My website is currently inaccessible due to the presence of a DS record in the parent zone, when I am using nameservers that don't support DNSSEC. See this question for more context.
I am using Amazon Route 53 as my registrar, and I can't see a way to remove the DS record using the interface. I tried the following steps, but it didn't work.
- Initially I was using Amazon Route 53 nameservers, which do not support DNSSEC. Therefore, in the "DNSSEC Status" section it said "If you use a DNS service provider other than Route 53 and if the TLD registry supports DNSSEC, you can add and delete public keys from the TLD registry for the domain."
- I changed the nameservers to Cloudflare's.
- I added a public key
- I removed the public key.
- I changed the nameservers back to Amazon's
However, this did not work. "dig ds markfisher.photo" still shows a DS record and my website is still inaccessible.
How can I remove the DS record? I can't transfer to another registrar, as I transferred the domain to Amazon within the last 60 days (much more recently in fact). Also I do not have a support package with AWS, so I can't get human help 🙁
Do I need to wait longer between performing the above steps, perhaps?
Best Answer
The DS (and NS) records in the parent zone are the result of settings on the registrar side and are not directly part of the DNS zone they relate to. Especially for the DS record, the "magic" keyword is disabling DNSSEC: once you enable DNSSEC for a zone, one of the steps is to provision the DS record(s).
AWS doc for DNSSEC setup (Jan 8th 2020):
Deleting Public Keys for a Domain
When you're rotating keys or you're disabling DNSSEC for the domain, delete public keys using the following procedure before you disable DNSSEC with your DNS service provider. We recommend that you wait for up to three days to delete public keys after you rotate keys or disable DNSSEC with your DNS service provider. Note the following:
Important
To delete public keys for a domain
Find the key that you want to delete, and choose Delete.
When Route 53 receives a response from the registry, we send an email to the registrant contact for the domain. The email either confirms that the public key has been deleted from the domain at the registry or explains why the key couldn't be deleted.
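To see why a stale DS record takes the site down, it helps to reproduce what a validating resolver does with the two record sets involved: the DS in the parent (TLD) zone and the DNSKEY set the child's nameservers actually serve. The script below is an added illustration, not code from the question, the answer or AWS. It implements the DS digest from RFC 4034 section 5.1.4 (hash over the owner name in wire format followed by the DNSKEY RDATA) and the key tag from RFC 4034 Appendix B, then classifies the delegation as insecure, secure or bogus. The owner name, DNSKEY and DS values are constructed sample data with arbitrary filler key bytes; they are not the real markfisher.photo records.

```python
"""Classify a delegation the way a DNSSEC-validating resolver would.

Added example, not part of the original page. DS digest per RFC 4034 s5.1.4,
key tag per RFC 4034 Appendix B. All record data below is constructed.
"""
import base64
import hashlib

# DS digest type -> hash function (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x100  # DNSKEY flags bit 7: only zone keys may be trust anchors


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """(key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parse_dnskey(short_line: str) -> bytes:
    """'flags proto alg base64...' as printed by `dig DNSKEY <name> +short`."""
    parts = short_line.split()
    flags, proto, alg = (int(p) for p in parts[:3])
    return dnskey_rdata(flags, proto, alg, base64.b64decode("".join(parts[3:])))


def parse_ds(short_line: str):
    """'keytag alg digesttype hexdigest' as printed by `dig DS <name> +short`."""
    parts = short_line.split()
    return (int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).upper())


def chain_status(owner: str, ds_lines, dnskey_lines) -> str:
    """insecure: no DS in the parent, the child is unsigned and resolves normally.
    secure:   some DS matches a zone key the child serves.
    bogus:    DS present but nothing matches (including an empty DNSKEY set, the
              situation in the question); validating resolvers answer SERVFAIL."""
    ds_set = {parse_ds(line) for line in ds_lines}
    if not ds_set:
        return "insecure"
    for line in dnskey_lines:
        rdata = parse_dnskey(line)
        if not int.from_bytes(rdata[:2], "big") & ZONE_KEY_FLAG:
            continue
        for tag, alg, dtype, digest in ds_set:
            if dtype in DIGEST_ALGS and ds_from_dnskey(owner, rdata, dtype) == (tag, alg, dtype, digest):
                return "secure"
    return "bogus"


# Constructed sample: a KSK-style DNSKEY (flags 257, ECDSAP256SHA256) with filler key bytes.
SAMPLE_OWNER = "markfisher.photo."
SAMPLE_KEY_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DNSKEY_SHORT = "257 3 13 " + base64.b64encode(SAMPLE_KEY_RDATA[4:]).decode()
SAMPLE_DS_SHORT = " ".join(str(f) for f in ds_from_dnskey(SAMPLE_OWNER, SAMPLE_KEY_RDATA))


def demo() -> dict:
    """Three delegation states; the middle one is the question's failure mode."""
    return {
        "DS in parent, child serves matching DNSKEY":
            chain_status(SAMPLE_OWNER, [SAMPLE_DS_SHORT], [SAMPLE_DNSKEY_SHORT]),
        "DS in parent, child serves no DNSKEY (stale DS)":
            chain_status(SAMPLE_OWNER, [SAMPLE_DS_SHORT], []),
        "no DS in parent, child unsigned":
            chain_status(SAMPLE_OWNER, [], []),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

In practice you would feed it the real lines from `dig DS markfisher.photo +short` (asked of the TLD's servers, or any resolver) and `dig DNSKEY markfisher.photo +short` (asked of the nameservers the domain is delegated to). Route 53 serving no DNSKEY while the .photo zone still carries a DS is exactly the "bogus" branch, which is why resolvers such as 8.8.8.8 and 1.1.1.1 return SERVFAIL until the DS is removed at the registry; the fix is on the registrar side, not in the hosted zone.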