public hosted zone delegation to a govcloud subdomain can't be resolved

0

As the title states I have some resources in govcloud (private hosted zone) that are exposed to the public via a subdomain in standard route53 domain/public hosted zone.

Tracing the delegation yields the correct nameservers.

The ALB behind the cname record responds with no problems to requests.

But curling the CNAME record returns a "could not resolve host" error (record in the form of {uuid}.gov.bbb.yyy)

Could this be related to stale dns records? The cert used by the ALB has only one domain (bbb.yyy) but since the alb responds to requests this should not be a concern.

co5
asked 10 months ago · 310 views
2 Answers
0
Accepted Answer

The only way to do this is to chain two cdk deploys. One to create the alb in gov cloud, capture the dns name of the alb and use this url as an input in the next deploy to create a CloudFront distribution in the standard AWS account.

The caveat is that the TLS handshake through CloudFront is failing. I can access the alb directly but curling the distribution throws a handshake failure. Tried with TLS 1.2 and TLS 1.1

co5
answered 10 months ago
0

Private hosted zones can not be resolved over the internet.

Private hosted zones can only be resolved internally within the VPC it’s attached to.

If you need to be able to resolve the records externally (the internet) outside of the VPC then the zone needs to be public.

Of course with your delegated tracing you will be able to resolve the NS records you have defined for the subdomain however you will not resolve the records from the subdomain as the zone is private.

EXPERT
answered 10 months ago
  • This article:

    https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53.html

    describes a procedure to link a public hosted zone to resources in govcloud. By definition, all resources in govcloud are in private hosted zones, to expose these a cross account public hosted zone is required.

    It seems that delegation is not allowed and hardwiring ALBs across route53 is the only way to go

  • You're correct. You will need to create all the records in a public zone in your account to resolve to resources in the gov resource account. You can't delegate a subdomain for a gov domain

  • The CDK has the option to set the domain zone for the ALB. If govcloud resources need to create a record in a public hosted zone in another account, how does this happen from CDK?

    CrossAccountZoneDelegationRecord reads as useful, but I am not sure how ApplicationLoadBalancedFargateService can use this construct if it only takes a hosted zone in the domainZone method of the builder.
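The behaviour described in this answer and its comments, modelled as an added example (not code from the post, from AWS, or from the CDK): a toy resolver over constructed zone data shows that the NS set for the subdomain is readable from the public zone while the delegated private zone never answers internet queries, that keeping the delegation shadows any record placed in the public zone below it, and that creating the record directly in the public zone with the ALB DNS name (the accepted answer's chained-deploy approach) resolves from the internet. Zone names follow the question (bbb.yyy, gov.bbb.yyy); the record name, nameserver names and ALB hostname are constructed placeholders.

```python
"""Toy model of Route 53 resolution for a subdomain delegated from a public
hosted zone to a private hosted zone.  Added example, not code from the post:
zone names follow the question (bbb.yyy, gov.bbb.yyy); the record name,
nameserver names and ALB hostname below are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed placeholders, not real hostnames.
RECORD = "abc123.gov.bbb.yyy."
ALB_DNS = "internal-alb-placeholder.us-gov-west-1.elb.amazonaws.com."
PRIVATE_NS = ["ns-private-1.example.", "ns-private-2.example."]


class ResolutionError(Exception):
    """Models the client-side 'could not resolve host' failure."""


@dataclass
class Zone:
    name: str                 # apex, fully qualified (trailing dot)
    private: bool             # private hosted zones answer only inside their VPC
    records: dict = field(default_factory=dict)  # (owner, type) -> [values]


def build_zones(delegate, public_record):
    """delegate: publish NS records for gov.bbb.yyy in the public zone (the
    question's setup).  public_record: create the CNAME directly in the public
    zone using the ALB DNS name captured from the GovCloud deploy."""
    public = Zone("bbb.yyy.", private=False)
    private = Zone("gov.bbb.yyy.", private=True,
                   records={(RECORD, "CNAME"): [ALB_DNS]})
    if delegate:
        public.records[("gov.bbb.yyy.", "NS")] = PRIVATE_NS
    if public_record:
        public.records[(RECORD, "CNAME")] = [ALB_DNS]
    return [public, private]


def _longest_match(name, zones):
    """Most specific zone whose apex is a suffix of name, or None."""
    hits = [z for z in zones if name == z.name or name.endswith("." + z.name)]
    return max(hits, key=lambda z: len(z.name)) if hits else None


def _delegation_cut(zone, name):
    """Closest-to-apex owner below the apex that carries an NS set, or None."""
    if name == zone.name:
        return None
    labels = name[: -(len(zone.name) + 1)].split(".")  # labels below the apex
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + zone.name
        if (cut, "NS") in zone.records:
            return cut
    return None


def _answer(zone, name, rtype):
    """Return the record set, falling back to a CNAME target like a resolver."""
    values = zone.records.get((name, rtype)) or zone.records.get((name, "CNAME"))
    if not values:
        raise ResolutionError(f"could not resolve host: {name} (no record in {zone.name})")
    return values


def trace_delegation(name, zones):
    """What 'tracing the delegation' does: read the NS set the public parent
    publishes for the subdomain.  Succeeds even when the child never answers."""
    parent = _longest_match(name, [z for z in zones if not z.private])
    cut = _delegation_cut(parent, name) if parent else None
    return parent.records[(cut, "NS")] if cut else []


def resolve(name, rtype, zones, from_vpc=False):
    """Inside the VPC the Route 53 Resolver consults associated private zones
    first; from the internet only public zones and their referrals are reachable."""
    if from_vpc:
        pz = _longest_match(name, [z for z in zones if z.private])
        if pz is not None:
            return _answer(pz, name, rtype)
    zone = _longest_match(name, [z for z in zones if not z.private])
    if zone is None:
        raise ResolutionError(f"could not resolve host: {name}")
    cut = _delegation_cut(zone, name)
    if cut is not None:
        # An NS set at the cut shadows any data the parent holds below it:
        # the parent hands out a referral instead of an answer.
        child = next((z for z in zones if z.name == cut), None)
        if child is None or child.private:
            raise ResolutionError(
                f"could not resolve host: {name} (referral to {cut} goes unanswered)")
        return _answer(child, name, rtype)
    return _answer(zone, name, rtype)


def check(delegate, public_record):
    """Summarise NS trace, internet and in-VPC resolution for one zone layout."""
    zones = build_zones(delegate, public_record)

    def attempt(from_vpc):
        try:
            return resolve(RECORD, "A", zones, from_vpc=from_vpc)[0]
        except ResolutionError as exc:
            return str(exc)

    return {"ns_trace": trace_delegation(RECORD, zones),
            "internet": attempt(False),
            "vpc": attempt(True)}


if __name__ == "__main__":
    for layout in [(True, False), (True, True), (False, True)]:
        print(layout, check(*layout))
```

The first layout reproduces the question: the delegation trace returns the nameservers, the record resolves from inside the VPC, and internet clients get "could not resolve host". The second shows that adding the record to the public zone is not enough while the NS delegation remains, and the third is the layout the comments converge on: no delegation, with the record created in the public zone.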
