Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 public hosted zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC signing is not enabled for Route 53 hosted zones.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Domain Name System Security Extensions (DNSSEC) is a set of protocol extensions that adds a layer of security to the Domain Name System (DNS) lookup and exchange process by allowing DNS responses to be validated. A trustworthy DNS that translates a domain name into its associated IP address is essential for web security today. Attackers can hijack the domain-to-IP lookup process and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records, so that resolvers can detect and reject forged DNS responses that would otherwise misdirect web clients to fake, fraudulent, or scam websites. When you enable DNSSEC signing on a public hosted zone, Route 53 cryptographically signs each DNS record in that hosted zone. Amazon Route 53 manages the Zone Signing Key (ZSK), and you manage the Key Signing Key (KSK) in AWS Key Management Service (KMS).
Audit
To determine if DNSSEC signing is enabled for your Amazon Route 53 public hosted zones, perform the following operations:
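The check below is an added example written for this page; it is not Conformity's or AWS's own code. It evaluates the JSON documents that `aws route53 list-hosted-zones` and `aws route53 get-dnssec --hosted-zone-id <id>` return, flagging every public hosted zone whose `Status.ServeSignature` is not `SIGNING` or that has no `ACTIVE` key-signing key. The hosted zone ids, names and responses are constructed samples so the logic runs offline; to audit a real account, replace them with the live CLI or boto3 responses.

```python
"""Audit Amazon Route 53 public hosted zones for DNSSEC signing status.

Added example, not Conformity's or AWS's code. Response shapes follow the
Route 53 API (HostedZones[].Config.PrivateZone, Status.ServeSignature,
KeySigningKeys[].Status); all sample data below is constructed.
"""

# Constructed sample of `list-hosted-zones` output (zone ids are made up).
HOSTED_ZONES = [
    {"Id": "/hostedzone/ZEXAMPLE0001", "Name": "signed.example.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZEXAMPLE0002", "Name": "unsigned.example.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZEXAMPLE0003", "Name": "broken.example.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZEXAMPLE0004", "Name": "internal.example.",
     "Config": {"PrivateZone": True}},
]

# Constructed samples of `get-dnssec` output, keyed by hosted zone id.
DNSSEC_STATUS = {
    "/hostedzone/ZEXAMPLE0001": {
        "Status": {"ServeSignature": "SIGNING"},
        "KeySigningKeys": [{"Name": "ksk-prod", "Status": "ACTIVE",
                            "SigningAlgorithmMnemonic": "ECDSAP256SHA256"}],
    },
    "/hostedzone/ZEXAMPLE0002": {
        "Status": {"ServeSignature": "NOT_SIGNING"},
        "KeySigningKeys": [],
    },
    "/hostedzone/ZEXAMPLE0003": {
        "Status": {"ServeSignature": "ACTION_NEEDED",
                   "StatusMessage": "constructed: KMS key for ksk-prod is disabled"},
        "KeySigningKeys": [{"Name": "ksk-prod", "Status": "ACTION_NEEDED",
                            "StatusMessage": "constructed: KMS key is disabled"}],
    },
}


def is_public_zone(zone):
    """DNSSEC signing applies only to public hosted zones."""
    return not zone.get("Config", {}).get("PrivateZone", False)


def evaluate_dnssec(dnssec):
    """Return (compliant, findings) for one get-dnssec response."""
    findings = []
    status = dnssec.get("Status", {})
    serve = status.get("ServeSignature", "UNKNOWN")
    if serve != "SIGNING":
        # Route 53 is not currently serving signatures for this zone.
        detail = status.get("StatusMessage")
        findings.append(f"ServeSignature is {serve}" + (f": {detail}" if detail else ""))
    ksks = dnssec.get("KeySigningKeys", [])
    if not any(k.get("Status") == "ACTIVE" for k in ksks):
        findings.append("no ACTIVE key-signing key")
    for k in ksks:
        # A KSK whose KMS key is disabled/deleted shows ACTION_NEEDED; surface it.
        if k.get("Status") in ("ACTION_NEEDED", "INTERNAL_FAILURE"):
            findings.append(f"KSK {k.get('Name')} is {k['Status']}: "
                            f"{k.get('StatusMessage', 'no message')}")
    return (not findings, findings)


def audit(zones, dnssec_by_zone):
    """Map each public hosted zone id to its (compliant, findings) result."""
    results = {}
    for zone in zones:
        if not is_public_zone(zone):
            continue  # private zones cannot be signed; out of scope for this rule
        dnssec = dnssec_by_zone.get(zone["Id"])
        if dnssec is None:
            results[zone["Id"]] = (False, ["get-dnssec returned no data"])
            continue
        results[zone["Id"]] = evaluate_dnssec(dnssec)
    return results


if __name__ == "__main__":
    for zone_id, (ok, findings) in audit(HOSTED_ZONES, DNSSEC_STATUS).items():
        verdict = "COMPLIANT" if ok else "NON-COMPLIANT"
        print(f"{zone_id}: {verdict}" + ("" if ok else " - " + "; ".join(findings)))
```

A `SIGNING` status only shows that Route 53 is producing signatures for the zone. Validating resolvers will still not trust those signatures until the DS record for the zone's KSK has been published in the parent zone (at the registrar or in the parent hosted zone), which is the chain-of-trust step covered in the AWS documentation linked below.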
Remediation / Resolution
To enable Domain Name System Security Extensions (DNSSEC) signing for your Amazon Route 53 public hosted zones, perform the following operations:
References
- AWS Documentation
  - Amazon Route 53 FAQs
  - Configuring DNSSEC signing in Amazon Route 53
  - Enabling DNSSEC signing and establishing a chain of trust
  - Working with customer managed CMKs for DNSSEC
- AWS Command Line Interface (CLI) Documentation
  - list-hosted-zones
  - get-dnssec
  - create-key-signing-key
  - enable-hosted-zone-dnssec
- AWS Announcements
  - Announcing Amazon Route 53 support for DNSSEC