Amazon Exam SCS-C01 Topic 1 Question 56 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 56
Topic #: 1

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

ASet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK) Restart the BIND service.

BMigrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS. Key Management Service (AWS KMS) customer managed key.

CSet the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS. Key Management Service (AWS KMS) to secure the keys.

DMigrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.

Show Suggested Answer

Suggested Answer: D

To configure DNSSEC for a domain registered with Route 53, the most operationally efficient solution is to migrate the zone to Route 53 with DNSSEC signing enabled, create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key, and add a delegation signer (DS) record to the parent zone. This way, Route 53 handles the zone-signing key (ZSK) and the signing of the records in the hosted zone, and the customer only needs to manage the KSK in AWS KMS and provide the DS record to the domain registrar. Option A is incorrect because it does not involve migrating the zone to Route 53, which would simplify the DNSSEC configuration. Option B is incorrect because it creates both a ZSK and a KSK based on AWS KMS customer managed keys, which is unnecessary and less efficient than letting Route 53 manage the ZSK. Option C is incorrect because it does not involve migrating the zone to Route 53, and it requires running the dnssec-signzone command manually, which is less efficient than letting Route 53 sign the zone automatically. Verified Reference:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/

by Ryan at Mar 17, 2024, 07:22 PM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Willow

7 days ago

Ah, the age-old DNSSEC conundrum. I've been down this road before, and let me tell you, it's not pretty. But if I had to choose, I'd go with option B as well. Migrating to Route 53 and using AWS KMS seems like the most 'operationally efficient' solution, as the question puts it. Though I do wonder if the AWS KMS charges will add up over time...

upvoted 0 times

...

Page

8 days ago

You know, I was just reading about DNSSEC the other day. I think option B is the way to go. Letting Route 53 handle the DNSSEC signing and using AWS KMS for the keys seems like a no-brainer. It's the easiest way to get DNSSEC up and running without too much hassle.

upvoted 0 times

...

Muriel

9 days ago

Hmm, I'm not sure. Option C looks interesting, using BIND and AWS KMS, but I'm worried about the manual steps involved with generating the DS record. Option D also seems viable, but I'm not a fan of having to add the DS record to the parent zone.

upvoted 0 times

...

Rebbecca

10 days ago

This is a tricky one. DNSSEC can be a bit of a pain to set up, but it's crucial for securing our domain. I'm leaning towards option B - migrating to Route 53 with DNSSEC signing enabled and using AWS KMS for the keys. That seems like the most operationally efficient and secure solution.

upvoted 0 times

...