Amazon Exam SCS-C02 Topic 4 Question 12 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 12
Topic #: 4

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

AReplace the KSK with a zone-signing key (ZSK).

BDeactivate and then activate the KSK.

CCreate a Delegation Signer (DS) record in the parent hosted zone.

DCreate a Delegation Signer (DS) record in the subdomain.

Show Suggested Answer

Suggested Answer: C

by Izetta at Feb 09, 2024, 09:07 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Alfreda

9 days ago

Alright, folks, let's stick to the task at hand. Option C is the way to go, no doubt about it. Time to ace this exam!

upvoted 0 times

...

Buck

10 days ago

Hah, you said it, Magdalene. DNSSEC, where the answers are made up and the trust chains don't matter. *rolls eyes*

upvoted 0 times

...

Magdalene

11 days ago

Exactly, that's the way to go. Gotta love those DNSSEC shenanigans, am I right? *chuckles*

upvoted 0 times

...

Doug

12 days ago

Aha, yes! Option C makes the most sense to me. The security engineer needs to create a DS record in the parent hosted zone to establish the trust chain. Brilliant!

upvoted 0 times

...