
/AWS1/IF_R53=>CREATEKEYSIGNINGKEY()

About CreateKeySigningKey

Creates a new key-signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.

Method Signature

METHODS /AWS1/IF_R53~CREATEKEYSIGNINGKEY
  IMPORTING
    !IV_CALLERREFERENCE TYPE /AWS1/R53NONCE OPTIONAL
    !IV_HOSTEDZONEID TYPE /AWS1/R53RESOURCEID OPTIONAL
    !IV_KEYMANAGEMENTSERVICEARN TYPE /AWS1/R53SIGNINGKEYSTRING OPTIONAL
    !IV_NAME TYPE /AWS1/R53SIGNINGKEYNAME OPTIONAL
    !IV_STATUS TYPE /AWS1/R53SIGNINGKEYSTATUS OPTIONAL
  RETURNING
    VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_r53crekeysigningkey01
  RAISING
    /AWS1/CX_R53CONCURRENTMOD
    /AWS1/CX_R53INVALIDARGUMENT
    /AWS1/CX_R53INVALIDINPUT
    /AWS1/CX_R53INVKEYSIGNINGKEY00
    /AWS1/CX_R53INVKEYSIGNINGKEY01
    /AWS1/CX_R53INVALIDKMSARN
    /AWS1/CX_R53INVSIGNINGSTATUS
    /AWS1/CX_R53KEYSIGNINGKEYALREX
    /AWS1/CX_R53NOSUCHHOSTEDZONE
    /AWS1/CX_R53TOOMANYKEYSIGNIN00
    /AWS1/CX_R53CLIENTEXC
    /AWS1/CX_R53SERVEREXC
    /AWS1/CX_RT_TECHNICAL_GENERIC
    /AWS1/CX_RT_SERVICE_GENERIC.

IMPORTING

Required arguments:

iv_callerreference TYPE /AWS1/R53NONCE

A unique string that identifies the request.

iv_hostedzoneid TYPE /AWS1/R53RESOURCEID

The unique string (ID) used to identify a hosted zone.

iv_keymanagementservicearn TYPE /AWS1/R53SIGNINGKEYSTRING

The Amazon resource name (ARN) for a customer managed key in Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.

You must configure the customer managed key as follows:

  • Status: Enabled

  • Key spec: ECC_NIST_P256

  • Key usage: Sign and verify

Key policy

The key policy must give permission for the following actions:

  • DescribeKey

  • GetPublicKey

  • Sign

The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:

  • "Service": "dnssec-route53.amazonaws.com"

For more information about working with a customer managed key in KMS, see Key Management Service concepts.
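A pre-flight check for the key requirements listed above, written as an added example that is not part of the SDK documentation. It assumes the key metadata uses the field names of the KMS DescribeKey response and the policy is the key policy JSON; the function names and sample data are constructed for illustration.

```python
import fnmatch

# Requirements from the parameter description above.
SERVICE = "dnssec-route53.amazonaws.com"
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GetPublicKey", "kms:Sign")
REQUIRED_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256",
                     "KeyUsage": "SIGN_VERIFY", "KeyManager": "CUSTOMER"}

# Constructed sample input: the policy omits kms:Sign on purpose.
SAMPLE_METADATA = dict(REQUIRED_METADATA)
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": ["kms:DescribeKey", "kms:GetPublicKey"], "Resource": "*"}]}


def _as_list(value):
    # Policy JSON allows a single value where a list is expected.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _names_service(stmt):
    # Only an explicit Service principal counts; "*" is not accepted here.
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and SERVICE in _as_list(principal.get("Service"))


def _covers(stmt, action):
    # Action patterns may use wildcards and are case-insensitive.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action")))


def check_ksk_key(metadata, policy):
    """Return findings; an empty list means the key meets the requirements.
    Condition, NotAction and NotPrincipal elements are not evaluated."""
    findings = [f"{field} is {metadata.get(field)!r}, expected {want!r}"
                for field, want in REQUIRED_METADATA.items()
                if metadata.get(field) != want]
    stmts = [s for s in _as_list(policy.get("Statement")) if _names_service(s)]
    for action in REQUIRED_ACTIONS:
        if any(s.get("Effect") == "Deny" and _covers(s, action) for s in stmts):
            findings.append(f"{action} is denied to {SERVICE}")
        elif not any(s.get("Effect") == "Allow" and _covers(s, action) for s in stmts):
            findings.append(f"{action} is not allowed for {SERVICE}")
    return findings
```

Running the check before calling CreateKeySigningKey surfaces a missing permission or a wrong key spec as a readable finding rather than as a failed API call.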

iv_name TYPE /AWS1/R53SIGNINGKEYNAME

A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.

iv_status TYPE /AWS1/R53SIGNINGKEYSTATUS

A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.

RETURNING

oo_output TYPE REF TO /aws1/cl_r53crekeysigningkey01


Examples

Syntax Example

This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.

DATA(lo_result) = lo_client->createkeysigningkey(
  iv_callerreference = |string|
  iv_hostedzoneid = |string|
  iv_keymanagementservicearn = |string|
  iv_name = |string|
  iv_status = |string|
).

This is an example of reading all possible response values:

" Nested response objects are checked before their getters are called.
IF lo_result IS NOT INITIAL.
  " Change record for the request.
  DATA(lo_changeinfo) = lo_result->get_changeinfo( ).
  IF lo_changeinfo IS NOT INITIAL.
    DATA(lv_changeid) = lo_changeinfo->get_id( ).
    DATA(lv_changestatus) = lo_changeinfo->get_status( ).
    DATA(lv_submittedat) = lo_changeinfo->get_submittedat( ).
    DATA(lv_comment) = lo_changeinfo->get_comment( ).
  ENDIF.
  " The key-signing key that was created.
  DATA(lo_keysigningkey) = lo_result->get_keysigningkey( ).
  IF lo_keysigningkey IS NOT INITIAL.
    DATA(lv_name) = lo_keysigningkey->get_name( ).
    DATA(lv_kmsarn) = lo_keysigningkey->get_kmsarn( ).
    DATA(lv_flag) = lo_keysigningkey->get_flag( ).
    DATA(lv_signingalgmnemonic) = lo_keysigningkey->get_signingalgorithmmnemonic( ).
    DATA(lv_signingalgtype) = lo_keysigningkey->get_signingalgorithmtype( ).
    DATA(lv_digestalgmnemonic) = lo_keysigningkey->get_digestalgorithmmnemonic( ).
    DATA(lv_digestalgtype) = lo_keysigningkey->get_digestalgorithmtype( ).
    DATA(lv_keytag) = lo_keysigningkey->get_keytag( ).
    DATA(lv_digestvalue) = lo_keysigningkey->get_digestvalue( ).
    DATA(lv_publickey) = lo_keysigningkey->get_publickey( ).
    DATA(lv_dsrecord) = lo_keysigningkey->get_dsrecord( ).
    DATA(lv_dnskeyrecord) = lo_keysigningkey->get_dnskeyrecord( ).
    DATA(lv_status) = lo_keysigningkey->get_status( ).
    DATA(lv_statusmessage) = lo_keysigningkey->get_statusmessage( ).
    DATA(lv_createddate) = lo_keysigningkey->get_createddate( ).
    DATA(lv_lastmodifieddate) = lo_keysigningkey->get_lastmodifieddate( ).
  ENDIF.
  DATA(lv_location) = lo_result->get_location( ).
ENDIF.