A common practice for multi-environment web apps/API applications is to use the "stage" (environment) name inside the URL, e.g. `app.dev.exampleapp.com` or `app.test.exampleapp.com`.

If you are using [[AWS Route53|Route53]] and following the guideline that [[Distinct product environments should be isolated within their own AWS account]], you will need to set up multiple HostedZones in different accounts and delegate between them to achieve this. We'll walk through how to do that here.

The key piece to delegating DNS is the **NS** record:

> An NS record delegates a subdomain to a set of name servers

## HostedZones per AWS Account

In a multi-account setup, here's how each HostedZone could be created in each account:

| AWS Account | HostedZone Name |
|-|-|
| `tools` | `exampleapp.com` |
| `dev` | `dev.exampleapp.com` |
| `test` | `test.exampleapp.com` |
| `prod` | `prod.exampleapp.com` |

## Create root HostedZone

The first step is to create a zone for the root domain `exampleapp.com`. This is often performed in a shared "tools" AWS account that isn't specific to any stage. You can perform this step using the AWS Console.

Follow these instructions to [configure Route53 as your DNS service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html) for the root zone.

## Create HostedZones for each subdomain

Now create HostedZones for each subdomain you wish to delegate to.

If you wish to create the child HostedZones along with associated ACM SSL certificates using [[Infrastructure-as-Code]], check out [[How to configure environment-specific DNS and SSL certificates in AWS using IaC]].

If not, you can manually create each HostedZone by logging into the AWS Console for each account and creating a hosted zone with name matching your subdomain.

Once you've created each child zone, note down the value of the `NS` record that Route53 auto-creates inside the new zone.

## Delegating from root to child HostedZones

Log into the AWS Console in the account where your root HostedZone is located. Within the root HostedZone, create a new `NS` record whose key ("Record name") is the subdomain and whose value is that which you noted down in the previous section:

![[Route53CreateNSRecord.png]]

## Testing the results

You can use the `dig` CLI tool or [Google's web app equivalent](https://toolbox.googleapps.com/apps/dig/) in order to submit a DNS query for your subdomain. Make sure to set the DNS record type to `NS`.

Verify that the "ANSWER" section in the response includes references to each of the domain servers for your ***child*** HostedZone and not those of the parent HostedZone.

---

## References

- [What's an NS Record?](https://support.dnsimple.com/articles/ns-record/) by DNSimple.
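
The check from "Testing the results" can be automated by comparing the "ANSWER" section of a `dig` response against the `NS` values noted down from the child HostedZone. The following is an added example, not part of the original page; the function names, the sample `dig` output and the `*.example` name server hostnames are constructed for illustration.

```python
"""Check that a `dig NS` answer for a delegated subdomain lists the child zone's name servers."""

def _norm(host):
    # DNS names are case-insensitive; dig prints them with a trailing dot.
    return host.strip().rstrip(".").lower()

def answer_ns(dig_output, subdomain):
    """Return the set of NS targets in the ANSWER section for `subdomain`."""
    found, in_answer = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";;")):
            break  # a blank line or the next section header ends the ANSWER section
        fields = line.split()
        # Record layout: <name> <ttl> <class> <type> <target>
        if in_answer and len(fields) == 5 and fields[3] == "NS" \
                and _norm(fields[0]) == _norm(subdomain):
            found.add(_norm(fields[4]))
    return found

def check_delegation(dig_output, subdomain, child_ns):
    """Compare the answer with the NS values noted from the child HostedZone."""
    expected = {_norm(h) for h in child_ns}
    actual = answer_ns(dig_output, subdomain)
    return {"ok": bool(actual) and actual == expected,
            "missing": sorted(expected - actual),        # child servers not delegated to
            "unexpected": sorted(actual - expected)}     # servers that are not the child's

# Constructed sample: the parent's NS record lists one server that does not
# belong to the child zone and omits one that does.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;dev.exampleapp.com.		IN	NS

;; ANSWER SECTION:
dev.exampleapp.com.	172800	IN	NS	ns-1.child.example.
dev.exampleapp.com.	172800	IN	NS	ns-2.child.example.
dev.exampleapp.com.	172800	IN	NS	ns-9.parent.example.

;; Query time: 20 msec
"""
CHILD_NS = ["ns-1.child.example.", "ns-2.child.example.", "NS-3.child.example"]

if __name__ == "__main__":
    print(check_delegation(SAMPLE_DIG, "dev.exampleapp.com", CHILD_NS))
```

To use it against a real zone, pass the text printed by `dig dev.exampleapp.com NS` as `dig_output` and the child zone's auto-created `NS` values as `child_ns`.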