Source: medium.com
DNSSEC in AWS, the best of the worst
AWS have made it fairly clear that they’re still not supporting DNSSEC in Route53, so let’s run through the options available. The goto at this point is to set up your application in AWS, hopefully behind a load balancer, then CNAME your external DNS onto it, as it good practice with AWS load balancers. This ends up looking something along the lines of: So the flow you end up with is, your user looks up app.securedomain.com, now has a valid DNSSEC setup which is great, picks up the CNAME to amazonaws.com, but unfortunately in-line with AWS’ abstinence from DNSSEC, isn’t signed.
This means that DNSSEC and CNAMES onto an AWS load balancer, won’t give you any extra security.
Just to call that out explicitly, setting up your DNS in a third party system, then adding A records to the AWS load balancer IPs, will work, to start with, then one day it will eventually fail as AWS eventually have replaced the IPs in your load balancer that you hardcoded.
This means that DNSSEC and CNAMES onto an AWS load balancer, won’t give you any extra security.
Just to call that out explicitly, setting up your DNS in a third party system, then adding A records to the AWS load balancer IPs, will work, to start with, then one day it will eventually fail as AWS eventually have replaced the IPs in your load balancer that you hardcoded.
Related Articles
Community Partners
DevOps Careers