Can different AWS accounts manage different subdomains?


How do I tell the master account to push requests for .testing.example.com down to the child account?

The requests are referred, not pushed, but you can achieve the desired outcome by delegating the subdomain to a different set of Route 53 servers from those that host the parent zone.

Look at the new hosted zone you created for testing.example.com. This can be in the same AWS account, a different AWS account... any AWS account. There's nothing here that is "account" related. This uses standard DNS configuration. The whole of DNS is a hierarchy. The global root can tell you where to find com, and the com servers can tell you where to find example.com, and it's nothing materially different for example.com to tell you where to find testing.example.com instead of giving you a direct answer.

Note the 4 name servers that Route 53 assigned to the testing.example.com hosted zone. Verify that they are all different than the ones assigned to the example.com hosted zone. (For any of them to be the same should be impossible, but verify this.)

Now, back in the example.com zone, create a new resource record, with hostname testing, using record type NS, and enter the 4 name servers that Route 53 assigned to testing.example.com, in the box below.

Now, when a request for testing.example.com and anything below it arrives at one of the Route 53 servers handling example.com, the reply will not be the answer from testing.example.com -- the reply will provide the requester with the 4 NS records associated with testing.example.com and an answer equivalent to "I don't know, but try asking one of these guys."

That's how it's done.
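A check for the delegation described above, as an added example that is not part of the original answer: it compares the NS values entered in the parent zone with the name servers Route 53 assigned to the child zone, then builds the matching change batch for the parent zone. The name servers, the function names and the TTL are constructed assumptions.

```python
import json

# Constructed sample values (not real assignments), shaped like Route 53 names.
PARENT_NS = ["ns-11.awsdns-01.com.", "ns-522.awsdns-01.net.",
             "ns-1033.awsdns-01.org.", "ns-1544.awsdns-01.co.uk."]
CHILD_NS = ["ns-77.awsdns-09.com.", "ns-588.awsdns-09.net.",
            "ns-1099.awsdns-09.org.", "ns-1610.awsdns-09.co.uk."]
# A botched paste: one parent server entered in place of a child server.
BAD_PASTE = CHILD_NS[:3] + [PARENT_NS[3]]


def normalize(ns):
    """Lower-case a name server and drop surrounding space and the root dot."""
    return ns.strip().lower().rstrip(".")


def check_delegation(parent_ns, child_ns, delegated_ns):
    """List problems with the NS record entered in the parent zone."""
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_ns}
    delegated = {normalize(n) for n in delegated_ns}
    problems = [f"shared with parent zone: {n}" for n in sorted(child & parent)]
    problems += [f"missing from delegation: {n}" for n in sorted(child - delegated)]
    problems += [f"not a child-zone name server: {n}"
                 for n in sorted(delegated - child)]
    return problems


def delegation_change_batch(subdomain, child_ns, ttl=172800):
    """Change batch to apply to the PARENT hosted zone (ttl is an assumption)."""
    records = [{"Value": normalize(n) + "."} for n in child_ns]
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": normalize(subdomain) + ".", "Type": "NS",
        "TTL": ttl, "ResourceRecords": records}}]}


if __name__ == "__main__":
    for problem in check_delegation(PARENT_NS, CHILD_NS, BAD_PASTE):
        print("PROBLEM:", problem)
    print(json.dumps(delegation_change_batch("testing.example.com", CHILD_NS), indent=2))
```

The printed JSON has the shape that `aws route53 change-resource-record-sets --change-batch` accepts; it is applied to the example.com hosted zone, not to the testing.example.com one.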


Author: mlk

Updated on September 18, 2022

Comments

  • mlk
    mlk over 1 year

    I have two AWS accounts. The master account with example.com as a Hosted Zone, this then has a number of record sets (i.e. api.example.com and kibana.example.com).

    A second account will be managing testing.example.com as a Hosted Zone, with the same set of record sets (i.e. api.testing.example.com and kibana.testing.example.com).

    How do I tell the master account to refer requests for .testing.example.com down to the child account? I don't want to change the master account as I want to use the same CloudFormation templates in both 'Live' and 'Test'.

    I've set the two up as above and it does not work (api.testing.example.com does not resolve). I've also tried setting the testing.example.com ns record in the master account to the one specified in the child account(1). Alas this is not something I've done before and Google searches are not returning anything.

    1) I messed this up, and this is the answer. See below.

    • mlk
      mlk over 7 years
      Would the down voter kindly explain why? If the question is off-topic that is fine, I'll delete. But down voting and running tells me nothing.
    • Tim
      Tim over 7 years
      You could try this and work out the answer yourself in about ten minutes. I suspect the answer is yes, because you can add subdomains to Route 53. I suspect this is why you were downvoted.
    • mlk
      mlk over 7 years
      Try what? I've done the above and it does not work.
    • ceejayoz
      ceejayoz over 7 years
      Does the master account have example.com or *.example.com as the zone? I don't think you can have *.example.com as a zone name, can you? Can you give us the actual FQDNs in play?
    • ceejayoz
      ceejayoz over 7 years
      Do dig ns testing.example.com and confirm that the set of nameservers is that of the child account's zone. Then, dig @one.of.those.nameservers api.testing.example.com and evaluate the output.
    • Shailesh Sutar
      Shailesh Sutar over 7 years
      Is your testing.example.com internet facing? I mean publicly accessible. Or is it accessible only on VPN, just for internal testing?
  • mlk
    mlk over 7 years
    Thank you. I have done that (added testing.example.com record in the master account with the value of NS in the child account), however it does not work (i.e. nslookup kibana.example.com works as expected, but nslookup kibana.testing.example.com Server: 8.8.8.8 Address: 8.8.8.8#53 ** server can't find kibana.testing.example.com: NXDOMAIN)
  • ceejayoz
    ceejayoz over 7 years
    ELB doesn't have anything to do with this, and nameserver delegation via NS records allows the subdomains of testing to be created in the child account if set up properly.
  • ceejayoz
    ceejayoz over 7 years
    @mlk What does dig ns testing.example.com output?
  • mlk
    mlk over 7 years
    I take it back, I messed up the copy and paste of NSs. Deleted the record and recreated, now NS lookup is working.
  • demisx
    demisx almost 5 years
    Man, this is the best cleanest answer on the topic I found so far. Thank you so much!
  • RH Becker
    RH Becker almost 4 years
    This is covered in Route 53 docs.
  • Dave M
    Dave M over 2 years
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review