns SERVFAIL instead of falling back to unsigned data.
Does DNSSEC fix email auth?
No — it validates DNS integrity. SPF/DKIM/DMARC are separate.
What if email breaks after DS change?
Email breaks because MX lookups fail validation along with everything else in the zone. Remove the DS record at the registrar first, wait for the parent's DS TTL to expire, and only then disable signing; disabling signing while a DS is still cached causes the same failures. Diagnose with a DNSSEC validator rather than guessing.
Where is signing managed?
In the Route 53 hosted zone: signing is a property of the authoritative zone hosted at AWS, while the DS record that anchors it lives in the parent zone.