Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C01 Topic 3 Question 58 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 58
Topic #: 3
[All SCS-C01 Questions]

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

Show Suggested Answer Hide Answer
Suggested Answer: D

To configure DNSSEC for a domain registered with Route 53, the most operationally efficient solution is to migrate the zone to Route 53 with DNSSEC signing enabled, create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key, and add a delegation signer (DS) record to the parent zone. This way, Route 53 handles the zone-signing key (ZSK) and the signing of the records in the hosted zone, and the customer only needs to manage the KSK in AWS KMS and provide the DS record to the domain registrar. Option A is incorrect because it does not involve migrating the zone to Route 53, which would simplify the DNSSEC configuration. Option B is incorrect because it creates both a ZSK and a KSK based on AWS KMS customer managed keys, which is unnecessary and less efficient than letting Route 53 manage the ZSK. Option C is incorrect because it does not involve migrating the zone to Route 53, and it requires running the dnssec-signzone command manually, which is less efficient than letting Route 53 sign the zone automatically. Verified Reference:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/


Contribute your Thoughts:

Dexter
6 months ago
True, but option C also uses AWS KMS to secure the keys. It's a tough choice.
upvoted 0 times
...
Wilson
6 months ago
Option D mentions using AWS Key Management Service, which adds an extra layer of security.
upvoted 0 times
...
Lacresha
7 months ago
I'm leaning towards option C, it seems like a secure solution.
upvoted 0 times
...
Dexter
7 months ago
But option A allows us to host the domain on Amazon EC2 instances using BIND.
upvoted 0 times
...
Wilson
7 months ago
I disagree, I believe option D is more efficient.
upvoted 0 times
...
Dexter
7 months ago
I think option A is the best solution.
upvoted 0 times
...
Royce
8 months ago
That's also a valid approach, but we would need to create a delegation signer record using the dnssec-signzone command.
upvoted 0 times
...
Craig
8 months ago
Wouldn't it also be valid to set the dnssec-enable option to yes in the BIND configuration?
upvoted 0 times
...
Royce
8 months ago
Yes, that option involves creating a zone-signing key and a key-signing key based on an AWS KMS customer managed key.
upvoted 0 times
...
Craig
8 months ago
I think the best solution is to migrate the zone to Route 53 with DNSSEC signing enabled, right?
upvoted 0 times
Lorenza
7 months ago
Definitely. It's always good to have proper security measures in place.
upvoted 0 times
...
Rana
7 months ago
Yeah, AWS Key Management Service can help ensure secure key management.
upvoted 0 times
...
Ligia
8 months ago
Agreed. Migrating to Route 53 seems like a solid choice for DNSSEC.
upvoted 0 times
...
Harrison
8 months ago
That makes sense too, it's important to secure the keys.
upvoted 0 times
...
Vernice
8 months ago
D) Migrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.
upvoted 0 times
...
Jennifer
8 months ago
That sounds like a good option.
upvoted 0 times
...
Salena
8 months ago
B) Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS Key Management Service (AWS KMS) customer managed key.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77