How do I troubleshoot issues with hosted zones in Amazon Route 53 that have the same domain names in different AWS accounts?
Resolution
Public hosted zones with the same name in two accounts
You can create more than one hosted zone with the same name and add different records to each hosted zone. Route 53 assigns four name servers to every hosted zone, and the name servers are different for each hosted zone. When you update your registrar's name server records, be sure to use the Route 53 name servers for the appropriate hosted zone. You must use the hosted zone that contains the records that Route 53 should use when responding to queries for your domain. Route 53 won't return values for records in other hosted zones that have the same name.
For example:
In Account A, there's a hosted zone with the domain "101.example.com". Route 53 automatically assigned four name servers to the hosted zone:
- ns-1701.awsdns-20.co.uk.
- ns-487.awsdns-60.com.
- ns-1410.awsdns-48.org.
- ns-867.awsdns-44.net.
There's also a simple Type A record in Account A with the following details:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
| --- | --- | --- | --- | --- |
| test1.101.example.com | A | Simple | - | 8.8.8.8 |
In Account B, there's a hosted zone with the same domain name ("101.example.com"). Route 53 automatically assigned four name servers to the hosted zone:
- ns-869.awsdns-44.net.
- ns-1332.awsdns-38.org.
- ns-61.awsdns-07.com.
- ns-1707.awsdns-21.co.uk.
This hosted zone also contains a simple Type A record with the following details:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
| --- | --- | --- | --- | --- |
| test2.101.example.com | A | Simple | - | 8.8.8.8 |
If the registrar's name server records for the domain (101.example.com) are updated with the name servers of the hosted zone in Account A, but the name servers of the same-named hosted zone in Account B are not added at the registrar, you get the following dig output:
- Dig output for Account A: NOERROR
# dig test1.101.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.101.example.com.        IN      A

;; ANSWER SECTION:
test1.101.example.com.  300     IN      A       8.8.8.8
- Dig output for Account B: NXDOMAIN
# dig test2.101.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489
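The practical check behind the two outputs above is whether the NS set that the public delegation returns matches the delegation set of the hosted zone you expect to answer. The following script is an added example, not code from the AWS article: it parses what `dig +short NS 101.example.com` would print and compares it with the `DelegationSet.NameServers` of each account's hosted zone in the shape returned by `aws route53 get-hosted-zone`. The dig output and the API responses are constructed from the name servers listed in the article; the hosted zone IDs are placeholders.

```python
"""Identify which same-named public hosted zone the registrar delegation points at.

Added example, not from the AWS article. Inputs are constructed from the
name servers the article lists for Account A and Account B.
"""
import json

# Constructed: what `dig +short NS 101.example.com` prints when the registrar
# carries Account A's Route 53 name servers (dig does not sort the answers).
DIG_NS_OUTPUT = """\
ns-487.awsdns-60.com.
ns-1701.awsdns-20.co.uk.
ns-867.awsdns-44.net.
ns-1410.awsdns-48.org.
"""

# Constructed: trimmed `aws route53 get-hosted-zone` responses per account.
# The API returns name servers without a trailing dot; IDs are placeholders.
HOSTED_ZONES = {
    "Account A": json.loads("""{
        "HostedZone": {"Id": "/hostedzone/ZACCOUNTAPLACEHOLDER", "Name": "101.example.com."},
        "DelegationSet": {"NameServers": [
            "ns-1701.awsdns-20.co.uk", "ns-487.awsdns-60.com",
            "ns-1410.awsdns-48.org", "ns-867.awsdns-44.net"]}
    }"""),
    "Account B": json.loads("""{
        "HostedZone": {"Id": "/hostedzone/ZACCOUNTBPLACEHOLDER", "Name": "101.example.com."},
        "DelegationSet": {"NameServers": [
            "ns-869.awsdns-44.net", "ns-1332.awsdns-38.org",
            "ns-61.awsdns-07.com", "ns-1707.awsdns-21.co.uk"]}
    }"""),
}


def normalize(name: str) -> str:
    """Canonical form of a DNS name: trimmed, lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_dig_short_ns(output: str) -> frozenset:
    """Turn the lines of `dig +short NS` into a set of normalized name servers."""
    return frozenset(normalize(line) for line in output.splitlines() if line.strip())


def delegation_set(hosted_zone_response: dict) -> frozenset:
    """Normalized name servers from a get-hosted-zone response."""
    return frozenset(normalize(ns) for ns in hosted_zone_response["DelegationSet"]["NameServers"])


def match_delegation(delegated: frozenset, zones: dict) -> dict:
    """Compare the public delegation with each candidate zone's name servers.

    'authoritative': the registrar points exactly at this zone.
    'partial':       some of the zone's name servers are delegated, others not;
                     resolvers will get inconsistent answers depending on which
                     name server they pick.
    'not delegated': none of this zone's name servers are at the registrar, so
                     its records are never returned (the NXDOMAIN case above).
    """
    report = {}
    for account, response in zones.items():
        zone_ns = delegation_set(response)
        if zone_ns == delegated:
            status = "authoritative"
        elif zone_ns & delegated:
            status = "partial"
        else:
            status = "not delegated"
        report[account] = {
            "status": status,
            "missing_at_registrar": sorted(zone_ns - delegated),
            "unexpected_at_registrar": sorted(delegated - zone_ns),
        }
    return report


def main():
    delegated = parse_dig_short_ns(DIG_NS_OUTPUT)
    for account, result in match_delegation(delegated, HOSTED_ZONES).items():
        print(f"{account}: {result['status']}")
        if result["missing_at_registrar"]:
            print("  missing at registrar:", ", ".join(result["missing_at_registrar"]))


if __name__ == "__main__":
    main()
```

Run against the constructed inputs, Account A reports `authoritative` and Account B `not delegated`, which is exactly why `test1` resolves and `test2` returns NXDOMAIN. To use it on a live domain, replace `DIG_NS_OUTPUT` with the real `dig +short NS` output and each entry in `HOSTED_ZONES` with the JSON from `aws route53 get-hosted-zone --id <zone-id>` run in the respective account.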
Private hosted zones with the same name in two accounts
Consider a scenario where Account A has a private hosted zone ("example.com") associated with VPC-A. The private hosted zone contains a simple Type A record. In this scenario, the dig output for the resource record from an instance in VPC-A of Account A is NOERROR.
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
| --- | --- | --- | --- | --- |
| example.com | NS | Simple | - | ns-1536.awsdns-00.co.uk. ns-0.awsdns-00.com. ns-1024.awsdns-00.org. ns-512.awsdns-00.net |
| example.com | SOA | Simple | - | ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 |
| test1.example.com | A | Simple | - | 1.1.1.1 |
- Dig output for Account A: NOERROR
# dig test1.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.example.com.            IN      A

;; ANSWER SECTION:
test1.example.com.      60      IN      A       1.1.1.1
In Account B, there's another private hosted zone with the same name ("example.com") associated with VPC-B of Account B. This private hosted zone contains a simple Type A record. The dig output for the resource record from an instance in VPC-B of Account B is NOERROR.
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
| --- | --- | --- | --- | --- |
| example.com | NS | Simple | - | ns-1536.awsdns-00.co.uk. ns-0.awsdns-00.com. ns-1024.awsdns-00.org. ns-512.awsdns-00.net. |
| example.com | SOA | Simple | - | ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 |
| test2.example.com | A | Simple | - | 2.2.2.2 |
- Dig output for Account B: NOERROR
# dig test2.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test2.example.com.            IN      A

;; ANSWER SECTION:
test2.example.com.      60      IN      A       2.2.2.2
Note: Every private hosted zone in Route 53 lists the same four name servers, so the NS records can't tell you which zone a VPC resolves against; only the VPC association does. Keep in mind that you can't associate the same VPC with two private hosted zones that have the same name.
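Because the NS set is identical for every private hosted zone, troubleshooting the private case comes down to inspecting which zones are associated with the VPC the query originates from. The script below is an added example, not code from the AWS article: it works on responses in the shape of `aws route53 list-hosted-zones-by-vpc` (one per VPC), reports which associated zone answers for a query name using Route 53's most-specific-match rule, and checks whether a planned same-name association would collide with one that already exists. The responses, hosted zone IDs and account numbers are constructed placeholders.

```python
"""Find the private hosted zone that answers inside a VPC and detect same-name
association conflicts.

Added example, not from the AWS article. The two responses below are
constructed in the shape of `aws route53 list-hosted-zones-by-vpc`; all IDs and
account numbers are placeholders.
"""
import json

# Constructed: private hosted zones associated with VPC-A (Account A).
VPC_A_ZONES = json.loads("""{
  "HostedZoneSummaries": [
    {"HostedZoneId": "ZPRIVATEAPLACEHOLDER", "Name": "example.com.",
     "Owner": {"OwningAccount": "111111111111"}},
    {"HostedZoneId": "ZINTERNALPLACEHOLDER", "Name": "internal.example.com.",
     "Owner": {"OwningAccount": "111111111111"}}
  ]
}""")

# Constructed: private hosted zones associated with VPC-B (Account B).
VPC_B_ZONES = json.loads("""{
  "HostedZoneSummaries": [
    {"HostedZoneId": "ZPRIVATEBPLACEHOLDER", "Name": "example.com.",
     "Owner": {"OwningAccount": "222222222222"}}
  ]
}""")


def normalize(name: str) -> str:
    """Canonical form of a DNS name: trimmed, lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def associated_zones_named(response: dict, zone_name: str) -> list:
    """All hosted zones with exactly this name that are associated with the VPC."""
    wanted = normalize(zone_name)
    return [z for z in response["HostedZoneSummaries"] if normalize(z["Name"]) == wanted]


def association_conflict(response: dict, zone_name: str) -> bool:
    """True if the VPC already has a private hosted zone with this name.

    Route 53 rejects associating one VPC with a second same-name private zone,
    so this is the check to run before calling associate-vpc-with-hosted-zone.
    """
    return bool(associated_zones_named(response, zone_name))


def zone_answering(response: dict, qname: str):
    """The associated zone whose name is the longest suffix of qname, or None.

    Route 53 routes a query from a VPC to the most specific private hosted zone
    associated with that VPC. If no associated zone matches, the query falls
    through to public DNS.
    """
    q = normalize(qname)
    best = None
    for zone in response["HostedZoneSummaries"]:
        name = normalize(zone["Name"])
        if q == name or q.endswith("." + name):
            if best is None or len(name) > len(normalize(best["Name"])):
                best = zone
    return best


def main():
    for label, response in (("VPC-A", VPC_A_ZONES), ("VPC-B", VPC_B_ZONES)):
        for qname in ("test1.example.com", "test2.example.com", "db.internal.example.com"):
            zone = zone_answering(response, qname)
            owner = zone["Owner"]["OwningAccount"] if zone else "public DNS"
            print(f"{label}: {qname} -> {zone['HostedZoneId'] if zone else 'no private zone'} ({owner})")
        print(f"{label}: conflict adding another example.com? {association_conflict(response, 'example.com')}")


if __name__ == "__main__":
    main()
```

From VPC-A, both `test1.example.com` and `test2.example.com` are routed to Account A's zone, which explains why a record that exists only in Account B's same-named zone is never returned from VPC-A. To run this against real data, replace each constant with the output of `aws route53 list-hosted-zones-by-vpc --vpc-id <vpc-id> --vpc-region <region>` for the VPC in question.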