On AWS during DS record creation I get an error, DS record with DNS name ex.com not permitted in zone ex.com. Why might this be?

Environment: AWS, DNSSEC

When I attempt to create a DS record to establish a chain of trust I get an error that I don't understand.

My full error:

Error occurred
Bad request.
(InvalidChangeBatch 400: RRSet of type DS with DNS name example.com. is not permitted in zone example.com.)

Oddly enough when I attempt to add the key to a subdomain like www.example.com it works. But that's not what I need. I need it to work for the entire domain.


Solution 1:

The DS record for example.com would go in the com zone as part of the delegation, not in the example.com zone itself. This is how the chain of trust is formed: you get the DS with a signature from the already validated/trusted parent zone.
(In such an example, it would be managed through your registrar.)

Similarly, if you were to delegate e.g. sub.example.com somewhere else, you would have the DS (if applicable) in the example.com zone as part of the delegation for sub.example.com. (Which is why you can add DS for other names.)
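To make the placement rule concrete, here is an added Python illustration (not part of the answer above and not AWS or Route 53 code) of the two things the answer relies on: a DS record is a digest of the child zone's key-signing DNSKEY, and it is published by the parent zone, so the DS for example.com is something you hand to the registrar for the com zone, while the DS for sub.example.com can live in your own example.com zone. The DNSKEY records, the 8-byte "public key" and the helper names `parse_dnskey`, `make_ds`, `ds_holder_zone` and `matching_dnskey` are all constructed for the example; the key bytes are placeholders, not a real ECDSA key.

```python
"""Where a DS record lives and how it is derived from the child's KSK.

Added illustration: the DS for a zone is a digest over the owner name plus
the key-signing DNSKEY's RDATA (RFC 4034 section 5.1.4), and it is published
by the PARENT zone as part of the delegation. All values are constructed.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm key...'
    (presentation format) into (owner, DNSKEY RDATA bytes)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B, algorithms != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex): the DS RDATA
    the parent zone must publish for this DNSKEY. digest_type 2 = SHA-256."""
    algorithm = rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_holder_zone(child: str, managed_zones):
    """Which of the zones you manage should hold the DS for `child`: the
    closest proper ancestor. None means the DS belongs to a zone you do not
    control (for example.com that is 'com', reached through the registrar)."""
    managed = {z.rstrip(".").lower() for z in managed_zones}
    labels = child.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in managed:
            return candidate
    return None


def matching_dnskey(ds, dnskey_lines):
    """Parent-side check: which of the child's DNSKEYs does this DS commit to?
    Returns the matching presentation line, or None if no key matches."""
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        if make_ds(owner, rdata, ds[2]) == ds:
            return line
    return None


# Constructed sample records: 8 placeholder key bytes each, NOT real keys.
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(8))).decode()
SAMPLE_ZSK = "example.com. IN DNSKEY 256 3 13 " + base64.b64encode(bytes(range(8, 16))).decode()

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_KSK)
    ds = make_ds(owner, rdata)
    print("DS to give your registrar (it lands in the com zone, not in example.com):")
    print(f"{owner} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("Zone holding DS for example.com:", ds_holder_zone("example.com", ["example.com"]))
    print("Zone holding DS for sub.example.com:", ds_holder_zone("sub.example.com", ["example.com"]))
```

`ds_holder_zone("example.com", ["example.com"])` returning `None` is the situation in the question: the only zone you manage is the child, and the record belongs one level up. The same digest computation is what a validating resolver repeats when it fetches the child's DNSKEY RRset and checks it against the DS it already trusts from the parent.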