Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C01 Topic 1 Question 56 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 56
Topic #: 1
[All SCS-C01 Questions]

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

Show Suggested Answer Hide Answer
Suggested Answer: D

To configure DNSSEC for a domain registered with Route 53, the most operationally efficient solution is to migrate the zone to Route 53 with DNSSEC signing enabled, create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key, and add a delegation signer (DS) record to the parent zone. This way, Route 53 handles the zone-signing key (ZSK) and the signing of the records in the hosted zone, and the customer only needs to manage the KSK in AWS KMS and provide the DS record to the domain registrar. Option A is incorrect because it does not involve migrating the zone to Route 53, which would simplify the DNSSEC configuration. Option B is incorrect because it creates both a ZSK and a KSK based on AWS KMS customer managed keys, which is unnecessary and less efficient than letting Route 53 manage the ZSK. Option C is incorrect because it does not involve migrating the zone to Route 53, and it requires running the dnssec-signzone command manually, which is less efficient than letting Route 53 sign the zone automatically. Verified Reference:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/


Contribute your Thoughts:

Aretha
5 months ago
I'm leaning towards option D. Migrating to Route 53 and using AWS KMS for KSK seems like a strong choice.
upvoted 0 times
...
Jacquelyne
5 months ago
I personally prefer option C. Running dnssec-signzone to generate DS record and using AWS KMS sounds secure.
upvoted 0 times
...
Fannie
5 months ago
But option B also sounds good. Migrating to Route 53 with DNSSEC signing enabled could simplify things.
upvoted 0 times
...
Shoshana
6 months ago
I agree with Winfred. Setting dnssec-enable to yes in BIND and creating ZSK and KSK seems straightforward.
upvoted 0 times
...
Winfred
6 months ago
I think option A is the most operationally efficient solution.
upvoted 0 times
...
Tawna
6 months ago
I prefer option A. Setting dnssec-enable to yes in BIND configuration and creating ZSK and KSK seems like a straightforward solution.
upvoted 0 times
...
Margery
6 months ago
I'm not sure about option D. Adding a delegation signer (DS) record to the parent zone might complicate things.
upvoted 0 times
...
Peggie
7 months ago
I agree with you, Willard. Using AWS Key Management Service for managing the keys adds an extra layer of security.
upvoted 0 times
...
Willard
7 months ago
I think option B sounds good. Migrating the zone to Route 53 with DNSSEC signing enabled seems like a secure solution.
upvoted 0 times
...
Willow
8 months ago
Ah, the age-old DNSSEC conundrum. I've been down this road before, and let me tell you, it's not pretty. But if I had to choose, I'd go with option B as well. Migrating to Route 53 and using AWS KMS seems like the most 'operationally efficient' solution, as the question puts it. Though I do wonder if the AWS KMS charges will add up over time...
upvoted 0 times
Zoila
7 months ago
A: Definitely, security is crucial when it comes to DNSSEC implementation.
upvoted 0 times
...
Natalie
7 months ago
C: Plus, AWS KMS integration might provide added security benefits.
upvoted 0 times
...
Gennie
8 months ago
B: That's a good point. Managing keys and DNSSEC in one place could simplify things.
upvoted 0 times
...
Lynda
8 months ago
A: Option D does sound efficient as well, but setting up everything in Route 53 directly might be easier to manage.
upvoted 0 times
...
Eliseo
8 months ago
C: What about option D? Migrating to Route 53 with DNSSEC signing enabled and using AWS KMS for the key-signing key.
upvoted 0 times
...
Benton
8 months ago
B: True, that does seem like a straightforward solution for DNSSEC.
upvoted 0 times
...
Yuette
8 months ago
A: Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS Key Management Service (AWS KMS) customer managed key.
upvoted 0 times
...
...
Page
8 months ago
You know, I was just reading about DNSSEC the other day. I think option B is the way to go. Letting Route 53 handle the DNSSEC signing and using AWS KMS for the keys seems like a no-brainer. It's the easiest way to get DNSSEC up and running without too much hassle.
upvoted 0 times
...
Muriel
8 months ago
Hmm, I'm not sure. Option C looks interesting, using BIND and AWS KMS, but I'm worried about the manual steps involved with generating the DS record. Option D also seems viable, but I'm not a fan of having to add the DS record to the parent zone.
upvoted 0 times
...
Rebbecca
8 months ago
This is a tricky one. DNSSEC can be a bit of a pain to set up, but it's crucial for securing our domain. I'm leaning towards option B - migrating to Route 53 with DNSSEC signing enabled and using AWS KMS for the keys. That seems like the most operationally efficient and secure solution.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77