AWS Certified Security – Specialty (SCS-C02) — Question 307

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Answer options

Correct answer: C

Explanation

To resolve a broken trust chain error in DNSSEC, a Delegation Signer (DS) record must be created in the parent hosted zone to establish the trust relationship with the child subdomain. A validating resolver follows the chain from the parent zone down to the child, and the DS record in the parent is what vouches for the subdomain's KSK. Placing the DS record in the subdomain itself will not establish this link. Swapping keys or toggling the KSK state does not address the missing parent-child delegation record.