See: newCreateKeySigningKey smart constructor.

Create a value of CreateKeySigningKey with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

CreateKeySigningKey, createKeySigningKey_callerReference - A unique string that identifies the request.

CreateKeySigningKey, createKeySigningKey_hostedZoneId - The unique string (ID) used to identify a hosted zone.

$sel:keyManagementServiceArn:CreateKeySigningKey', createKeySigningKey_keyManagementServiceArn - The Amazon resource name (ARN) for a customer managed key in Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.

You must configure the customer managed customer managed key as follows:

Status

Enabled

Key spec

ECC_NIST_P256

Key usage

Sign and verify

Key policy

The key policy must give permission for the following actions:

• DescribeKey
• GetPublicKey
• Sign

The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:

• "Service": "dnssec-route53.amazonaws.com"

For more information about working with a customer managed key in KMS, see Key Management Service concepts.

CreateKeySigningKey, createKeySigningKey_name - A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.

CreateKeySigningKey, createKeySigningKey_status - A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.

A unique string that identifies the request.

The unique string (ID) used to identify a hosted zone.

The Amazon resource name (ARN) for a customer managed key in Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.

You must configure the customer managed customer managed key as follows:

Status

Enabled

Key spec

ECC_NIST_P256

Key usage

Sign and verify

Key policy

The key policy must give permission for the following actions:

• DescribeKey
• GetPublicKey
• Sign

The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:

• "Service": "dnssec-route53.amazonaws.com"

For more information about working with a customer managed key in KMS, see Key Management Service concepts.

A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.

A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.

See: newCreateKeySigningKeyResponse smart constructor.

Create a value of CreateKeySigningKeyResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:httpStatus:CreateKeySigningKeyResponse', createKeySigningKeyResponse_httpStatus - The response's http status code.

$sel:changeInfo:CreateKeySigningKeyResponse', createKeySigningKeyResponse_changeInfo - Undocumented member.

$sel:keySigningKey:CreateKeySigningKeyResponse', createKeySigningKeyResponse_keySigningKey - The key-signing key (KSK) that the request creates.

$sel:location:CreateKeySigningKeyResponse', createKeySigningKeyResponse_location - The unique URL representing the new key-signing key (KSK).

The response's http status code.

Undocumented member.

The key-signing key (KSK) that the request creates.

The unique URL representing the new key-signing key (KSK).