45

I have two AWS accounts. The master account with example.com as a Hosted Zone, this then has a number of record sets (i.e. api.example.com and kibana.example.com).

A second account will be managing testing.example.com as a Hosted Zone, with the same set of record sets (i.e. api.testing.example.com and kibana.testing.example.com).

How to I tell the master account to refer requests for .testing.example.com down to the child account. I don't want to change the master account as I want to use the same Cloud Formation templates in both 'Live' and 'Test'.

I've set the two up as above and it does not work (api.testing.example.com does not resolve). I've also tried setting the testing.example.com ns record in the master account to the one specified in the child account(1). Alas this is not something I've done before and Google searches are not returning anything.

1) I messed this up, and this is the answer. See below.

mlk
  • 561
  • 4
    Would the down voter kindly explain why? If the question is of-topic that is fine, I'll delete. But down voting and running tells me nothing. – mlk Nov 29 '16 at 12:57
  • 1
    You could try this and work out the answer yourself in about ten minutes. I suspect the answer is yes, because you can add subdomains to Route 53. I suspect this is why you were downvoted. – Tim Nov 29 '16 at 19:02
  • 3
    Try what? I've done the above and it does not work. – mlk Nov 29 '16 at 19:13
  • Does the master account have example.com or *.example.com as the zone? I don't think you can have *.example.com as a zone name, can you? Can you give us the actual FQDNs in play? – ceejayoz Nov 29 '16 at 19:23
  • Do dig ns testing.example.com and confirm that the set of nameservers is that of the child account's zone. Then, dig @one.of.those.nameservers api.testing.example.com and evaluate the output. – ceejayoz Nov 29 '16 at 20:29
  • Is your testing.example.com is internet facing? I mean publicly accessible. Or it is accessible only on VPN for just for internal testing. – Shailesh Sutar Nov 29 '16 at 21:13

3 Answers3

55

How to I tell the master account to push requests for .testing.example.com down to the child account.

The requests are referred, not pushed, but you can achieve the desired outcome by delegating the subdomain to a different set of Route 53 servers from those that host the parent zone.

Look at the new hosted zone you created for testing.example.com. This can be in the same AWS account, a different AWS account... any AWS account. There's nothing here that is "account" related. This uses standard DNS configuration. The whole of DNS is a hierarchy. The global root can tell you where to find com, and the com servers can tell you where to find example.com, and it's nothing materially different for example.com to tell you where to find testing.example.com instead of giving you a direct answer.

Note the 4 name servers that Route 53 assigned to the testing.example.com hosted zone. Verify that they are all different than the ones assigned to the example.com hosted zone. (For any of them to be the same should be impossible, but verify this.)

Now, back in the example.com zone, create a new resource record, with hostname testing, using record type NS, and enter the 4 name servers that Route 53 assigned to testing.example.com, in the box below.

Now, when a request for testing.example.com and anything below it arrives at one of the Route 53 servers handling example.com, the reply will not be the answer from testing.example.com -- the reply will provide the requester with the 4 NS records associated with testing.example.com and an answer equivalent to "I don't know, but try asking one of these guys."

That's how it's done.

Michael - sqlbot
  • 22,984
  • Thank you. I have done that (added testing.example.com record in the master account with the value of NS in the child account), however it does not work (i.e. nslookup kibana.example.com works as expected, but `nslookup kibana.testing.example.com Server: 8.8.8.8 Address: 8.8.8.8#53

    ** server can't find kibana.testing.example.com: NXDOMAIN`)

     – mlk Nov 30 '16 at 14:36
  • @mlk What does dig ns testing.example.com output? – ceejayoz Nov 30 '16 at 15:11
  • 1
    I take it back, I messed up the copy and paste of NSs. Deleted the record and recreated, now NS lookup is working. – mlk Nov 30 '16 at 15:13
  • 8
    Man, this is the best cleanest answer on the topic I found so far. Thank you so much! – demisx May 21 '19 at 00:14
  • This is covered in Route 53 docs. – RH Becker Jul 20 '20 at 06:26
0

Here is the process which has been mentioned in AWS for the same :

Routing traffic for subdomains - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html

Keval Sheth
  • 1
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review – Dave M Jan 26 '22 at 15:51
0

I think You need to create testing.example.com record in main account(Parent) under example.com domain. And if you are using ELB, copy ELB endpoint for testing of child account or may be Public IP assigned for testing domain in your child account and update it in parent account route 53. I think ELB endpoint would make it easy to resolve address rather than using dedicated Elastic IP. You'd also need to create all the sub domains of testing in parent account. I'd suggest to use ELB endpoints in child account for all the subdomains of testing site. Please make sure that all the ELB endpoint must be having scheme as internet-facing in aws console.

Shailesh Sutar
  • 1,567
  • 4
    ELB doesn't have anything to do with this, and nameserver delegation via NS records allows the subdomains of testing to be created in the child account if set up properly. – ceejayoz Nov 30 '16 at 15:11