
AWS Certified Advanced Networking - Specialty
A company utilizes Amazon Route 53 for DNS services. The security team has implemented DNS Security Extensions (DNSSEC) to enhance the domain's security posture and now seeks clarification on the responsibility for rotating DNSSEC keys.
What should the network engineer communicate to the security team regarding the party responsible for DNSSEC key rotation?
Explanation:
DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity protection to DNS responses: a validating resolver can verify that an answer was produced by the authoritative zone and was not altered in transit. It provides no confidentiality (queries and answers are still plaintext), but it defeats cache-poisoning and response-tampering attacks. DNSSEC uses public-key cryptography to sign DNS records, with two kinds of keys: the zone-signing key (ZSK) signs the resource record sets in the zone, and the key-signing key (KSK) signs the DNSKEY RRset, which publishes the public halves of both the KSK and the ZSK.

In Amazon Route 53 the division of responsibility follows that chain of trust. Route 53 creates and manages the ZSK and rotates it automatically; a new ZSK is simply published in the zone's DNSKEY RRset and signed with the KSK, so the rotation needs no change outside the hosted zone. The KSK is backed by a customer managed asymmetric key in AWS KMS that the company owns, and rotating it is the company's job. The reason is the DS record: the parent zone (the TLD, updated through the registrar) holds a DS record containing a digest of the KSK's public key, so a new KSK means the DS record must be replaced at the parent, which Route 53 cannot do on the company's behalf. In practice the company creates a new KSK in the hosted zone, publishes its DS record at the registrar, waits for the old DS and DNSKEY records to expire from caches, and then deactivates and deletes the old KSK.

Therefore the correct answer is that AWS rotates the zone-signing key (ZSK) and the company rotates the key-signing key (KSK).
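The following added example (not part of the original page or of any AWS tooling) shows why the two rotations differ. It builds DNSKEY RDATA in wire format and derives the DS record exactly as RFC 4034 specifies (key tag per Appendix B, digest per section 5.1.4, using digest type 2, SHA-256, with algorithm 13 as Route 53 uses). The zone name example.com. and all key bytes are constructed placeholders, not real keys. Swapping the ZSK leaves the DS record untouched; swapping the KSK changes it, which is the update the company must push to the parent zone.

```python
"""Added example: DNSKEY -> DS derivation per RFC 4034, used to show which key
rotation changes the DS record held by the parent zone. All key material here
is constructed placeholder bytes, not a real key."""
import hashlib
import struct

# DNSKEY flag bits (RFC 4034 section 2.1)
ZONE_KEY = 0x0100          # bit 7: this key is a zone key
SEP = 0x0001               # bit 15: Secure Entry Point, set on a KSK (flags 257)
PROTOCOL = 3               # fixed value for DNSKEY
ALG_ECDSAP256SHA256 = 13   # algorithm Route 53 uses for its KSKs and ZSKs
DS_DIGEST_SHA256 = 2       # DS digest type 2

ZONE = "example.com."      # constructed zone name


def dnskey_rdata(flags: int, public_key: bytes, algorithm: int = ALG_ECDSAP256SHA256) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire format: lowercased, length-prefixed labels, root label."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(owner: str, ksk_rdata: bytes) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, hex digest) for the given KSK.
    Digest = SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(canonical_name(owner) + ksk_rdata).hexdigest().upper()
    return key_tag(ksk_rdata), ksk_rdata[3], DS_DIGEST_SHA256, digest


# Constructed placeholder public keys (a real P-256 key is 64 bytes, so the lengths match).
KSK_V1 = bytes(64)                # all zero: key tag is easy to verify by hand (1038)
KSK_V2 = bytes([0xAB]) * 64       # the "new" KSK after a company-driven rotation
ZSK_V1 = bytes([0x11]) * 64
ZSK_V2 = bytes([0x22]) * 64       # the "new" ZSK after a Route 53 automatic rotation


def zone_keys(ksk_pub: bytes, zsk_pub: bytes) -> dict:
    """DNSKEY RDATA for a KSK/ZSK pair plus the DS record the parent zone must hold."""
    ksk = dnskey_rdata(ZONE_KEY | SEP, ksk_pub)   # flags 257
    zsk = dnskey_rdata(ZONE_KEY, zsk_pub)         # flags 256
    return {"ksk": ksk, "zsk": zsk, "ds": ds_record(ZONE, ksk)}


def rotation_effects() -> dict:
    """Compare the DS record before and after each kind of rotation."""
    before = zone_keys(KSK_V1, ZSK_V1)
    after_zsk_rotation = zone_keys(KSK_V1, ZSK_V2)   # what Route 53 does on its own
    after_ksk_rotation = zone_keys(KSK_V2, ZSK_V1)   # what the zone owner must drive
    return {
        "zsk_rotation_changes_ds": before["ds"] != after_zsk_rotation["ds"],
        "ksk_rotation_changes_ds": before["ds"] != after_ksk_rotation["ds"],
        "ds_before": before["ds"],
        "ds_after_ksk_rotation": after_ksk_rotation["ds"],
    }


if __name__ == "__main__":
    result = rotation_effects()
    tag, alg, dtype, digest = result["ds_before"]
    print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")
    print("ZSK rotation changes DS:", result["zsk_rotation_changes_ds"])
    print("KSK rotation changes DS:", result["ksk_rotation_changes_ds"])
```

Run it and compare the two booleans: the DS digest depends only on the KSK's DNSKEY RDATA and the owner name, so a ZSK change is invisible to the parent, while a KSK change produces a new key tag and digest that the registrar must receive before the old KSK is retired.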