AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 149

An ecommerce company needs to implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company's new policy requires data authentication and data integrity verification for all queries to the company’s domain names. The current Route 53 architecture has four public hosted zones.

A network engineer needs to implement DNS Security Extensions (DNSSEC) signing and validation on the hosted zones. The solution must include an alert capability.

Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Enable DNSSEC signing for Route 53 Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
• B. Enable DNSSEC signing for Route 53 Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
• C. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record for each subdomain
• D. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record to the parent zone.
• E. Set up an Amazon CloudWatch alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.
• F. Set up an AWS CloudTrail alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.

Correct answer: A, D, E

Explanation

The correct steps involve enabling DNSSEC signing for Route 53 with a key-signing key (KSK) and establishing a chain of trust through the parent zone by adding a Delegation Signer (DS) record. Setting up an Amazon CloudWatch alarm ensures that alerts are generated for specific DNSSEC errors. The other options either involve incorrect types of keys or incorrect methods for establishing trust.