Created
September 20, 2022 23:32
Gist: PeterLi/5f5c5056fbeff0e0137f174881f145eb
Enabling DNSSEC for domains registered on GoDaddy and Managed on AWS Route53 with Load Balancer - SOLVED and finally working
First, what DNSSEC is, and other info of interest:
A nice overview and explanation:
https://www.upguard.com/blog/dnssec
Which led me to want to know more about the root authority, and also root certificate authorities:
https://www.makeuseof.com/tag/your-data-given-to-nsa/ - scary
https://www.tomshardware.com/news/google-bans-cnnic-root-ca,28873.html - nothing surprising
https://www.iana.org/domains/root/servers - looks like mostly US entities, who will ultimately do what the government says. Looks like one country controls the internet.
The configuration of the existing problem:
- The domain, say mydomain.com, is registered in GoDaddy and has various subdomains set up for Google Apps and for AWS infrastructure such as load balancers, via CNAME records
- AWS is currently NOT managing DNS for mydomain.com
Attempts:
(A) Initially attempted to use the 'do it' button in GoDaddy to enable DNSSEC, but encountered an error. Another colleague did manage to enable it, but that also resulted in an incomplete DNSSEC setup with warnings/errors left, right and center.
Used the following tools to check:
https://dnsviz.net
https://dnssec-analyzer.verisignlabs.com
(B) Decided to migrate control and management (but not registration) of mydomain.com to AWS Route53, following these instructions:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html
Key points:
- reduce the TTL of the various records so it is not crazy long, e.g. from 48 hours down to an hour, or whatever is manageable.
- export (or manually copy/paste) the records from the existing GoDaddy (or other registrar) DNS and import them into AWS Route53 under a new hosted zone (mydomain.com)
- the final task is to update the NS records in GoDaddy to point to AWS's name servers. Once that is done, GoDaddy will indicate that it no longer manages the DNS. HOWEVER, YOU WILL STILL NEED TO USE GODADDY TO CONFIGURE DNSSEC PROPERLY!!
Next step is to enable DNSSEC:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-enable-signing.html
Key points:
- reduce the TTL to minimise downtime when switching over, or if something goes wrong, allowing a quick rollback
- when adding the DS record for mydomain.com, in AWS create a new record of type DS; for the record name they say to enter the zone name, so the record name is actually "mydomain.com.mydomain.com". As odd as this looks, this is what they mean. This then enables/shows the entry in the record type dropdown for "DS - Delegation Signer, used to establish a chain of trust for DNSSEC".
- since the original registrar is GoDaddy, we need to use the details from the following page to configure GoDaddy so that the parent zone properly recognises our domain, i.e. ".com" publishes and signs the DS record for "mydomain.com":
AWS > Route 53 > Hosted Zones > mydomain.com > DNSSEC signing > View information to create DS record > Establish a chain of trust > Another domain registrar
GoDaddy needs:
- Key Tag
- Signing Algorithm Type
- Digest Algorithm Type
- Digest
Next step is to configure the DS record in the parent zone of mydomain.com via GoDaddy:
GoDaddy > My Domains > mydomain.com > Manage DNS > DNS Records (which looks empty), click on the "..." button and select "DNSSEC"
Create a new DS record using the details above (Key Tag, Signing Algorithm Type, Digest Algorithm Type, Digest), and save.
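The four values pasted into GoDaddy are not independent: they are derived from the KSK's DNSKEY record in the Route53 zone. Here is an added example (my own code, not Route 53's or GoDaddy's) that computes a DS record from a DNSKEY per RFC 4034 and checks that a DS tuple as typed at the registrar really matches the key; the key bytes are constructed and the function names are hypothetical.

```python
import base64
import hashlib

# Hypothetical helper written for this note; it is not Route 53 or GoDaddy code.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name, e.g. mydomain.com."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The four values GoDaddy asks for: (Key Tag, Signing Algorithm, Digest Algorithm, Digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True when a DS tuple as pasted at the registrar really belongs to this DNSKEY.
    Spaces and case in the pasted digest are ignored; any other difference breaks the chain."""
    tag, alg, dtype, digest = ds
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return (tag, alg, dtype, digest.replace(" ", "").upper()) == expected

# Constructed sample KSK (flags 257, protocol 3, algorithm 13 = ECDSAP256SHA256,
# the algorithm Route 53 signs with). The key bytes are made up and NOT a real key.
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01" * 64).decode()
SAMPLE_DS = ds_from_dnskey("mydomain.com", 257, 3, 13, SAMPLE_PUBKEY_B64)

if __name__ == "__main__":
    print("Key Tag / Signing Alg / Digest Alg / Digest:", SAMPLE_DS)
    # Flip one hex digit, as a copy/paste slip into GoDaddy would: the check fails.
    typo = ("0" if SAMPLE_DS[3][0] != "0" else "1") + SAMPLE_DS[3][1:]
    print("typo accepted?", ds_matches(SAMPLE_DS[:3] + (typo,), "mydomain.com", 257, 3, 13, SAMPLE_PUBKEY_B64))
```

Feed it the real DNSKEY from `dig DNSKEY mydomain.com +dnssec` (the record with flags 257) and compare the result with what GoDaddy shows; a mismatch on any of the four fields is exactly what the checking tools report as a broken chain of trust.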
If all goes well, mydomain.com will have all its tick boxes ticked in a checking tool like https://dnssec-analyzer.verisignlabs.com. BUT for subdomains, say subdomain.mydomain.com, it will still be erroneous, as it will complain of things like the following:
amazonaws.com
- No DS records found for amazonaws.com in the com zone
- No DNSKEY records found
ap-southeast-2.elb.amazonaws.com
- No DS records found for ap-southeast-2.elb.amazonaws.com in the amazonaws.com zone
- No DNSKEY records found
- No RRSIGs found
etc.
So it seems AWS doesn't really do DNSSEC for its own zones (amazonaws.com and the load balancer names under it are unsigned), and has only really added DNSSEC signing for Route53 hosted zones (as of Sep 2022 anyway).
Thus, to resolve this problem and have tick marks across everything in the checking tool, we need to change the DNS entries for our subdomains that used a CNAME to a load balancer to use an A (Alias) record instead. Route53 answers an Alias record from inside the signed mydomain.com zone, so a validating resolver never has to follow a CNAME into the unsigned amazonaws.com zone.
e.g. subdomain.mydomain.com is a CNAME to, say, subdomain-alb-453214624.ap-southeast-2.elb.amazonaws.com
We now need to edit this record to be (in the AWS Route53 Edit Record UI):
Record name: "subdomain" - in our example of subdomain.mydomain.com
Record type: "A – Routes traffic to an IPv4 address and some AWS resources"
Alias slider switch: ON
Route traffic to:
- "Alias to Application and Classic Load Balancer"
- "Asia Pacific (Sydney) [ap-southeast-2]" - or whatever is applicable in your case
- "dualstack.subdomain-alb-453214624.ap-southeast-2.elb.amazonaws.com" - or whatever is applicable in your case
Routing policy: Simple routing
Save the details and wait for the updated DNS changes to propagate - this is why a lower TTL during this time helps.
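The same CNAME-to-Alias-A change, expressed as a Route53 change batch so it can be scripted across many subdomains, as an added example (my own code, not from this gist or AWS). It assumes boto3 is installed only if you actually send the batch; the load balancer hosted zone ID and the mydomain.com hosted zone ID are placeholders, and the function names are hypothetical.

```python
import json

# Placeholder: the Route 53 hosted zone ID of the *load balancer* (it depends on region
# and LB type, not on your domain). Look it up with `aws elbv2 describe-load-balancers`
# (CanonicalHostedZoneId) rather than guessing it.
ALB_HOSTED_ZONE_ID = "<ALB_HOSTED_ZONE_ID>"

def cname_delete_change(subdomain_fqdn, cname_target, ttl):
    """DELETE of the old CNAME; Route 53 requires the exact existing TTL and value."""
    return {
        "Action": "DELETE",
        "ResourceRecordSet": {
            "Name": subdomain_fqdn.rstrip(".") + ".",
            "Type": "CNAME",
            "TTL": ttl,
            "ResourceRecords": [{"Value": cname_target}],
        },
    }

def alias_a_record_change(subdomain_fqdn, alb_dns_name, alb_zone_id=ALB_HOSTED_ZONE_ID):
    """CREATE of the Alias A record: answered (and RRSIG-signed) from inside mydomain.com,
    so validators never follow a CNAME into the unsigned elb.amazonaws.com tree."""
    if not alb_dns_name.startswith("dualstack."):
        alb_dns_name = "dualstack." + alb_dns_name  # the form the console shows for ALBs
    return {
        "Action": "CREATE",
        "ResourceRecordSet": {
            "Name": subdomain_fqdn.rstrip(".") + ".",
            "Type": "A",
            "AliasTarget": {"HostedZoneId": alb_zone_id, "DNSName": alb_dns_name,
                            "EvaluateTargetHealth": False},
        },
    }

def change_batch(changes, comment="CNAME -> Alias A, keeps the DNSSEC chain inside the signed zone"):
    """A CNAME cannot coexist with an A record of the same name, so the DELETE and the
    CREATE go in one batch, which Route 53 applies atomically."""
    return {"Comment": comment, "Changes": list(changes)}

def apply_change_batch(hosted_zone_id, batch):
    """Send the batch; needs boto3 and AWS credentials, so it is not exercised offline."""
    import boto3
    return boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=batch)

if __name__ == "__main__":
    alb = "subdomain-alb-453214624.ap-southeast-2.elb.amazonaws.com"
    batch = change_batch([cname_delete_change("subdomain.mydomain.com", alb, 300),
                          alias_a_record_change("subdomain.mydomain.com", alb)])
    print(json.dumps(batch, indent=2))
    # apply_change_batch("<MYDOMAIN_HOSTED_ZONE_ID>", batch)  # uncomment to send for real
```

The console dropdown only lists load balancers in the same account; because this batch supplies HostedZoneId and DNSName directly, it is the form the API expects when the target has to be named explicitly.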
Go back to tools like https://dnssec-analyzer.verisignlabs.com, type in your domain and subdomains, and you should now have all tick boxes! Yay!
Parting notes:
- if you happen to have other environments, e.g. a TEST environment that was set up in a different AWS account, then this CNAME-to-Alias-A-record trick will not work, as you will not be able to select the load balancer or other resources from the dropdown list. This is a challenge for another day. It's going to be either a migration to one AWS account, or an ability to share resources across AWS accounts.