Verify your domain with an X.509 certificate Verify your domain with a DNS TXT record

Verify domain control

Before you bring an IP address range to Amazon, you have to use one of the options described in this section to verify that you control the IP address space. Later, when you bring the IP address range to Amazon, Amazon validates that you control the IP address range. This validation ensures that customers cannot use IP ranges belonging to others, preventing routing and security issues.

There are two methods that you can use to verify that you control the range:

X.509 certificate: If your IP address range is registered with an Internet Registry that supports RDAP (such as ARIN, RIPE and APNIC), you can use an X.509 certificate to verify ownership of your domain.
DNS TXT record: Regardless of whether your Internet Registry supports RDAP, you can use a verification token and a DNS TXT record to verify ownership of your domain.

Verify your domain with an X.509 certificate
Verify your domain with a DNS TXT record

Verify your domain with an X.509 certificate

This section describes how to verify your domain with an X.509 certificate before you bring your IP address range to IPAM.

To verify your domain with an X.509 certificate

Complete the three steps in Onboarding prerequisites for your BYOIP address range in the Amazon EC2 User Guide.

Note
When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address prefix to /24. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address prefix must be /48. This ensures that you have full flexibility to divide your public IP address across Amazon Regions. IPAM enforces the maximum length you set. The maximum length is the smallest prefix length announcement you will allow for this route. For example, if you bring a /20 CIDR block to Amazon, by setting the maximum length to /24, you can divide the larger block any way you like (such as with /21, /22, or /24) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to /23, you would not be able to divide and advertise a /24 from the larger block. Also, note that /24 is the smallest IPv4 block and /48 is the smallest IPv6 block you can advertise from a Region to the internet.
Complete steps 1 and 2 only under Provision a publicly advertisable address range in Amazon in the Amazon EC2 User Guide, and don't provision the address range (step 3) yet. Save the text_message and signed_message. You'll need them later in this process.

When you've completed these steps, continue with Bring your own public IPv4 CIDR to IPAM using both the Amazon Management Console and the Amazon CLI or Bring your own public IPv4 CIDR to IPAM using only the Amazon CLI.

Verify your domain with a DNS TXT record

Complete the steps in this section to verify your domain with a DNS TXT record before you bring your IP address range to IPAM.

You can use DNS TXT records to validate that you control a public IP address range. DNS TXT records are a type of DNS record that contain information about your domain name. This feature enables you to bring IP addresses registered with any internet registry (such as JPNIC, LACNIC, and AFRINIC), not just those that support RDAP (Registration Data Access Protocol) record-based validations (such as ARIN, RIPE and APNIC).

Important

Before you can continue, you must have already created an IPAM in the Free or Advanced Tier. If you don’t have an IPAM, complete Create an IPAM first.

Step 1: Create a ROA if you don't have one
Step 2. Create a verification token
Step 3. Set up the DNS zone and TXT record

Step 1: Create a ROA if you don't have one

You must have a Route Origin Authorization (ROA) in your Regional Internet Registry (RIR) for IP address ranges you wish to advertise. If you don’t have a ROA in your RIR, complete 3. Create a ROA object in your RIR in the Amazon EC2 User Guide. Ignore the other steps.

The most specific IPv4 address range that you can bring is /24. The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

Step 2. Create a verification token

A verification token is an Amazon-generated random value that you can use to prove control of an external resource. For example, you can use a verification token to validate that you control a public IP address range when you bring an IP address range to Amazon (BYOIP).

Complete the steps in this section to create a verification token which you'll need in a later step in this tutorial to bring your IP address range to IPAM. Use the instructions below for either the Amazon console or the Amazon CLI.

Amazon Management Console

To create a verification token

Open the IPAM console at https://console.amazonaws.cn/ipam/.
In the Amazon Management Console, choose the Amazon Region where you created your IPAM.
In the left navigation pane, choose IPAMs.
Choose your IPAM and then choose the Verification tokens tab.
Select Create verification token.
After you create the token, leave this browser tab open. You’ll need the Token value, Token name in the next step and the Token ID in a later step.

Note the following:

Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
You can create up to 100 tokens. If you reach the limit, delete expired tokens.

Command line

Request that IPAM creates a verification token that you will use for the DNS configuration with create-ipam-external-resource-verification-token:


aws ec2 create-ipam-external-resource-verification-token --ipam-id ipam-id

This will return an IpamExternalResourceVerificationTokenId and token with TokenName and TokenValue, and the expiration time (NotAfter) of the token.


{ 
    "IpamExternalResourceVerificationToken": { 
        "IpamExternalResourceVerificationTokenId": "ipam-ext-res-ver-token-0309ce7f67a768cf0", 
        "IpamId": "ipam-0f9e8725ac3ae5754", 
        "TokenValue": "a34597c3-5317-4238-9ce7-50da5b6e6dc8", 
        "TokenName": "86950620", 
        "NotAfter": "2024-05-19T14:28:15.927000+00:00", 
        "Status": "valid", 
        "Tags": [], 
        "State": "create-in-progress" }
}

Note the following:

Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
You can view your tokens using describe-ipam-external-resource-verification-tokens.
You can create up to 100 tokens. If you reach the limit, you can delete expired tokens using delete-ipam-external-resource-verification-token.

