When managing multiple AWS accounts with separate Route 53 hosted zones, proper DNS delegation becomes critical. The scenario involves:
- Master account controlling the example.com zone
- Secondary account managing the testing.example.com subdomain
- Need to maintain identical record structures across environments
The solution lies in creating proper NS (Name Server) records in the parent zone. Here's the technical breakdown:

```text
# In master account's example.com zone:
testing.example.com. NS ns-1234.awsdns-45.org.
testing.example.com. NS ns-5678.awsdns-89.co.uk.
testing.example.com. NS ns-9012.awsdns-12.net.
testing.example.com. NS ns-3456.awsdns-34.com.
```
1. Retrieve Child Account Name Servers
In the child account's Route 53 console:
- Navigate to Hosted Zones
- Select testing.example.com
- Note the 4 NS records assigned by AWS
2. Create NS Record in Parent Account
Using the AWS CLI (Z1EXAMPLE is a placeholder for the parent zone's hosted zone ID):

```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1EXAMPLE \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "testing.example.com.",
        "Type": "NS",
        "TTL": 172800,
        "ResourceRecords": [
          {"Value": "ns-1234.awsdns-45.org."},
          {"Value": "ns-5678.awsdns-89.co.uk."},
          {"Value": "ns-9012.awsdns-12.net."},
          {"Value": "ns-3456.awsdns-34.com."}
        ]
      }
    }]
  }'
```
For an infrastructure-as-code implementation (CloudFormation, deployed in the parent account):

```yaml
Resources:
  SubdomainDelegation:
    Type: AWS::Route53::RecordSet
    Properties:
      # ParentHostedZone is the parameter or resource holding the example.com zone ID
      HostedZoneId: !Ref ParentHostedZone
      Name: testing.example.com.
      Type: NS
      TTL: '172800'
      ResourceRecords:
        - ns-1234.awsdns-45.org.
        - ns-5678.awsdns-89.co.uk.
        - ns-9012.awsdns-12.net.
        - ns-3456.awsdns-34.com.
```
Use dig to validate the delegation:

```bash
dig +trace testing.example.com NS
```

The output should show the NS records for testing.example.com pointing to the child account's name servers.
Common pitfalls:
- Forgetting the trailing dot in DNS records
- TTL values causing delayed propagation
- Case sensitivity in record names
- Incorrect IAM permissions between accounts
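The following is an added example, not code from the original page: it builds the same UPSERT change batch shown above from the child zone's delegation set (as returned by `aws route53 get-hosted-zone` / boto3), parses the NS answer lines that dig prints, and checks the two sets against each other while normalising case and the trailing dot, so the pitfalls listed above cannot cause a false mismatch. All name servers and the dig output are constructed placeholder values.

```python
"""Build and verify a Route 53 subdomain delegation (constructed example)."""
import json

# Constructed: the DelegationSet that `aws route53 get-hosted-zone` returns for the child zone.
CHILD_DELEGATION_SET = {"NameServers": [
    "ns-1234.awsdns-45.org", "ns-5678.awsdns-89.co.uk",
    "ns-9012.awsdns-12.net", "ns-3456.awsdns-34.com"]}

# Constructed answer lines as `dig +trace testing.example.com NS` prints them;
# one value is deliberately upper-case to show that comparison is case-insensitive.
SAMPLE_DIG = """testing.example.com.\t172800\tIN\tNS\tns-1234.awsdns-45.org.
testing.example.com.\t172800\tIN\tNS\tNS-5678.awsdns-89.co.uk.
testing.example.com.\t172800\tIN\tNS\tns-9012.awsdns-12.net.
testing.example.com.\t172800\tIN\tNS\tns-3456.awsdns-34.com.
;; end of constructed trace"""

def fqdn(name):
    """Normalise a DNS name: lower-case and exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."

def delegation_change_batch(subdomain, delegation_set, ttl=172800):
    """ChangeBatch for change-resource-record-sets in the parent account (CLI call shape above)."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": fqdn(subdomain), "Type": "NS", "TTL": ttl,
        "ResourceRecords": [{"Value": fqdn(ns)} for ns in delegation_set["NameServers"]]}}]}

def parse_dig_ns(dig_output, subdomain):
    """Collect NS values for `subdomain` from dig answer lines, skipping ';;' status lines."""
    values = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "NS"] and fqdn(parts[0]) == fqdn(subdomain):
            values.append(parts[4])
    return values

def check_delegation(parent_ns_values, delegation_set):
    """Compare what the parent zone serves with the child's delegation set; [] means consistent."""
    expected = {fqdn(ns) for ns in delegation_set["NameServers"]}
    actual = {fqdn(v) for v in parent_ns_values}
    problems = []
    if len(expected) != 4:
        problems.append("child delegation set should contain 4 name servers")
    problems += [f"missing in parent zone: {ns}" for ns in sorted(expected - actual)]
    problems += [f"stale/unknown NS in parent zone: {ns}" for ns in sorted(actual - expected)]
    return problems

if __name__ == "__main__":
    print(json.dumps(delegation_change_batch("testing.example.com", CHILD_DELEGATION_SET), indent=2))
    print(check_delegation(parse_dig_ns(SAMPLE_DIG, "testing.example.com"), CHILD_DELEGATION_SET))
```

Replace SAMPLE_DIG with the real dig output and CHILD_DELEGATION_SET with the child zone's delegation set to re-run the check after every change to either zone.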
When managing multiple AWS environments (production/test/staging), a common pattern is having separate AWS accounts for each environment while maintaining a unified parent domain. The key requirement is delegating control of subdomains (testing.example.com) to different AWS accounts without modifying the parent Hosted Zone configuration.
Here's the correct sequence for delegating testing.example.com to Account B while keeping example.com in Account A:
In Account B (testing account):
1. Create a Hosted Zone for testing.example.com
2. Note the 4 NS records automatically generated by Route 53

Example NS records (placeholder values):

```text
ns-1234.awsdns-45.org
ns-5678.awsdns-01.co.uk
ns-9012.awsdns-67.net
ns-3456.awsdns-89.com
```
In Account A's Hosted Zone for example.com, create an NS record using this change batch:

```json
{
  "Comment": "Delegate testing subdomain to Account B",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "testing.example.com",
        "Type": "NS",
        "TTL": 172800,
        "ResourceRecords": [
          {"Value": "ns-1234.awsdns-45.org"},
          {"Value": "ns-5678.awsdns-01.co.uk"},
          {"Value": "ns-9012.awsdns-67.net"},
          {"Value": "ns-3456.awsdns-89.com"}
        ]
      }
    }
  ]
}
```
For infrastructure-as-code implementations, here's a CloudFormation snippet for the parent account:

```yaml
Resources:
  TestingSubdomainNS:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: example.com.
      Name: testing.example.com
      Type: NS
      TTL: '172800'
      ResourceRecords:
        - ns-1234.awsdns-45.org
        - ns-5678.awsdns-01.co.uk
        - ns-9012.awsdns-67.net
        - ns-3456.awsdns-89.com
```
If resolution fails, verify:
- All 4 NS records are correctly entered in the parent zone
- No trailing dots in record values
- TTL has propagated (up to 48 hours)
- No conflicting records in either zone
For production environments, implement these additional measures:
- Use AWS Organizations SCPs to prevent accidental zone modifications
- Enable Route 53 DNSSEC for both zones
- Configure cross-account IAM roles for management
The same pattern works for deeper hierarchies. For dev.testing.example.com delegation:
- Create the zone in a third AWS account
- Add NS records for dev.testing.example.com in Account B's testing.example.com zone