Creates a new key signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
route53_create_key_signing_key(CallerReference, HostedZoneId,
  KeyManagementServiceArn, Name, Status)

CallerReference
[required] A unique string that identifies the request.

HostedZoneId
[required] The unique string (ID) used to identify a hosted zone.

KeyManagementServiceArn
[required] The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.

You must configure the CMK as follows:

- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify

The key policy must give permission for the following actions:

- DescribeKey
- GetPublicKey
- Sign

The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:

"Service": "api-service.dnssec.route53.aws.internal"

For more information about working with CMK in KMS, see AWS Key Management Service concepts.

Name
[required] An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone.

Status
[required] A string specifying the initial status of the key signing key (KSK). You can set the value to ACTIVE or INACTIVE.
svc$create_key_signing_key(
  CallerReference = "string",
  HostedZoneId = "string",
  KeyManagementServiceArn = "string",
  Name = "string",
  Status = "string"
)
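
A pre-flight check for the CMK requirements listed under KeyManagementServiceArn, as an added example that is not part of the paws documentation. It assumes `meta` has the shape of the KeyMetadata returned by KMS DescribeKey and that the policy is the key policy JSON document; `check_ksk_cmk` and the sample values are hypothetical and constructed for illustration.

```r
library(jsonlite)

# Actions and service principal the page requires in the CMK key policy.
required_actions <- c("kms:DescribeKey", "kms:GetPublicKey", "kms:Sign")
dnssec_principal <- "api-service.dnssec.route53.aws.internal"

# Hypothetical helper: returns a character vector of problems (empty = usable).
# `meta` mirrors KMS KeyMetadata; `policy_json` is the key policy as a string.
# Literal matching only: wildcard actions and Condition blocks are not evaluated.
check_ksk_cmk <- function(meta, policy_json) {
  problems <- character(0)
  if (!identical(meta$KeyState, "Enabled"))
    problems <- c(problems, "key is not Enabled")
  if (!identical(meta$KeySpec, "ECC_NIST_P256"))
    problems <- c(problems, "key spec is not ECC_NIST_P256")
  if (!identical(meta$KeyUsage, "SIGN_VERIFY"))
    problems <- c(problems, "key usage is not sign and verify")

  statements <- fromJSON(policy_json, simplifyVector = FALSE)$Statement
  # A policy may carry a single statement object instead of an array.
  if (!is.null(names(statements))) statements <- list(statements)
  granted <- character(0)
  for (s in statements) {
    services <- if (is.list(s$Principal)) unlist(s$Principal$Service) else NULL
    if (identical(s$Effect, "Allow") && dnssec_principal %in% services)
      granted <- c(granted, unlist(s$Action))
  }
  missing <- setdiff(required_actions, granted)
  if (length(missing) > 0)
    problems <- c(problems, paste("policy does not allow the service:", missing))
  problems
}

# Constructed sample: key metadata is correct, but the policy omits kms:Sign.
meta <- list(KeyState = "Enabled", KeySpec = "ECC_NIST_P256", KeyUsage = "SIGN_VERIFY")
policy <- '{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow Route 53 DNSSEC Service",
    "Effect": "Allow",
    "Principal": {"Service": "api-service.dnssec.route53.aws.internal"},
    "Action": ["kms:DescribeKey", "kms:GetPublicKey"],
    "Resource": "*"
  }]
}'
print(check_ksk_cmk(meta, policy))
```

With live credentials, the two inputs would come from the KMS client's `describe_key()` (its `KeyMetadata` element) and `get_key_policy()` (its `Policy` element).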