Topic 1 Question 185
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.
What should the security engineer do to resolve this error?
A. Replace the KSK with a zone-signing key (ZSK).
B. Deactivate and then activate the KSK.
C. Create a Delegation Signer (DS) record in the parent hosted zone.
D. Create a Delegation Signer (DS) record in the subdomain.
Comments (2)
- Answer I think is correct: C
DS record must be created in the parent hosted zone to properly link the DNSSEC configuration of the subdomain with its parent zone.
👍 5 mikelord 2024/10/03
- Answer I think is correct: C
To resolve the broken trust chain error, the security engineer should:
C. Create a Delegation Signer (DS) record in the parent hosted zone.
The DS record in the parent zone is essential for establishing the chain of trust between the parent and the child zone. This record contains a hash of the child zone’s DNSKEY, which allows DNS resolvers to verify the authenticity of the DNSKEY in the child zone.
👍 1 IPLogic 2024/12/03