Deletes a key-signing key (KSK). Before you can delete a KSK, you must deactivate it. The KSK must be deactivated before you can delete it regardless of whether the hosted zone is enabled for DNSSEC signing.

You can use DeactivateKeySigningKey to deactivate the key before you delete it.

Use GetDNSSEC to verify that the KSK is in an INACTIVE status.

See also: AWS API Documentation

Request Syntax

response = client.delete_key_signing_key(
  • HostedZoneId (string) --


    A unique string used to identify a hosted zone.

  • Name (string) --


    A string used to identify a key-signing key (KSK).

Return type



Response Syntax

    'ChangeInfo': {
        'Id': 'string',
        'Status': 'PENDING'|'INSYNC',
        'SubmittedAt': datetime(2015, 1, 1),
        'Comment': 'string'

Response Structure

  • (dict) --

    • ChangeInfo (dict) --

      A complex type that describes change information about changes made to your hosted zone.

      • Id (string) --

        This element contains an ID that you use when performing a GetChange action to get detailed information about the change.

      • Status (string) --

        The current state of the request. PENDING indicates that this request has not yet been applied to all Amazon Route 53 DNS servers.

      • SubmittedAt (datetime) --

        The date and time that the change request was submitted in ISO 8601 format and Coordinated Universal Time (UTC). For example, the value 2017-03-27T17:48:16.751Z represents March 27, 2017 at 17:48:16.751 UTC.

      • Comment (string) --

        A comment you can provide.


  • Route53.Client.exceptions.ConcurrentModification
  • Route53.Client.exceptions.NoSuchKeySigningKey
  • Route53.Client.exceptions.InvalidKeySigningKeyStatus
  • Route53.Client.exceptions.InvalidSigningStatus
  • Route53.Client.exceptions.InvalidKMSArn
  • Route53.Client.exceptions.InvalidInput