Step 3. Set up the DNS zone and TXT record

Complete the steps in this section to set up the DNS zone and TXT record. If you are not using Route53 as your DNS, then follow the documentation provided by your DNS provider to set up a DNS Zone and add a TXT record.

If you are using Route53, note the following:

To create a Reverse Lookup Zone in the Amazon console, see Creating a public hosted zone in the Amazon Route 53 Developer Guide or use the Amazon CLI command create-hosted-zone.
To create a record in the Reverse Lookup Zone in the Amazon console, see Creating records by using the Amazon Route 53 console in the Amazon Route 53 Developer Guide or use the Amazon CLI command change-resource-record-sets.
After you are done creating your hosted zone, delegate the hosted zone from your RIR to the name servers provided by Route53 (such as for LACNIC or APNIC).

Whether you are using another DNS provider or Route53, when you set up the TXT record, note the following:

Record name should be your token name.
Record type should be TXT.
ResourceRecord Value should be the token value.

Example:

Name: 86950620.113.0.203.in-addr.arpa
Type: TXT
ResourceRecords Value: a34597c3-5317-4238-9ce7-50da5b6e6dc8

Where:

86950620 is the verification token name.
113.0.203.in-addr.arpa is the Reverse Lookup Zone name.
TXT is the record type.
a34597c3-5317-4238-9ce7-50da5b6e6dc8 is the verification token value.

Note

Depending on the size of the prefix to be brought to IPAM with BYOIP, one or more authentication records must be created in the DNS. These authentication records are of the record type TXT and must be placed into the reverse zone of the prefix itself or its parent prefix.

For IPv4, authentication records need to align to ranges at an octet boundary that make up the prefix.
- Examples
- For 198.18.123.0/24, which is already aligned at an octet boundary, you would need to create a single authentication record at:
  - token-name.123.18.198.in-addr.arpa. IN TXT “token-value”
- For 198.18.12.0/22, which itself is not aligned to octet boundary, you would need to create four authentication records. These records must cover the subnets 198.18.12.0/24, 198.18.13.0/24, 198.18.14.0/24, and 198.18.15.0/24 which are aligned at an octet boundary. The corresponding DNS entries must be:
  - token-name.12.18.198.in-addr.arpa. IN TXT “token-value”
  - token-name.13.18.198.in-addr.arpa. IN TXT “token-value”
  - token-name.14.18.198.in-addr.arpa. IN TXT “token-value”
  - token-name.15.18.198.in-addr.arpa. IN TXT “token-value”
- For 198.18.0.0/16, which is already aligned at an octet boundary, you need to create a single authentication record:
  - token-name.18.198.in-addr.arpa. IN TXT “token-value”
For IPv6, authentication records need to align to ranges at nibble boundary that make up the prefix. Valid nibble values are e.g. 32, 36, 40, 44, 48, 52, 56, and 60.
- Examples
  - For 2001:0db8::/40, which is already aligned at nibble boundary, you need to create a single authentication record:
    
    token-name.0.0.8.b.d.0.1.0.0.2.ip6.arpa TXT “token-value”
  - For 2001:0db8:80::/42, which is itself not aligned at nibble boundary, you need to create four authentication records. These records must cover the subnets 2001:db8:80::/44, 2001:db8:90::/44, 2001:db8:a0::/44, and 2001:db8:b0::/44 which are aligned at a nibble boundary. The corresponding DNS entries must be:
    
    token-name.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa TXT “token-value”
    
    token-name.9.0.0.8.b.d.0.1.0.0.2.ip6.arpa TXT “token-value”
    
    token-name.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
    
    token-name.b.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
  - For the non-advertised range 2001:db8:0:1000::/54, which is itself not aligned at a nibble boundary, you need to create four authentication records. These records must cover the subnets 2001:db8:0:1000::/56, 2001:db8:0:1100::/56, 2001:db8:0:1200::/56, and 2001:db8:0:1300::/56 which are aligned at a nibble boundary. The corresponding DNS entries must be:
    
    token-name.0.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
    
    token-name.1.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
    
    token-name.2.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
    
    token-name.3.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT “token-value”
- To validate the correct number of hexadecimal numbers between the token-name and the "ip6.arpa" string, multiply the number by four. The result should match the prefix length. For example, for a /56 prefix you should have 14 hexadecimal digits.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Bring your IP addresses to IPAM

BYOIP with Amazon console and CLI

Verify domain control

Contents

Verify your domain with an X.509 certificate

To verify your domain with an X.509 certificate

Note

Verify your domain with a DNS TXT record

Important

Contents

Step 1: Create a ROA if you don't have one

Step 2. Create a verification token

To create a verification token

Step 3. Set up the DNS zone and TXT record

Note