
DNSSEC in AWS, the best of the worst

4 years ago medium.com

Summary: this is a summary of an article originally published by the source (medium.com).

AWS have made it fairly clear that they're still not supporting DNSSEC in Route 53, so let's run through the options available. The go-to at this point is to set up your application in AWS, hopefully behind a load balancer, then CNAME your external DNS onto it, as is good practice with AWS load balancers. This ends up looking something along the lines of:

So the flow you end up with is: your user looks up app.securedomain.com, which now has a valid DNSSEC setup (great), and picks up the CNAME to amazonaws.com, which unfortunately, in line with AWS' abstinence from DNSSEC, isn't signed.

This means that DNSSEC plus a CNAME onto an AWS load balancer won't give you any extra security: the signed zone proves only the CNAME record itself, and the A record it ultimately resolves to is unsigned.

Just to call that out explicitly: setting up your DNS in a third-party system and adding A records pointing at the AWS load balancer IPs will work to start with, but one day it will fail, because AWS will eventually have replaced the IPs behind the load balancer that you hard-coded.
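The CNAME chain described above and the stale-A-record failure mode, as an added example that is not from the original article: a small Python check over constructed records (the load balancer hostname, the IP addresses and the zone signing table are all made up here, not real lookup data) that follows CNAMEs from a name and reports the first hop that leaves DNSSEC-signed territory, and that compares a pinned set of A records against what a fresh lookup returned so that drift is noticed before the hard-coded records go dark.

```python
"""Walk a CNAME chain and report where DNSSEC coverage ends, plus a
drift check for hard-coded A records.

All data below is constructed so the example runs offline; it is not
real DNS data and the names/addresses are hypothetical.
"""

# Constructed: per-zone DNSSEC status. The third-party zone is signed,
# the amazonaws.com zone is not (the article's point about Route 53).
SIGNED_ZONES = {
    "securedomain.com": True,
    "amazonaws.com": False,
}

# Constructed records: owner name -> (type, rdata). Trailing dots as in DNS.
RECORDS = {
    # The article's scenario: signed zone, CNAME to an unsigned ELB name.
    "app.securedomain.com.": ("CNAME", "example-lb-000000000.eu-west-1.elb.amazonaws.com."),
    "example-lb-000000000.eu-west-1.elb.amazonaws.com.": ("A", "198.51.100.10"),
    # A comparison chain that stays inside the signed zone.
    "www.securedomain.com.": ("CNAME", "edge.securedomain.com."),
    "edge.securedomain.com.": ("A", "203.0.113.5"),
}


def enclosing_zone(name, signed_zones):
    """Return the longest known zone that contains `name`, or None if unknown."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in signed_zones:
            return candidate
    return None


def dnssec_coverage(name, records, signed_zones, max_hops=8):
    """Follow CNAMEs from `name` and record the signing status of every hop.

    Returns a dict with the hop list, whether every hop sits in a signed
    zone, and the first owner name that is NOT covered by DNSSEC (None if
    the whole chain is signed). Unknown zones are treated as unsigned.
    """
    hops = []
    current = name
    for _ in range(max_hops):
        zone = enclosing_zone(current, signed_zones)
        signed = signed_zones.get(zone, False)
        hops.append((current, zone, signed))
        rtype, rdata = records.get(current, (None, None))
        if rtype != "CNAME":
            break  # reached the terminal record (or a name with no data)
        current = rdata
    else:
        raise ValueError(f"CNAME chain from {name} exceeded {max_hops} hops")
    first_unsigned = next((owner for owner, _, ok in hops if not ok), None)
    return {
        "hops": hops,
        "fully_signed": first_unsigned is None,
        "first_unsigned": first_unsigned,
    }


def a_record_drift(pinned_ips, resolved_ips):
    """Compare A records hard-coded in a third-party zone with a fresh lookup.

    `stale` are pinned addresses the load balancer no longer answers from;
    `missing` are current addresses the pinned set does not include.
    """
    pinned, resolved = set(pinned_ips), set(resolved_ips)
    return {"stale": pinned - resolved, "missing": resolved - pinned}


if __name__ == "__main__":
    for owner in ("app.securedomain.com.", "www.securedomain.com."):
        report = dnssec_coverage(owner, RECORDS, SIGNED_ZONES)
        status = "fully signed" if report["fully_signed"] else f"unsigned from {report['first_unsigned']}"
        print(f"{owner}: {status}")
    # Constructed: the ELB used to answer from .10, now answers from .20/.21.
    print(a_record_drift({"198.51.100.10"}, {"198.51.100.20", "198.51.100.21"}))
```

Run against real zones you would replace the two constructed tables with the output of an actual resolver that reports the AD bit per hop; the structure of the walk (stop at the first hop whose zone is unsigned) is the part the article's argument turns on.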
