Documentation

Information about the DNSSEC key.

You get this from your DNS provider and then give it to Route 53 (by using AssociateDelegationSignerToDomain) to pass it to the registry to establish the chain of trust.

See: newDnssecKey smart constructor.

Create a value of DnssecKey with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:algorithm:DnssecKey', dnssecKey_algorithm - The number of the public key’s cryptographic algorithm according to an IANA assignment.

If Route 53 is your DNS service, set this to 13.

For more information about enabling DNSSEC signing, see Enabling DNSSEC signing and establishing a chain of trust.

$sel:digest:DnssecKey', dnssecKey_digest - The delegation signer digest.

Digest is calculated from the public key provided using specified digest algorithm and this digest is the actual value returned from the registry nameservers as the value of DS records.

$sel:digestType:DnssecKey', dnssecKey_digestType - The number of the DS digest algorithm according to an IANA assignment.

For more information, see IANA for DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms.

$sel:flags:DnssecKey', dnssecKey_flags - Defines the type of key. It can be either a KSK (key-signing-key, value 257) or ZSK (zone-signing-key, value 256). Using KSK is always encouraged. Only use ZSK if your DNS provider isn't Route 53 and you don’t have KSK available.

If you have KSK and ZSK keys, always use KSK to create a delegations signer (DS) record. If you have ZSK keys only – use ZSK to create a DS record.

$sel:id:DnssecKey', dnssecKey_id - An ID assigned to each DS record created by AssociateDelegationSignerToDomain.

$sel:keyTag:DnssecKey', dnssecKey_keyTag - A numeric identification of the DNSKEY record referred to by this DS record.

$sel:publicKey:DnssecKey', dnssecKey_publicKey - The base64-encoded public key part of the key pair that is passed to the registry .

The number of the public key’s cryptographic algorithm according to an IANA assignment.

If Route 53 is your DNS service, set this to 13.

For more information about enabling DNSSEC signing, see Enabling DNSSEC signing and establishing a chain of trust.

The delegation signer digest.

Digest is calculated from the public key provided using specified digest algorithm and this digest is the actual value returned from the registry nameservers as the value of DS records.

The number of the DS digest algorithm according to an IANA assignment.

For more information, see IANA for DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms.

Defines the type of key. It can be either a KSK (key-signing-key, value 257) or ZSK (zone-signing-key, value 256). Using KSK is always encouraged. Only use ZSK if your DNS provider isn't Route 53 and you don’t have KSK available.

If you have KSK and ZSK keys, always use KSK to create a delegations signer (DS) record. If you have ZSK keys only – use ZSK to create a DS record.

An ID assigned to each DS record created by AssociateDelegationSignerToDomain.

A numeric identification of the DNSKEY record referred to by this DS record.

The base64-encoded public key part of the key pair that is passed to the registry .