feat(route53): DNSSEC zone signing (#28604)

This makes it possible to enable DNSSEC signing for a Route 53 hosted zone. A new `KeySigningKey` construct is created to enable generally creating KSKs. Additionally, an `enableDnssec` method is added to `HostedZone` that provides an easier interface. The later will create the KSK and further create the necessary `AWS::Route53::DNSSEC` resource to actually enable signing on the resource.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.dnssec.js.snapshot/aws-cdk-route53-dnssec.template.json

@@ -0,0 +1,152 @@
+{
+ "Resources": {
+  "KmsKskBaseF6291F14": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:DescribeKey",
+        "kms:GetPublicKey",
+        "kms:Sign"
+       ],
+       "Condition": {
+        "ArnEquals": {
+         "aws:SourceArn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":route53:::hostedzone/",
+            {
+             "Ref": "HostedZoneDB99F866"
+            }
+           ]
+          ]
+         }
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "dnssec-route53.amazonaws.com"
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": "kms:CreateGrant",
+       "Condition": {
+        "Bool": {
+         "kms:GrantIsForAWSResource": true
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "dnssec-route53.amazonaws.com"
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "KeySpec": "ECC_NIST_P256",
+    "KeyUsage": "SIGN_VERIFY"
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "HostedZoneDB99F866": {
+   "Type": "AWS::Route53::HostedZone",
+   "Properties": {
+    "Name": "cdk.test."
+   }
+  },
+  "HostedZoneKeySigningKey3418AFB4": {
+   "Type": "AWS::Route53::KeySigningKey",
+   "Properties": {
+    "HostedZoneId": {
+     "Ref": "HostedZoneDB99F866"
+    },
+    "KeyManagementServiceArn": {
+     "Fn::GetAtt": [
+      "KmsKskBaseF6291F14",
+      "Arn"
+     ]
+    },
+    "Name": "awscdkroute53dnssecHostedZoneKeySigningKeyEE4B885F",
+    "Status": "ACTIVE"
+   }
+  },
+  "HostedZoneDNSSEC79297416": {
+   "Type": "AWS::Route53::DNSSEC",
+   "Properties": {
+    "HostedZoneId": {
+     "Ref": "HostedZoneDB99F866"
+    }
+   },
+   "DependsOn": [
+    "HostedZoneKeySigningKey3418AFB4"
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}