In Amazon Route 53, I have multiple hosted zones in different AWS accounts, and the hosted zones share the same domain name. I want to troubleshoot issues with these hosted zones.
Resolution
Public hosted zones with the same name in two accounts
You can create more than one hosted zone with the same name and add different records to each. Route 53 assigns four name servers to every hosted zone, and the set of name servers is different for each hosted zone. When you update the name server records at your registrar, use the Route 53 name servers of the hosted zone whose records you want Route 53 to serve: only that hosted zone answers queries for your domain, and Route 53 doesn't return values for records in other hosted zones that have the same name.
For example, let's say you have the following hosted zones in two accounts:
In Account A, there's a hosted zone with the domain 101.example.com. Route 53 automatically assigned four name servers to this hosted zone:
- ns-1701.awsdns-20.co.uk.
- ns-487.awsdns-60.com.
- ns-1410.awsdns-48.org.
- ns-867.awsdns-44.net.
There's also a simple Type A record with the following details:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
|---|---|---|---|---|
| test1.101.example.com | A | Simple | - | 8.8.8.8 |
In Account B, there's a hosted zone with the same domain name (101.example.com). Route 53 automatically assigned four name servers to this hosted zone:
- ns-869.awsdns-44.net.
- ns-1332.awsdns-38.org.
- ns-61.awsdns-07.com.
- ns-1707.awsdns-21.co.uk.
This hosted zone also contains a simple Type A record with the following details:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
|---|---|---|---|---|
| test2.101.example.com | A | Simple | - | 8.8.8.8 |
At your registrar, you can enter the name servers of the hosted zone in Account A, in Account B, or both. If you update the domain's name servers with the Account A name servers but not the Account B name servers, then you get the following dig output:
- Dig output for Account A: NOERROR
# dig test1.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.101.example.com. IN A
;; ANSWER SECTION:
test1.101.example.com. 300 IN A 8.8.8.8
- Dig output for Account B: NXDOMAIN
# dig test2.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489
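The NOERROR/NXDOMAIN split above comes down to one question: which hosted zone's four name servers does the registrar actually delegate to? The following script is an added example, not part of the AWS article, that compares the name servers assigned to each hosted zone (copied from the example above) with the NS set currently delegated for the domain and reports which hosted zone is live. A delegation that mixes name servers from both hosted zones is flagged separately, because resolvers would then get different answers depending on which name server they pick. The `delegated_name_servers` helper shells out to `dig +short NS` and needs network access; the zone names and the "mixed" sample input are constructed for illustration.

```python
"""Identify which Route 53 public hosted zone the registrar delegates to.

Added example (not from the AWS article). Given the four name servers
Route 53 assigned to each hosted zone that shares a domain name, and the
NS set currently delegated for the domain, report which hosted zone will
answer queries. Records in a hosted zone whose name servers are not
delegated return NXDOMAIN, as in the article's Account B output.
"""
import subprocess
from typing import Dict, Iterable, List, Optional, Set

# Name-server sets copied from the article's two example hosted zones.
# The account labels are constructed for this example.
HOSTED_ZONES: Dict[str, List[str]] = {
    "Account A (101.example.com)": [
        "ns-1701.awsdns-20.co.uk.",
        "ns-487.awsdns-60.com.",
        "ns-1410.awsdns-48.org.",
        "ns-867.awsdns-44.net.",
    ],
    "Account B (101.example.com)": [
        "ns-869.awsdns-44.net.",
        "ns-1332.awsdns-38.org.",
        "ns-61.awsdns-07.com.",
        "ns-1707.awsdns-21.co.uk.",
    ],
}


def normalize(ns_names: Iterable[str]) -> Set[str]:
    """Lower-case and strip the trailing dot so dig output and console values compare equal."""
    return {n.strip().lower().rstrip(".") for n in ns_names if n.strip()}


def delegated_name_servers(domain: str) -> Set[str]:
    """Return the NS set a recursive resolver currently sees for the domain.

    The answer comes from whichever hosted zone the parent delegation leads to.
    Requires network access and the dig binary; not exercised by the tests.
    """
    result = subprocess.run(
        ["dig", "+short", "NS", domain],
        capture_output=True, text=True, check=True,
    )
    return normalize(result.stdout.splitlines())


def classify_delegation(
    delegated: Iterable[str], zones: Dict[str, List[str]] = HOSTED_ZONES
) -> Dict[str, str]:
    """For each hosted zone, say whether the delegation covers all, some, or none of its name servers."""
    delegated_set = normalize(delegated)
    report: Dict[str, str] = {}
    for zone, servers in zones.items():
        expected = normalize(servers)
        overlap = expected & delegated_set
        if not overlap:
            report[zone] = "not delegated: its records return NXDOMAIN"
        elif overlap == expected:
            report[zone] = "fully delegated: its records are served"
        else:
            # Only some of this zone's name servers are delegated, or the
            # registrar mixes name servers from two zones: answers vary by
            # which name server each resolver happens to query.
            report[zone] = "partially delegated: inconsistent answers across resolvers"
    return report


def live_zone(
    delegated: Iterable[str], zones: Dict[str, List[str]] = HOSTED_ZONES
) -> Optional[str]:
    """Return the single hosted zone whose whole NS set is delegated, or None if ambiguous."""
    delegated_set = normalize(delegated)
    matches = [z for z, s in zones.items() if normalize(s) <= delegated_set]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    # Constructed sample: registrar points at Account A's name servers only.
    sample = ["NS-1701.awsdns-20.co.uk", "ns-487.awsdns-60.com.",
              "ns-1410.awsdns-48.org.", "ns-867.awsdns-44.net."]
    for zone, verdict in classify_delegation(sample).items():
        print(f"{zone}: {verdict}")
    print("live hosted zone:", live_zone(sample))
```

To check a real domain, replace the constructed `sample` with `delegated_name_servers("101.example.com")` and, for each hosted zone, paste the four name servers shown on its console page (or returned by `aws route53 get-hosted-zone`) into `HOSTED_ZONES`.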
Private hosted zones with the same name in two accounts
Let's say there's a private hosted zone (example.com) in Account A that's associated with a virtual private cloud (VPC). Besides the default NS and SOA records, the private hosted zone contains a simple Type A record:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
|---|---|---|---|---|
| example.com | NS | Simple | - | ns-1536.awsdns-00.co.uk. / ns-0.awsdns-00.com. / ns-1024.awsdns-00.org. / ns-512.awsdns-00.net. |
| example.com | SOA | Simple | - | ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 |
| test1.example.com | A | Simple | - | 1.1.1.1 |
In this example, dig run from an instance in the VPC associated with the Account A hosted zone returns NOERROR for the record:
# dig test1.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.example.com. IN A
;; ANSWER SECTION:
test1.example.com. 60 IN A 1.1.1.1
In Account B, there's another private hosted zone with the same name (example.com) that's associated with a different VPC. Besides the default NS and SOA records, this private hosted zone contains a simple Type A record:
| Record name | Type | Routing policy | Differentiator | Value/Route traffic to |
|---|---|---|---|---|
| example.com | NS | Simple | - | ns-1536.awsdns-00.co.uk. / ns-0.awsdns-00.com. / ns-1024.awsdns-00.org. / ns-512.awsdns-00.net. |
| example.com | SOA | Simple | - | ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 |
| test2.example.com | A | Simple | - | 2.2.2.2 |
Dig run from an instance in the VPC associated with the Account B hosted zone also returns NOERROR for its record:
# dig test2.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test2.example.com. IN A
;; ANSWER SECTION:
test2.example.com. 60 IN A 2.2.2.2
Note: All private hosted zones in Route 53 list the same four name servers (in this example, ns-1536.awsdns-00.co.uk., ns-0.awsdns-00.com., ns-1024.awsdns-00.org., and ns-512.awsdns-00.net.), so which private hosted zone answers a query is determined by the VPC association, not by delegation. You can't associate the same VPC with two private hosted zones that have the same name.