How do I remove a DS record from my parent zone using Amazon Route 53?

Solution 1:

The DS (and NS) record in the upper zone is the result of a setting on the registrar side and is not directly part of the DNS zone it relates to. Especially for the DS record, the "magic" keyword is disabling DNSSEC - once you enable DNSSEC for the zone, one of the steps is to provision the DS record(s).

AWS doc for DNSSEC setup (Jan 8th 2020):

Deleting Public Keys for a Domain

When you're rotating keys or you're disabling DNSSEC for the domain, delete public keys using the following procedure before you disable DNSSEC with your DNS service provider. We recommend that you wait for up to three days to delete public keys after you rotate keys or disable DNSSEC with your DNS service provider. Note the following:

  • If you're rotating public keys, we recommend that you wait for up to three days after you add the new public keys to delete the old public keys.
  • If you're disabling DNSSEC, delete public keys for the domain first. We recommend that you wait for up to three days before you disable DNSSEC with the DNS service for the domain.

Important

  • If DNSSEC is enabled for the domain and you disable DNSSEC with the DNS service, DNS resolvers that support DNSSEC will return a SERVFAIL error to clients, and the clients won't be able to access the endpoints that are associated with the domain.

To delete public keys for a domain

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
  2. In the navigation pane, choose Registered domains.
  3. Choose the name of the domain that you want to delete keys from.
  4. At the DNSSEC status field, choose Manage keys.
  5. Find the key that you want to delete, and choose Delete.
     • Note: You can only delete one public key at a time. If you need to delete more keys, wait until you receive a confirmation email from Amazon Route 53.
  6. When Route 53 receives a response from the registry, we send an email to the registrant contact for the domain. The email either confirms that the public key has been deleted from the domain at the registry or explains why the key couldn't be deleted.
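
An added example, not part of the answer above or of the AWS documentation: before step 5 it helps to know which DS record at the parent anchors which DNSKEY in the zone, so that the key deleted is the leftover one and not the one resolvers still need. The sketch below takes answer lines in the format printed by `dig +noall +answer` for the DS and DNSKEY queries, recomputes the key tag and SHA-256 DS digest per RFC 4034, and matches them. The function names, the toy keys and the use of the three-day figure as a default wait are assumptions made for this illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(line):
    """Wire-format RDATA from a 'dig +noall +answer' DNSKEY line (RFC 4034 2.1)."""
    flags, proto, alg, *b64 = line.split()[4:]
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_for(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 hex) the parent would publish."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(wire + rdata).hexdigest())

def classify_parent_ds(owner, ds_lines, dnskey_lines):
    """Map each DS line seen at the parent to the DNSKEY line it anchors, or None."""
    known = {ds_for(owner, dnskey_rdata(k)): k for k in dnskey_lines}
    out = {}
    for line in ds_lines:
        tag, alg, dtype, *digest = line.split()[4:]
        out[line] = known.get((int(tag), int(alg), int(dtype), "".join(digest).lower()))
    return out

def safe_to_disable_signing(ds_lines, seconds_since_ds_removed, wait=3 * 86400):
    """Assumed rule: no DS left at the parent and the quoted three-day wait has passed."""
    return not ds_lines and seconds_since_ds_removed >= wait

# Constructed sample data: toy 4-byte keys, not real DNSSEC keys.
OWNER = "example.com."
OLD_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AAEAAg=="
NEW_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AAMABA=="

def ds_line(owner, dnskey_line):
    """Render the DS line a parent would serve for a DNSKEY (builds the sample)."""
    tag, alg, dtype, digest = ds_for(owner, dnskey_rdata(dnskey_line))
    return f"{owner} 86400 IN DS {tag} {alg} {dtype} {digest.upper()}"

if __name__ == "__main__":
    parent = [ds_line(OWNER, OLD_KSK), ds_line(OWNER, NEW_KSK)]
    for ds, key in classify_parent_ds(OWNER, parent, [NEW_KSK]).items():
        print("DS key tag", ds.split()[4], "->", key or "no matching DNSKEY in zone")
    print("safe to disable signing:", safe_to_disable_signing(parent, 0))
```

A DS line that maps to no DNSKEY is the candidate for deletion during a rotation; when disabling DNSSEC, the zone should stay signed until the parent's DS query returns nothing and the wait has elapsed.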