AWS Certified Security – Specialty — Question 343

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Answer options

Correct answer: C

Explanation

To resolve a broken trust chain in DNSSEC for a subdomain, a Delegation Signer (DS) record must be created in the parent hosted zone to establish the cryptographic link to the child zone's KSK. Placing the DS record in the subdomain itself (Option D) does not establish this parent-child relationship. Toggling the KSK status (Option B) or replacing it with a ZSK (Option A) will not address the missing delegation linkage.
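As an added illustration (not part of the original question, and not Route 53's own tooling), the following Python derives the DS record a parent zone must publish from a child zone's KSK DNSKEY, per RFC 4034, and checks whether a given DS actually matches that key; the zone name and key bytes are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

@dataclass(frozen=True)
class DNSKEY:
    owner: str         # child zone apex, e.g. "sub.example.com."
    flags: int         # 257 = ZONE + SEP, i.e. a key-signing key
    protocol: int      # always 3
    algorithm: int     # 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key bytes as carried in the RDATA

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def owner_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name (RFC 4034 s.6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: DNSKEY, digest_type: int = 2) -> str:
    """DS RDATA in presentation format: '<key tag> <alg> <digest type> <digest>'.
    The digest covers owner name + DNSKEY RDATA, which is what binds the parent to the child KSK."""
    digest = DIGEST_ALGS[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest()
    return f"{key_tag(key.rdata())} {key.algorithm} {digest_type} {digest.upper()}"

def ds_matches(ds_rdata: str, key: DNSKEY) -> bool:
    """True only when the DS published in the parent corresponds to this child KSK;
    a DS derived from a different key or zone name leaves the chain broken."""
    tag, alg, dtype, digest = ds_rdata.split()
    if int(dtype) not in DIGEST_ALGS:
        return False
    exp_tag, exp_alg, _, exp_digest = make_ds(key, int(dtype)).split()
    return (int(tag), int(alg), digest.upper()) == (int(exp_tag), int(exp_alg), exp_digest)

if __name__ == "__main__":
    ksk = DNSKEY("sub.example.com.", 257, 3, 13, bytes(range(64)))  # constructed key, not real
    ds = make_ds(ksk)
    print("DS record for the parent zone:", ds)
    other = DNSKEY("sub.example.com.", 257, 3, 13, bytes(reversed(range(64))))
    print("matches current KSK:", ds_matches(ds, ksk), "| matches other key:", ds_matches(ds, other))
```
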