Amazon Exam SCS-C02 Topic 6 Question 31 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 31
Topic #: 6

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.

What should the security engineer do to resolve this error?

AReplace the KSK with a zone-signing key (ZSK).

BDeactivate and then activate the KSK.

CCreate a Delegation Signer (DS) record in the parent hosted zone.

DCreate a Delegation Signer (DS) record in the subdomain.

Show Suggested Answer

Suggested Answer: C

by Brice at Sep 16, 2024, 10:33 PM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Kanisha

3 months ago

Haha, I bet the security engineer is scratching their head right now. Don't worry, buddy, C is the way to go!

upvoted 0 times

Kendra

2 months ago

Thanks for the tip! I'll go with option C then.

upvoted 0 times

...

Jordan

2 months ago

Yeah, creating a Delegation Signer (DS) record in the parent hosted zone should resolve the error.

upvoted 0 times

...

Ernie

2 months ago

I think C is the correct answer.

upvoted 0 times

...

Reita

3 months ago

I'm not sure, but maybe replacing the KSK with a ZSK could also fix the issue.

upvoted 0 times

...

Elin

3 months ago

Ah, I see. The security engineer needs to establish the trust chain by adding the DS record in the parent hosted zone. That should do the trick!

upvoted 0 times

...

Jovita

3 months ago

I agree with William. Creating a DS record in the parent hosted zone should resolve the broken trust chain error.

upvoted 0 times

...

Tamala

3 months ago

Hmm, I think the answer is C. Creating a Delegation Signer (DS) record in the parent hosted zone seems like the logical step to resolve the broken trust chain.

upvoted 0 times

Miriam

2 months ago

That's a good point, using a ZSK instead of a KSK could potentially resolve the issue as well.

upvoted 0 times

...

Lavonne

2 months ago

But wouldn't replacing the KSK with a ZSK also help in resolving the error?

upvoted 0 times

...

Dominic

2 months ago

I agree, creating a DS record in the parent hosted zone should establish the trust chain correctly.

upvoted 0 times

...

Jackie

2 months ago

A: Let's go ahead and try creating the DS record in the parent hosted zone to see if it resolves the error.

upvoted 0 times

...

Tina

2 months ago

B: Yeah, that sounds like the right solution to fix the broken trust chain.

upvoted 0 times

...

Joni

2 months ago

A: I think the answer is C too. It makes sense to create a Delegation Signer (DS) record in the parent hosted zone.

upvoted 0 times

...

Alida

3 months ago

I think the answer is C. Creating a Delegation Signer (DS) record in the parent hosted zone seems like the logical step to resolve the broken trust chain.

upvoted 0 times

...

William

4 months ago

I think the security engineer should create a Delegation Signer (DS) record in the parent hosted zone.

upvoted 0 times

...