How do I Delegate a subdomain to Route53
Solution 1
It appears that I had some other errors in my starshine.org zone file which was causing my starshine.org name server to give me the SERVFAIL responses. I guess it was also giving cached responses from the secondaries and the errors weren't obvious in my logs.
What did work was installing the nslint package (Debian) ... running it and walking over each error, fixing it, until the error went away.
In this case the delegation works with just the "glue" records in my zone file ... and I'm not attempting to slave nor even define forwarders in my named.conf.
Solution 2
It looks like you're trying to set up a zone transfer which you can't do, as ChrisV said.
To do a delegation for a sub domain you need only create NS records for the sub in the parent's zone.
So in starshine.org's zonefile:
aws IN NS ns-1494.awsdns-58.org.
aws IN NS ns-773.awsdns-32.net.
aws IN NS ns-1751.awsdns-26.co.uk.
aws IN NS ns-111.awsdns-13.com.
Then you define all your records for the aws.starshine.org. zone in the route 53 name servers.
Related videos on Youtube
06 : 01
06 : 01
18 : 38
03 : 34
07 : 07
Jim Dennis
Mostly an "ops" guy. I do devops as much as "devops" is something one does. :) I mostly work with [bash] and [Python]. I sometimes help with FreeCodeCamp and similar projects and I answer too many questions on Quora. I'm also an occasional contributor to Wikipedia (and other Wikimedia projects).
Updated on September 18, 2022Comments
-
Jim Dennis almost 2 years
I have a domain hosted on my own linode under bind9 I also have a VPC in AWS and I want to maintain a DNS subdomain under Route53. I tried following the instructions at: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingSubdomain.html
Made the following changes to my /etc/bind9/named.conf:
zone "aws.starshine.org" { type slave; file "/var/lib/bind/aws.starshine.org"; masters { 205.251.197.214; 205.251.195.5; 205.251.198.215; 205.251.192.111; }; };The IP addresses there were gathered from this:
for i in "ns-1494.awsdns-58.org" "ns-773.awsdns-32.net" "ns-1751.awsdns-26.co.uk" "ns-111.awsdns-13.com"; do echo -en "$i\t"; dig +short "$i"; done... and those names were pasted from the output from this command:
aws route53 get-hosted-zone --id /hostedzone/Z24Z8xxxxxxxINIf I run commands like: dig aws.starshine.org. @ns-111.awsdns-13.com I see the SOA record. If I add ns I see the Amazon NS records. But if I query through normal NDS or through my own authoritative DNS server for starshine.org I don't see the delegation.
Here's what I get from a couple of those dig commands:
dig aws.starshine.org @ns.starshine.org. ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aws.starshine.org @ns.starshine.org. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49466 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;aws.starshine.org. IN A apogee:/var/lib/bind# dig aws.starshine.org ;; ... ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41291 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;aws.starshine.org. IN A ;; AUTHORITY SECTION: starshine.org. 200 IN SOA ns1.starshine.org. hostmaster.starshine.org. 2014091602 2000 1000 691200 600I don't understand why I'm getting NXDOMAIN and SERVFAIL in these cases. I've completely restarted my BIND server processes (/etc/init.d/bind9 restart).
I see the following in my logs:
Nov 23 05:26:26 apogee named[1438]: zone aws.starshine.org/IN/internal-in: Transfer started. Nov 23 05:26:27 apogee last message repeated 2 timesSo, what am I doing wrong in my delegation? Do I need to enable something on the AWS Route53 side? It's showing me an SOA and NS records (and one A record that I've added and can query just find.
(Setting my resolv.conf (on my nodes in the VPC for example) to point at the AWS DNS name servers does allow me to see the subdomain as one would expect. (However that breaks all other DNS with messages about: Status: REFUSED and WARNING: recursion requested but not available.
I forgot to mention it in my earlier post, but I did also had IN NS "glue" records to my starshine.org zone file like so:
;; GLUE for aws.starshine.org hosted in AWS: aws.starshine.org. IN NS ns-1494.awsdns-58.org. IN NS ns-773.awsdns-32.net. IN NS ns-1751.awsdns-26.co.uk. IN NS ns-111.awsdns-13.com. ns-1494.awsdns-58.org. IN A 205.251.197.214 ns-773.awsdns-32.net. IN A 205.251.195.5 ns-1751.awsdns-26.co.uk. IN A 205.251.198.215 ns-111.awsdns-13.com. IN A 205.251.192.111I also tried adding a list of forwarders to my named.conf:
zone "aws.starshine.org" { type forward; forwarders { 205.251.197.214; 205.251.195.5; 205.251.198.215; 205.251.192.111; }; };-
Admin over 9 yearsDon't think its possible to do zone transfers from Route53. forums.aws.amazon.com/thread.jspa?threadID=88666 -
Jim Dennis over 9 yearsMadHatter: I do usually redact IP and domain information from most questions. But this involved public facing DNS ... so the information is public anyway.
-
-
briantist over 9 yearsBy the way I wrote this on my phone from memory, and may have messed up the BIND syntax, but the principle is the same. I'll check it when I get to a computer.
