On AWS during DS record creation I get an error, DS record with DNS name ex.com not permitted in zone ex.com. Why might this be?
Environment: AWS, DNSSEC
When I attempt to create a DS record to establish a chain of trust I get an error that I don't understand.
My full error:

Error occurred
Bad request.
(InvalidChangeBatch 400: RRSet of type DS with DNS name example.com. is not permitted in zone example.com.)
Oddly enough, when I attempt to add the key to a subdomain like www.example.com it works. But that's not what I need. I need it to work for the entire domain.
Solution 1:
The DS record for example.com would go in the com zone as part of the delegation, not in the example.com zone itself. This is how the chain of trust is formed: you get the DS with a signature from the already validated/trusted parent zone. (In such an example, it would be managed through your registrar.)

Similarly, if you were to delegate e.g. sub.example.com somewhere else, you would have the DS (if applicable) in the example.com zone as part of the delegation for sub.example.com. (Which is why you can add DS for other names.)
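The two points in the answer, that a DS record always lives in the parent zone of the name it covers, and that the DS you hand to the parent (or registrar) is derived from your own KSK DNSKEY, can both be checked offline. The following is an added example, not code from the question or answer and not anything AWS publishes; it implements the DS digest construction from RFC 4034 (digest type 2, SHA-256 over the canonical owner name plus the DNSKEY RDATA) and the key-tag algorithm from RFC 4034 Appendix B, and adds a small helper that reports which of your hosted zones a DS for a given name belongs in. The zone names, flag values and the four-byte public key are constructed sample input, not a real key.

```python
import hashlib
import struct
from typing import Iterable, Optional


def name_to_wire(name: str) -> bytes:
    """Encode a DNS name in canonical wire format: lower-case, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except RSA/MD5):
    sum the RDATA as 16-bit big-endian words, fold in the carry, keep the low 16 bits."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """Build the DS RDATA fields that the parent zone publishes for this DNSKEY.
    Digest type 2 = SHA-256(canonical owner name wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": digest,
    }


def ds_placement_zone(name: str, hosted_zones: Iterable[str]) -> Optional[str]:
    """Return the hosted zone that should hold the DS record for `name`: the closest
    enclosing zone strictly above the name. A zone apex never holds its own DS; if no
    hosted zone is above the name, the DS belongs to the parent (e.g. via the registrar),
    so None is returned."""
    name = name.rstrip(".").lower()
    candidates = [
        z.rstrip(".").lower()
        for z in hosted_zones
        if name != z.rstrip(".").lower() and name.endswith("." + z.rstrip(".").lower())
    ]
    return max(candidates, key=len) if candidates else None


if __name__ == "__main__":
    # Constructed sample input: a KSK (flags 257) for example.com with a fake 4-byte key.
    sample = ds_record("example.com.", 257, 3, 13, b"\x01\x02\x03\x04")
    print("DS for example.com:", sample)
    for n in ("example.com", "sub.example.com"):
        print(n, "-> DS goes in zone:", ds_placement_zone(n, ["example.com"]))
```

With only example.com hosted, the helper returns None for the apex (the DS must be published by the .com zone through the registrar, exactly the error the asker hit) and "example.com" for sub.example.com, which is why a DS for a child name is accepted. Comparing the computed digest and key tag against what the registrar shows is the quickest way to confirm the chain of trust was submitted correctly.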