createKeySigningKey method
Creates a new key-signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
May throw ConcurrentModification.
May throw InvalidArgument.
May throw InvalidInput.
May throw InvalidKeySigningKeyName.
May throw InvalidKeySigningKeyStatus.
May throw InvalidKMSArn.
May throw InvalidSigningStatus.
May throw KeySigningKeyAlreadyExists.
May throw NoSuchHostedZone.
May throw TooManyKeySigningKeys.
Parameter callerReference :
A unique string that identifies the request.
Parameter hostedZoneId :
The unique string (ID) used to identify a hosted zone.
Parameter keyManagementServiceArn :
The Amazon resource name (ARN) for a customer managed key in Key
Management Service (KMS). The KeyManagementServiceArn must be
unique for each key-signing key (KSK) in a single hosted zone. To see an
example of KeyManagementServiceArn that grants the correct
permissions for DNSSEC, scroll down to Example.
You must configure the customer managed key as follows:
- Status
  - Enabled
- Key spec
  - ECC_NIST_P256
- Key usage
  - Sign and verify
- Key policy
  - The key policy must give permission for the following actions:
    - DescribeKey
    - GetPublicKey
    - Sign
  - "Service": "dnssec-route53.amazonaws.com"
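The key requirements above can be checked before calling createKeySigningKey. The following is an added example, not part of this package: preflightKsk is a hypothetical helper, and it assumes its inputs are the KeyMetadata map returned by KMS DescribeKey and the policy document returned by KMS GetKeyPolicy, with action names carrying the kms: prefix.

```dart
import 'dart:convert';

// KMS action names for the three permissions listed above (kms: prefix assumed).
const requiredActions = {'kms:DescribeKey', 'kms:GetPublicKey', 'kms:Sign'};
const dnssecPrincipal = 'dnssec-route53.amazonaws.com';

List<String> asList(Object? v) =>
    v == null ? <String>[] : (v is List ? v.cast<String>() : [v as String]);

/// Hypothetical helper: returns each documented requirement the key fails.
/// Assumes [keyMetadata] is KeyMetadata from KMS DescribeKey and [policyJson]
/// is the policy from KMS GetKeyPolicy. Deny and Condition are not evaluated.
List<String> preflightKsk(
    Map<String, dynamic> keyMetadata, String policyJson) {
  final problems = <String>[];
  const expected = {'KeyState': 'Enabled', 'KeySpec': 'ECC_NIST_P256',
      'KeyUsage': 'SIGN_VERIFY'};
  expected.forEach((field, want) {
    if (keyMetadata[field] != want) {
      problems.add('$field: expected $want, got ${keyMetadata[field]}');
    }
  });
  // Collect the actions allowed to the Route 53 DNSSEC service principal.
  final granted = <String>{};
  final raw = (jsonDecode(policyJson) as Map<String, dynamic>)['Statement'];
  // Statement may be a single object or a list; ignore anything else.
  for (final s in (raw is List ? raw : [raw]).whereType<Map>()) {
    final principal = s['Principal'];
    if (s['Effect'] == 'Allow' &&
        principal is Map &&
        asList(principal['Service']).contains(dnssecPrincipal)) {
      granted.addAll(asList(s['Action']));
    }
  }
  if (!granted.contains('kms:*') && !granted.contains('*')) {
    for (final a in requiredActions.difference(granted)) {
      problems.add('key policy: $a not allowed for $dnssecPrincipal');
    }
  }
  return problems;
}

void main() {
  // Constructed sample: wrong key spec, and the policy omits kms:Sign.
  final meta = {'KeyState': 'Enabled', 'KeySpec': 'RSA_2048', 'KeyUsage': 'SIGN_VERIFY'};
  const policy = '{"Statement":[{"Effect":"Allow",'
      '"Principal":{"Service":"dnssec-route53.amazonaws.com"},'
      '"Action":["kms:DescribeKey","kms:GetPublicKey"],"Resource":"*"}]}';
  preflightKsk(meta, policy).forEach(print);
}
```

Partial wildcards such as kms:Describe* are not expanded, so a policy that relies on them is reported as missing the action.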
Parameter name :
A string used to identify a key-signing key (KSK). Name can
include numbers, letters, and underscores (_). Name must be
unique for each key-signing key in the same hosted zone.
Parameter status :
A string specifying the initial status of the key-signing key (KSK). You
can set the value to ACTIVE or INACTIVE.
Implementation
Future<CreateKeySigningKeyResponse> createKeySigningKey({
  required String callerReference,
  required String hostedZoneId,
  required String keyManagementServiceArn,
  required String name,
  required String status,
}) async {
  final $result = await _protocol.sendRaw(
    method: 'POST',
    requestUri: '/2013-04-01/keysigningkey',
    payload: CreateKeySigningKeyRequest(
            callerReference: callerReference,
            hostedZoneId: hostedZoneId,
            keyManagementServiceArn: keyManagementServiceArn,
            name: name,
            status: status)
        .toXml('CreateKeySigningKeyRequest'),
    exceptionFnMap: _exceptionFns,
  );
  final $elem = await _s.xmlFromResponse($result);
  return CreateKeySigningKeyResponse(
    changeInfo: ChangeInfo.fromXml(_s.extractXmlChild($elem, 'ChangeInfo')!),
    keySigningKey:
        KeySigningKey.fromXml(_s.extractXmlChild($elem, 'KeySigningKey')!),
    location: _s.extractHeaderStringValue($result.headers, 'Location')!,
  );
}