Support for Route 53 DNSSEC #16836

Closed
gazoakley opened this issue Dec 18, 2020 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/iam Issues and PRs that pertain to the iam service. service/kms Issues and PRs that pertain to the kms service. service/route53 Issues and PRs that pertain to the route53 service.
gazoakley commented Dec 18, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Today, Amazon Web Services announced the launch of Domain Name System Security Extensions (DNSSEC) for Amazon Route 53. You can now enable DNSSEC signing for all existing and new public hosted zones, and enable DNSSEC validation for Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP.

When you enable DNSSEC signing on a hosted zone, Route 53 cryptographically signs each record in that hosted zone. Route 53 manages the zone-signing key, and you can manage the key-signing key in AWS Key Management Service (AWS KMS). Amazon’s domain name registrar, Route 53 Domains, already supports DNSSEC, and customers can now register domains and host their DNS on Route 53 with DNSSEC signing enabled.

New or Affected Resource(s)

  • aws_route53_zone
  • aws_route53_key_signing_key

Potential Terraform Configuration

```hcl
resource "aws_route53_zone" "example" {
  name = "example.com"
}

resource "aws_route53_key_signing_key" "example" {
  hosted_zone_id             = aws_route53_zone.example.id
  key_management_service_arn = aws_kms_key.example.arn
  name                       = "example_key"
  status                     = "ACTIVE"
}

resource "aws_route_53_zone_dnssec_enablement" "example" {
  depends_on     = [aws_route53_key_signing_key.example]
  hosted_zone_id = aws_route53_zone.example.id
}

resource "aws_kms_key" "example" {
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  policy                   = data.aws_iam_policy_document.example.json
}

data "aws_iam_policy_document" "example" {
  statement {
    actions = [
      "kms:DescribeKey",
      "kms:GetPublicKey",
      "kms:Sign",
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["api-service.dnssec.route53.aws.internal"]
    }
  }
}
```

References


bflad commented Dec 18, 2020

Might also be good to create a separate issue for managing Route 53 Resolver DNSSEC: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html (backed by APIs like UpdateResolverDnssecConfig)

Available here: #16837


bflad commented Dec 18, 2020

Will merge in the required AWS Go SDK version 1.36.11 update after we cut today's release. I should be able to get the aws_route53_key_signing_key resource implementation up later today, but please note that it will most likely not be released until after the new year due to our annual holiday break.

@bflad bflad self-assigned this Dec 18, 2020
bflad added a commit that referenced this issue Dec 18, 2020
Reference: #16834
Reference: #16836

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAwsRoute53KeySigningKey_disappears (209.62s)
--- PASS: TestAccAwsRoute53KeySigningKey_basic (233.38s)
--- PASS: TestAccAwsRoute53KeySigningKey_Status (295.66s)
```
bflad added a commit that referenced this issue Jan 6, 2021
bflad added a commit that referenced this issue Jan 11, 2021
Reference: #16834
Reference: #16836

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAwsRoute53KeySigningKey_disappears (134.60s)
--- PASS: TestAccAwsRoute53KeySigningKey_basic (135.34s)
--- PASS: TestAccAwsRoute53KeySigningKey_Status (180.85s)
```
@Sohaib112

When should we expect this to be available?

bflad added a commit that referenced this issue Feb 4, 2021
* New Resource: aws_route53_key_signing_key

Reference: #16834
Reference: #16836

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAwsRoute53KeySigningKey_disappears (134.60s)
--- PASS: TestAccAwsRoute53KeySigningKey_basic (135.34s)
--- PASS: TestAccAwsRoute53KeySigningKey_Status (180.85s)
```

Output from acceptance testing in AWS GovCloud (US):

```
=== CONT  TestAccAwsRoute53KeySigningKey_basic
    route53_key_signing_key_test.go:40: Route 53 Key Signing Key not available in this AWS Partition
--- SKIP: TestAccAwsRoute53KeySigningKey_basic (2.52s)
=== CONT  TestAccAwsRoute53KeySigningKey_Status
    route53_key_signing_key_test.go:40: Route 53 Key Signing Key not available in this AWS Partition
=== CONT  TestAccAwsRoute53KeySigningKey_disappears
    route53_key_signing_key_test.go:40: Route 53 Key Signing Key not available in this AWS Partition
--- SKIP: TestAccAwsRoute53KeySigningKey_Status (2.52s)
--- SKIP: TestAccAwsRoute53KeySigningKey_disappears (2.52s)
```

bflad commented Feb 4, 2021

The first part of this, an aws_route53_key_signing_key managed resource, has been merged and will release with version 3.27.0 of the Terraform AWS Provider later today. The next piece for managing Route 53 Hosted Zone DNSSEC configuration will be submitted in the next few days. Once that support is in, we can end-to-end test managing DS record set types.

bflad added a commit that referenced this issue Feb 5, 2021
Reference: #16836

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAwsRoute53HostedZoneDnssec_basic (205.85s)
--- PASS: TestAccAwsRoute53HostedZoneDnssec_disappears (232.79s)
--- PASS: TestAccAwsRoute53HostedZoneDnssec_SigningStatus (284.80s)
```

Output from acceptance testing in AWS GovCloud (US):

```
--- SKIP: TestAccAwsRoute53HostedZoneDnssec_basic (2.37s)
--- SKIP: TestAccAwsRoute53HostedZoneDnssec_SigningStatus (2.37s)
--- SKIP: TestAccAwsRoute53HostedZoneDnssec_disappears (2.37s)
```
bflad added a commit that referenced this issue Mar 1, 2021

bflad commented Mar 1, 2021

Support for a new aws_route53_hosted_zone_dnssec resource and DS record type support in the aws_route53_record resource has been merged. These features will release in version 3.31.0 of the Terraform AWS Provider, later this week. 👍

@bflad bflad closed this as completed Mar 1, 2021
@bflad bflad added this to the v3.31.0 milestone Mar 1, 2021
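
The configuration proposed at the top of this issue, rewritten with the resource names that were released (`aws_route53_key_signing_key` in 3.27.0, `aws_route53_hosted_zone_dnssec` in 3.31.0) and a key policy that keeps the account in control of the key. This is an added example, not code from the issue or from the provider. Assumptions: the zone and key names, the `dnssec-route53.amazonaws.com` service principal (taken from AWS documentation, not from this page) and the `aws:SourceAccount` condition.

```hcl
# Added example, not from the issue. Names and example.com are assumptions.
provider "aws" {
  region = "us-east-1" # the KMS key behind a key-signing key must live in us-east-1
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "ksk" {
  statement {
    actions   = ["kms:*"] # the account keeps administration of the key
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    # Route 53 may read the public key and sign; no key administration
    actions   = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["dnssec-route53.amazonaws.com"] # assumption, per AWS docs
    }
    condition {
      test     = "StringEquals" # only when Route 53 acts for this account
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_kms_key" "ksk" {
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  policy                   = data.aws_iam_policy_document.ksk.json
}

resource "aws_route53_zone" "example" {
  name = "example.com"
}

resource "aws_route53_key_signing_key" "example" {
  hosted_zone_id             = aws_route53_zone.example.id
  key_management_service_arn = aws_kms_key.ksk.arn
  name                       = "example_key"
}

resource "aws_route53_hosted_zone_dnssec" "example" {
  depends_on     = [aws_route53_key_signing_key.example] # a KSK must exist first
  hosted_zone_id = aws_route53_key_signing_key.example.hosted_zone_id
}
```

The key-signing key resource exports a `ds_record` attribute; once signing is enabled, that value is what goes into the `DS` record at the parent zone or registrar to complete the chain of trust.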

ghost commented Mar 5, 2021

This has been released in version 3.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented Mar 31, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 31, 2021