Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 4 Question 12 Discussion

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.What should the security engineer do to resolve this error?
C) Create a Delegation Signer (DS) record in the parent hosted zone.
A) Replace the KSK with a zone-signing key (ZSK).
B) Deactivate and then activate the KSK.
D) Create a Delegation Signer (DS) record in the subdomain.

Amazon SCS-C02 Exam - Topic 4 Question 12 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 12
Topic #: 4
[All SCS-C02 Questions]

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

Show Suggested Answer Hide Answer
Suggested Answer: C

by Izetta at Feb 09, 2024, 09:07 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Artie
6 months ago
A KSK is different from a ZSK, so that option is out.
upvoted 0 times
...
Gilma
7 months ago
Deactivating the KSK sounds risky, not sure about that.
upvoted 0 times
...
Georgiann
7 months ago
Wait, can you really just fix it with a DS record?
upvoted 0 times
...
Kiley
7 months ago
Totally agree, that's the right move!
upvoted 0 times
...
Ezekiel
7 months ago
You need to create a DS record in the parent zone.
upvoted 0 times
...
Linn
7 months ago
I vaguely recall that activating the KSK again might help, but I don't know if that's the best solution. I should have reviewed that section more thoroughly.
upvoted 0 times
...
Sharee
8 months ago
I feel like replacing the KSK with a ZSK isn't the right move here. The KSK is supposed to be used for signing, right?
upvoted 0 times
...
Eulah
8 months ago
I think the error might be because the DS record isn't set up correctly. I practiced a similar question where we had to create a DS record in the parent zone.
upvoted 0 times
...
Kent
8 months ago
I remember something about needing a DS record for DNSSEC to establish the trust chain, but I'm not sure if it goes in the parent zone or the subdomain.
upvoted 0 times
...
Stephaine
8 months ago
Based on the options, it seems like creating a DS record in the parent hosted zone is the way to go. That should help establish the trust chain and resolve the error.
upvoted 0 times
...
Lonna
8 months ago
I'm a bit confused on the difference between a KSK and a zone-signing key (ZSK). I'll need to review those concepts before deciding on the right approach.
upvoted 0 times
...
Antonio
8 months ago
Okay, let's see here. The key-signing key (KSK) is already created, but there's a broken trust chain. I'm pretty sure the answer has to do with creating a Delegation Signer (DS) record somewhere.
upvoted 0 times
...
Elly
8 months ago
Hmm, this looks like a tricky DNSSEC question. I'll need to think through the steps carefully to make sure I don't miss anything.
upvoted 0 times
...
Carmen
8 months ago
Hmm, I'm not entirely sure about this one. The options seem to cover a range of information, but I'll need to think through which three are the most relevant for the technicians. Let me re-read the question a few times to make sure I understand it.
upvoted 0 times
...
Alica
8 months ago
Hmm, this is a tricky one. I'm leaning towards option A, RRC connection setup, since that's the initial signaling that happens when a UE successfully establishes an RRC connection. The statistics of those successful connections would likely trigger that setup signaling. But I'll double-check my understanding before answering.
upvoted 0 times
...
Shakira
8 months ago
Key strategy: Look for any logical implications. More power usually means more control, so I'm leaning toward True.
upvoted 0 times
...
Martina
8 months ago
I vaguely recall something about sight and usance being related to payment terms, not guarantees. This is tricky!
upvoted 0 times
...
Arlette
2 years ago
That's a good point, Donte. Maybe a combination of creating the DS record and replacing the KSK would be the best solution.
upvoted 0 times
...
Donte
2 years ago
But shouldn't the security engineer also consider replacing the KSK with a ZSK? That might help too.
upvoted 0 times
...
Carisa
2 years ago
I agree with Arlette. Creating a DS record in the parent hosted zone should establish the trust chain.
upvoted 0 times
...
Arlette
2 years ago
I think the security engineer should create a Delegation Signer (DS) record in the parent hosted zone. That should resolve the error.
upvoted 0 times
...
Alfreda
2 years ago
Alright, folks, let's stick to the task at hand. Option C is the way to go, no doubt about it. Time to ace this exam!
upvoted 0 times
...
Buck
2 years ago
Hah, you said it, Magdalene. DNSSEC, where the answers are made up and the trust chains don't matter. *rolls eyes*
upvoted 0 times
Cathern
2 years ago
C: Fingers crossed that it works this time!
upvoted 0 times
...
Lisandra
2 years ago
B: Good idea. Hopefully that resolves the trust chain error.
upvoted 0 times
...
Tien
2 years ago
A: Ok, let's try creating a Delegation Signer (DS) record in the subdomain.
upvoted 0 times
...
Fannie
2 years ago
D: That makes sense. Let's go with option D.
upvoted 0 times
...
Adell
2 years ago
C: No, D is the correct option. Create a Delegation Signer (DS) record in the subdomain.
upvoted 0 times
...
Nydia
2 years ago
B: I think C is the right answer. Create a Delegation Signer (DS) record in the parent hosted zone.
upvoted 0 times
...
Kaycee
2 years ago
A: Replace the KSK with a zone-signing key (ZSK).
upvoted 0 times
...
...
Magdalene
2 years ago
Exactly, that's the way to go. Gotta love those DNSSEC shenanigans, am I right? *chuckles*
upvoted 0 times
...
Doug
2 years ago
Aha, yes! Option C makes the most sense to me. The security engineer needs to create a DS record in the parent hosted zone to establish the trust chain. Brilliant!
upvoted 0 times
...

Save Cancel