What should the security engineer do to resolve this error?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain.The subdomain is already registered with Amazon Route 53.A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK).When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Replace the KSK with a zone-signing key (ZSK).

Deactivate and then activate the KSK.

Create a Delegation Signer (DS) record in the parent hosted zone.

Create a Delegation Signer (DS) record in the subdomain.

Explanations:

Replacing the KSK with a ZSK is not a solution for a broken trust chain. A KSK is used for signing the DS record in the parent zone, not for signing the domain itself.

Deactivating and activating the KSK does not address the trust chain issue. The problem is more likely related to missing or incorrect DS records in the parent zone.

Creating a DS record in the parent hosted zone is necessary for establishing a secure trust chain between the parent zone and the subdomain. The DS record links the DNSSEC signatures to the parent zone.

Creating a DS record in the subdomain would not resolve the trust chain issue. The DS record needs to be placed in the parent zone to establish the correct trust relationship.

2025-10-05

1 Comment

  1. Logan
    Author

    I map out that the answer is:
    Create a Delegation Signer (DS) record in the parent hosted zone.

Leave a Reply

Your email address will not be published. Required fields are marked *

17 + twenty =