Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Amazon Exam SCS-C01 Topic 3 Question 63 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 63
Topic #: 3
[All SCS-C01 Questions]

A company wants to configure DNS Security Extensions (DNSSEC) for the company's primary domain. The company registers the domain with Amazon Route 53. The company hosts the domain on Amazon EC2 instances by using BIND.

What is the MOST operationally efficient solution that meets this requirement?

Show Suggested Answer Hide Answer
Suggested Answer: D

To configure DNSSEC for a domain registered with Route 53, the most operationally efficient solution is to migrate the zone to Route 53 with DNSSEC signing enabled, create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key, and add a delegation signer (DS) record to the parent zone. This way, Route 53 handles the zone-signing key (ZSK) and the signing of the records in the hosted zone, and the customer only needs to manage the KSK in AWS KMS and provide the DS record to the domain registrar. Option A is incorrect because it does not involve migrating the zone to Route 53, which would simplify the DNSSEC configuration. Option B is incorrect because it creates both a ZSK and a KSK based on AWS KMS customer managed keys, which is unnecessary and less efficient than letting Route 53 manage the ZSK. Option C is incorrect because it does not involve migrating the zone to Route 53, and it requires running the dnssec-signzone command manually, which is less efficient than letting Route 53 sign the zone automatically. Verified Reference:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/


by Harrison at Jun 23, 2024, 09:04 AM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Melissa
5 months ago
Option B, all the way! Let's let AWS handle the heavy lifting. That way, we can focus on more important tasks, like browsing memes on the company time.
upvoted 0 times
Providencia
4 months ago
I agree, less work for us to do. Plus, more time for meme browsing!
upvoted 0 times
...
Anthony
4 months ago
Option B sounds like the best choice. Let AWS take care of the DNSSEC signing.
upvoted 0 times
...
...
Rosalia
5 months ago
Hmm, I'm not sure. Option C looks like it has more manual steps, but it might give us more control. I'll have to think about this one.
upvoted 0 times
Lashonda
4 months ago
True, Option C might offer more control over the process. It's worth considering the trade-offs.
upvoted 0 times
...
Kayleigh
5 months ago
Option C does seem to involve more manual steps, but it could provide better security measures.
upvoted 0 times
...
Shoshana
5 months ago
I agree, Option A sounds efficient. It's always good to go with the simplest option.
upvoted 0 times
...
Mi
5 months ago
Option A seems straightforward and simple. It might be the quickest solution.
upvoted 0 times
...
...
Lenny
5 months ago
I personally prefer option D. Migrating the zone to Route 53 with DNSSEC signing enabled and using AWS KMS for key management seems like a secure choice.
upvoted 0 times
...
Zita
5 months ago
Option D is my pick. Creating the KSK with AWS KMS and adding the DS record to the parent zone is a clean approach.
upvoted 0 times
Christene
5 months ago
I agree, Option D seems like the most secure and efficient solution for configuring DNSSEC with Route 53.
upvoted 0 times
...
Myong
5 months ago
Option D is definitely the way to go. Using AWS KMS for the KSK and adding the DS record is a secure choice.
upvoted 0 times
...
...
Tegan
6 months ago
That's a good point, Shaun. Option C does seem to provide a more comprehensive solution with the DS record generation.
upvoted 0 times
...
Shaun
6 months ago
I disagree, I believe option C is more efficient. It also involves setting dnssec-enable in BIND, but it generates a DS record using dnssec-signzone command.
upvoted 0 times
...
Adell
6 months ago
I agree with Roselle. Option B is the way to go. It's less hassle than managing the keys and signing process ourselves.
upvoted 0 times
...
Tegan
6 months ago
I think option A is the best choice. It involves configuring DNSSEC in BIND and creating ZSK and KSK keys.
upvoted 0 times
...
Roselle
6 months ago
Option B seems like the most straightforward solution. Leveraging AWS services like Route 53 and KMS makes it easy to set up DNSSEC.
upvoted 0 times
Wilbert
5 months ago
Option B does seem like the most efficient way to go. Using AWS services for DNSSEC setup simplifies the process.
upvoted 0 times
...
Lucille
5 months ago
C) Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS Key Management Service (AWS KMS) to secure the keys.
upvoted 0 times
...
Belen
5 months ago
B) Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS Key Management Service (AWS KMS) customer managed key.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77