Help setting up DNSSEC in AWS

Hey guys, I am looking for a little assistance. I am trying to set up DNSSEC in AWS, that’s my registrar. I have zero experience in this area. I was going to put screenshots of the AWS console, but being a Discourse rookie is no fun :frowning:

I am just trying to correlate the information from MiAB admin prompt to my registrar. Hopefully somebody could assist with a quick tutorial?

Any help is much appreciated!

Try listing the fields offered in the AWS interface.

Alright, so when I go to aws, under the DNSSEC this is the very first portion. It seems like there are 2 steps.

  1. I then click under Enable DNSSEC signing.
  2. The second screen is where I get lost. None of the settings here seem to correlate to MiaB settings.
  3. Section 2 is selected by default, and with that there are even fewer settings.

Okay, I’ve yet to actually deal with this, but when they are asking for them to sign the zone, I think they mean using keys generated by their service. Your zone is actually signed by MiaB, so you don’t need to head down any paths of creating keys.

You need to discover where to enter your own information into the interface. Note that MiaB does provide the Public Key for each algorithm and I suspect there is a reason for this.

Unfortunately, I am just not at all familiar with AWS.

Are you using Route 53 to host your DNS or is Route 53 merely the registrar? In other words, did you follow the glue record and hostname parts of the Mail-in-a-Box Setup Guide?

Are you using Route 53 to host your DNS or is Route 53 merely the registrar?

I think it’s both. All my setup is in aws

In other words, did you follow the glue record and hostname parts of the Mail-in-a-Box Setup Guide?

I did

You need to discover where to enter your own information into the interface

Alright.

Thanks!

@supplyarray Both of your answers can’t be true. :slight_smile: If Route 53 hosts your DNS, then none of the DNSSEC information provided by Mail-in-a-Box is relevant.


@JoshData :smiley: I apologize, this is really not my realm. Please see below:

I think I got it. I was under the hosted zone section. I went to the registrar section, and there’s another DNSSEC section there.

Now under Key type I can only choose 256 - ZSK and 257 - KSK. This does not seem to match, however, the Key Tag or Key Flags in MiaB.

For the Algorithm I can choose 13.

Then I would just add the Public Key. Is that all?

Thanks for the support!

The Key Type is listed in MiaB as Key Flags and is 257 - KSK.

Based on what I see here, it seems like they are asking for the Public key, which I’m guessing is the Public Key stated in MiaB.

You should click the ‘Learn more’ link and see what is there.

@openletter This is the learn more link

Edit: Should I delete the key that’s already there?

There is no need to delete keys until everything is working properly, assuming they permit multiple keys, which they should as it is permitted to have multiple RRsets per RFC.

Public key
Specify the public key from the asymmetric key pair that you used to configure DNSSEC with your DNS service provider.

Note the following:

  • Specify the public key, not the digest.
  • You must specify the key in base64 format.

I think I guessed correctly, so paste in the public key from the MiaB interface for option 1. See what happens.

Use https://dnsviz.net to verify which keys are being used. Note it caches results for a long time (months, at least), so be sure to re-analyze after changes.
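Added example, not code from this thread, Mail-in-a-Box or AWS: a small Python script that shows how the values on the MiaB DNSSEC page relate to each other, and why the registrar form only asks for Key type, Algorithm and Public key. The Key Tag is derived from the DNSKEY RDATA (RFC 4034 Appendix B), and the DS digest a parent publishes is derived from the owner name plus that same RDATA (RFC 4034 section 5), so neither has to be typed in when the registrar accepts the raw public key. The DNSKEY below is constructed: its key material is 64 zero bytes, which is not a real ECDSA P-256 key; it only keeps the key-tag arithmetic easy to check by hand. `example.com.` and the helper names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample in the shape MiaB's admin page (and `dig DNSKEY`) show a key.
# NOT a real key: 64 zero bytes stand in for the ECDSA P-256 public point.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS = 257        # "Key Flags" in MiaB, "257 - KSK" in the Route 53 registrar form
SAMPLE_PROTOCOL = 3       # always 3 for DNSSEC (RFC 4034 section 2.1.2)
SAMPLE_ALGORITHM = 13     # ECDSAP256SHA256, the algorithm chosen in the thread
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(64)).decode()

# Raw public key length per algorithm where it is fixed (RFC 6605 section 4).
RAW_KEY_LENGTH = {13: 64, 14: 96}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the raw key bytes."""
    key = base64.b64decode(pubkey_b64, validate=True)
    expected = RAW_KEY_LENGTH.get(algorithm)
    if expected is not None and len(key) != expected:
        raise ValueError(f"algorithm {algorithm} expects {expected} key bytes, got {len(key)}")
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercased) wire form of an owner name, the first input to the DS digest."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record (RFC 4034 section 5) a parent zone would publish for this DNSKEY.
    digest_type 2 is SHA-256, 4 is SHA-384."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}.get(digest_type)
    if hasher is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def route53_registrar_fields(flags, algorithm, pubkey_b64):
    """Map a MiaB DNSKEY onto the three fields the thread found in the Route 53
    registrar DNSSEC form. Flags 257 is a KSK, 256 a ZSK; the key tag is not entered."""
    key_type = {257: "257 - KSK", 256: "256 - ZSK"}[flags]
    base64.b64decode(pubkey_b64, validate=True)   # the form wants base64, not a digest
    return {"Key type": key_type, "Algorithm": algorithm, "Public key": pubkey_b64}


if __name__ == "__main__":
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    print("Key tag (derived):", key_tag(rdata))
    print(ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
    print(route53_registrar_fields(SAMPLE_FLAGS, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
```

Run it against your own DNSKEY line by replacing the four `SAMPLE_` values with what MiaB shows: the printed key tag should equal MiaB's Key Tag, and the DS line should match the DS record shown for your zone at https://dnsviz.net once the registrar has published it. A mismatch in the key tag usually means the base64 string was pasted with a line break or a missing character.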

@openletter @JoshData Thanks much for the support. Adding the key in the last screen did it!

The analysis with https://dnsviz.net/ shows the 2 keys, and the warning signs are the same as MiAB not to sign with algorithm 7.

Is it safe to get rid of the RSASHA1_NSEC3_SHA1 key?

I’m pretty sure if the MiaB status checks see it, then it should be fine.

Understood. Issue solved then! Thanks again for the support! :100: :+1:
