---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# aws_route53_hosted_zone{% #aws_route53_hosted_zone %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `caller_reference`{% #caller_reference %}

**Type**: `STRING`**Provider name**: `CallerReference`**Description**: The value that you specified for `CallerReference` when you created the hosted zone.

## `config`{% #config %}

**Type**: `STRUCT`**Provider name**: `Config`**Description**: A complex type that includes the `Comment` and `PrivateZone` elements. If you omitted the `HostedZoneConfig` and `Comment` elements from the request, the `Config` and `Comment` elements don't appear in the response.

- `comment`**Type**: `STRING`**Provider name**: `Comment`**Description**: Any comments that you want to include about the hosted zone.
- `private_zone`**Type**: `BOOLEAN`**Provider name**: `PrivateZone`**Description**: A value that indicates whether this is a private hosted zone.

## `delegation_set`{% #delegation_set %}

**Type**: `STRUCT`**Provider name**: `DelegationSet`**Description**: A complex type that lists the Amazon Route 53 name servers for the specified hosted zone.

- `caller_reference`**Type**: `STRING`**Provider name**: `CallerReference`**Description**: The value that you specified for `CallerReference` when you created the reusable delegation set.
- `id`**Type**: `STRING`**Provider name**: `Id`**Description**: The ID that Amazon Route 53 assigns to a reusable delegation set.
- `name_servers`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `NameServers`**Description**: A complex type that contains a list of the authoritative name servers for a hosted zone or for a reusable delegation set.

## `dnssec`{% #dnssec %}

**Type**: `STRUCT`**Provider name**: `GetDNSSECResponse`

- `key_signing_keys`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `KeySigningKeys`**Description**: The key-signing keys (KSKs) in your account.
  - `created_date`**Type**: `TIMESTAMP`**Provider name**: `CreatedDate`**Description**: The date when the key-signing key (KSK) was created.
  - `digest_algorithm_mnemonic`**Type**: `STRING`**Provider name**: `DigestAlgorithmMnemonic`**Description**: A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by [RFC-8624 Section 3.3](https://tools.ietf.org/html/rfc8624#section-3.3).
  - `digest_algorithm_type`**Type**: `INT32`**Provider name**: `DigestAlgorithmType`**Description**: An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by [RFC-8624 Section 3.3](https://tools.ietf.org/html/rfc8624#section-3.3).
  - `digest_value`**Type**: `STRING`**Provider name**: `DigestValue`**Description**: A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
  - `dnskey_record`**Type**: `STRING`**Provider name**: `DNSKEYRecord`**Description**: A string that represents a DNSKEY record.
  - `ds_record`**Type**: `STRING`**Provider name**: `DSRecord`**Description**: A string that represents a delegation signer (DS) record.
  - `flag`**Type**: `INT32`**Provider name**: `Flag`**Description**: An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
  - `key_tag`**Type**: `INT32`**Provider name**: `KeyTag`**Description**: An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in [RFC-4034 Appendix B](https://tools.ietf.org/rfc/rfc4034.txt).
  - `kms_arn`**Type**: `STRING`**Provider name**: `KmsArn`**Description**: The Amazon resource name (ARN) used to identify the customer managed key in Key Management Service (KMS). The `KmsArn` must be unique for each key-signing key (KSK) in a single hosted zone. You must configure the customer managed key as follows:
    {% dl %}
    
    {% dt %}
Status
    {% /dt %}

    {% dd %}
Enabled
    {% /dd %}

    {% dt %}
Key spec
    {% /dt %}

    {% dd %}
ECC_NIST_P256
    {% /dd %}

    {% dt %}
Key usage
    {% /dt %}

    {% dd %}
Sign and verify
    {% /dd %}

    {% dt %}
Key policy
    {% /dt %}

    {% dd %}
    The key policy must give permission for the following actions:
    - DescribeKey
    - GetPublicKey
    - Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
    - `"Service": "dnssec-route53.amazonaws.com"`

        {% /dd %}

        {% /dl %}
For more information about working with the customer managed key in KMS, see [Key Management Service concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).
  - `last_modified_date`**Type**: `TIMESTAMP`**Provider name**: `LastModifiedDate`**Description**: The last time that the key-signing key (KSK) was changed.
  - `name`**Type**: `STRING`**Provider name**: `Name`**Description**: A string used to identify a key-signing key (KSK). `Name` can include numbers, letters, and underscores (_). `Name` must be unique for each key-signing key in the same hosted zone.
  - `public_key`**Type**: `STRING`**Provider name**: `PublicKey`**Description**: The public key, represented as a Base64 encoding, as required by [RFC-4034 Page 5](https://tools.ietf.org/rfc/rfc4034.txt).
  - `signing_algorithm_mnemonic`**Type**: `STRING`**Provider name**: `SigningAlgorithmMnemonic`**Description**: A string used to represent the signing algorithm. This value must follow the guidelines provided by [RFC-8624 Section 3.1](https://tools.ietf.org/html/rfc8624#section-3.1).
  - `signing_algorithm_type`**Type**: `INT32`**Provider name**: `SigningAlgorithmType`**Description**: An integer used to represent the signing algorithm. This value must follow the guidelines provided by [RFC-8624 Section 3.1](https://tools.ietf.org/html/rfc8624#section-3.1).
  - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: A string that represents the current key-signing key (KSK) status. Status can have one of the following values:
    {% dl %}
    
    {% dt %}
ACTIVE
    {% /dt %}

    {% dd %}
The KSK is being used for signing.
    {% /dd %}

    {% dt %}
INACTIVE
    {% /dt %}

    {% dd %}
The KSK is not being used for signing.
    {% /dd %}

    {% dt %}
DELETING
    {% /dt %}

    {% dd %}
The KSK is in the process of being deleted.
    {% /dd %}

    {% dt %}
ACTION_NEEDED
    {% /dt %}

    {% dd %}
There is a problem with the KSK that requires you to take action to resolve. For example, the customer managed key might have been deleted, or the permissions for the customer managed key might have been changed.
    {% /dd %}

    {% dt %}
INTERNAL_FAILURE
    {% /dt %}

    {% dd %}
There was an error during a request. Before you can continue to work with DNSSEC signing, including actions that involve this KSK, you must correct the problem. For example, you may need to activate or deactivate the KSK.
    {% /dd %}

        {% /dl %}
  - `status_message`**Type**: `STRING`**Provider name**: `StatusMessage`**Description**: The status message provided for the following key-signing key (KSK) statuses: `ACTION_NEEDED` or `INTERNAL_FAILURE`. The status message includes information about what the problem might be and steps that you can take to correct the issue.
- `status`**Type**: `STRUCT`**Provider name**: `Status`**Description**: A string representing the status of DNSSEC.
  - `serve_signature`**Type**: `STRING`**Provider name**: `ServeSignature`**Description**: A string that represents the current hosted zone signing status. Status can have one of the following values:
    {% dl %}
    
    {% dt %}
SIGNING
    {% /dt %}

    {% dd %}
DNSSEC signing is enabled for the hosted zone.
    {% /dd %}

    {% dt %}
NOT_SIGNING
    {% /dt %}

    {% dd %}
DNSSEC signing is not enabled for the hosted zone.
    {% /dd %}

    {% dt %}
DELETING
    {% /dt %}

    {% dd %}
DNSSEC signing is in the process of being removed for the hosted zone.
    {% /dd %}

    {% dt %}
ACTION_NEEDED
    {% /dt %}

    {% dd %}
There is a problem with signing in the hosted zone that requires you to take action to resolve. For example, the customer managed key might have been deleted, or the permissions for the customer managed key might have been changed.
    {% /dd %}

    {% dt %}
INTERNAL_FAILURE
    {% /dt %}

    {% dd %}
There was an error during a request. Before you can continue to work with DNSSEC signing, including with key-signing keys (KSKs), you must correct the problem by enabling or disabling DNSSEC signing for the hosted zone.
    {% /dd %}

        {% /dl %}
  - `status_message`**Type**: `STRING`**Provider name**: `StatusMessage`**Description**: The status message provided for the following DNSSEC signing status: `INTERNAL_FAILURE`. The status message includes information about what the problem might be and steps that you can take to correct the issue.

## `hosted_zone_arn`{% #hosted_zone_arn %}

**Type**: `STRING`

## `id`{% #id %}

**Type**: `STRING`**Provider name**: `Id`**Description**: The ID that Amazon Route 53 assigned to the hosted zone when you created it.

## `linked_service`{% #linked_service %}

**Type**: `STRUCT`**Provider name**: `LinkedService`**Description**: If the hosted zone was created by another service, the service that created the hosted zone. When a hosted zone is created by another service, you can't edit or delete it using Route 53.

- `description`**Type**: `STRING`**Provider name**: `Description`**Description**: If the health check or hosted zone was created by another service, an optional description that can be provided by the other service. When a resource is created by another service, you can't edit or delete it using Amazon Route 53.
- `service_principal`**Type**: `STRING`**Provider name**: `ServicePrincipal`**Description**: If the health check or hosted zone was created by another service, the service that created the resource. When a resource is created by another service, you can't edit or delete it using Amazon Route 53.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `Name`**Description**: The name of the domain. For public hosted zones, this is the name that you have registered with your DNS registrar. For information about how to specify characters other than `a-z`, `0-9`, and `-` (hyphen) and how to specify internationalized domain names, see [CreateHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateHostedZone.html).

## `resource_record_set_count`{% #resource_record_set_count %}

**Type**: `INT64`**Provider name**: `ResourceRecordSetCount`**Description**: The number of resource record sets in the hosted zone.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `vpcs`{% #vpcs %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `VPCs`**Description**: A complex type that contains information about the VPCs that are associated with the specified hosted zone.

- `vpc_id`**Type**: `STRING`**Provider name**: `VPCId`
- `vpc_region`**Type**: `STRING`**Provider name**: `VPCRegion`**Description**: (Private hosted zones only) The region that an Amazon VPC was created in.