
My website is currently inaccessible due to the presence of a DS record in the parent zone, when I am using nameservers that don't support DNSSEC. See this question for more context.

I am using Amazon Route 53 as my registrar, and I can't see a way to remove the DS record using the interface. I tried the following steps, but it didn't work.

  1. Initially I was using Amazon Route 53 nameservers, which do not support DNSSEC. Therefore in the "DNSSEC Status" section it said "If you use a DNS service provider other than Route 53 and if the TLD registry supports DNSSEC, you can add and delete public keys from the TLD registry for the domain."
  2. I changed the nameservers to Cloudflare's.
  3. I added a public key.
  4. I removed the public key.
  5. I changed the nameservers back to Amazon's.

However, this did not work. "dig ds markfisher.photo" still shows a DS record and my website is still inaccessible.

How can I remove the DS record? I can't transfer to another registrar, as I transferred the domain to Amazon within the last 60 days (much more recently in fact). Also I do not have a support package with AWS, so I can't get human help :(

Do I need to wait longer between performing the above steps, perhaps?

Mark Fisher
  • Amazon seems not to support DNSSEC for zone signing but supports it as a registrar (which is exactly what you need)... In case you want DNSSEC enabled on Cloudflare, you need to set it up there and publish the public key using AWS... – Kamil J Jan 08 '20 at 12:28

1 Answer


The DS (and NS) records in the upper zone are the result of a setting on the registrar's side and are not directly part of the DNS zone they relate to. Especially for the DS record, the "magic" keyword is disabling DNSSEC: once you enable DNSSEC for the zone, one of the steps is provisioning the DS record(s).

AWS doc for DNSSEC setup (Jan 8th 2020):

Deleting Public Keys for a Domain

When you're rotating keys or you're disabling DNSSEC for the domain, delete public keys using the following procedure before you disable DNSSEC with your DNS service provider. We recommend that you wait for up to three days to delete public keys after you rotate keys or disable DNSSEC with your DNS service provider. Note the following:

  • If you're rotating public keys, we recommend that you wait for up to three days after you add the new public keys to delete the old public keys.
  • If you're disabling DNSSEC, delete public keys for the domain first. We recommend that you wait for up to three days before you disable DNSSEC with the DNS service for the domain.

Important

  • If DNSSEC is enabled for the domain and you disable DNSSEC with the DNS service, DNS resolvers that support DNSSEC will return a SERVFAIL error to clients, and the clients won't be able to access the endpoints that are associated with the domain.

To delete public keys for a domain

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
  2. In the navigation pane, choose Registered domains.
  3. Choose the name of the domain that you want to delete keys from.
  4. At the DNSSEC status field, choose Manage keys.
  5. Find the key that you want to delete, and choose Delete.

    • Note: You can only delete one public key at a time. If you need to delete more keys, wait until you receive a confirmation email from Amazon Route 53.
  6. When Route 53 receives a response from the registry, we send an email to the registrant contact for the domain. The email either confirms that the public key has been deleted from the domain at the registry or explains why the key couldn't be deleted.

Kamil J
  • In case you have transferred the zone and you do not see this setting available, I am afraid you would have to contact support with a support request, as it would be processed manually... Good luck! – Kamil J Jan 08 '20 at 12:23
  • That was the procedure I followed to remove the public key (step 4 in my question) though I do not think I ever got an email confirming either success or failure. In the end I paid for support to ask someone to do it manually. – Mark Fisher Jan 09 '20 at 18:20
  • It is hard to say how exactly it is (not) working with a transferred zone that had DNSSEC enabled during the transfer... Good luck with technical support. – Kamil J Jan 09 '20 at 20:36
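The failure mode behind the question is a DS record still published at the parent while the child zone serves no matching DNSKEY, which makes validating resolvers answer SERVFAIL. The following added example (not from the question, the answer, or AWS) computes the DS digest from a DNSKEY the way RFC 4034 specifies (SHA-256 over the canonical owner name plus the DNSKEY RDATA) and reports whether a parent's DS set is unsigned, consistent, or broken. The DNSKEY public-key bytes and the domain name are constructed for illustration; with real input you would paste the output of `dig DS <zone>` from the parent and `dig DNSKEY <zone>` from the child.

```python
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """Return (key tag, algorithm, digest type 2, hex digest) as a DS record would carry it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def chain_status(parent_ds, child_dnskeys, owner: str) -> str:
    """'unsigned' = no DS at parent; 'ok' = some DS matches a child DNSKEY;
    'broken' = DS present but no matching DNSKEY (validating resolvers SERVFAIL)."""
    if not parent_ds:
        return "unsigned"
    computed = {ds_from_dnskey(owner, *key) for key in child_dnskeys}
    parent = {(tag, alg, dt, digest.upper()) for tag, alg, dt, digest in parent_ds}
    return "ok" if parent & computed else "broken"


# Constructed sample (not a real key): a KSK-flagged DNSKEY for a placeholder zone.
ZONE = "example.test."
SAMPLE_KEY = (257, 3, 13, base64.b64encode(b"constructed-public-key-bytes").decode())
SAMPLE_DS = ds_from_dnskey(ZONE, *SAMPLE_KEY)
```

`chain_status([SAMPLE_DS], [], ZONE)` reproduces the asker's situation: the parent still points at a key the child no longer serves.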