
Best practice for managing Route 53 domains and hosted zones after moving from Root to OU-based AWS Organization structure

0

Hello,

We recently restructured our AWS Organization from a simple Root-IAM model to a Root → OU1/OU2 → IAM setup. Previously, we purchased and managed our domain via Route 53 in the Root account. Now, we want to transfer DNS management of that domain to a specific OU account.

Here's what we've done so far:

  • The domain was originally purchased and registered in the Root account via Route 53.

  • We updated the domain’s nameserver (NS) records to point to a Public Hosted Zone that was newly created in the OU account.

Now we’re facing some confusion around how to proceed with hosted zone records:

  1. Since the domain’s NS records now point to the OU’s Public Hosted Zone, should we delete all records in the Root account’s original hosted zone and instead define all DNS records only in the OU’s hosted zone?

  2. Alternatively, is it valid to keep a single NS record in the Root account’s hosted zone pointing to the OU’s nameservers, and define all other records only in the OU’s hosted zone?

  3. Or, do we need to mirror all records (NS, SOA, A, CNAME, etc.) in both Root and OU hosted zones to avoid conflict?

My understanding is:

  • Option 2 may not work properly because the domain-level NS records already point to the OU’s hosted zone, so the Root account’s hosted zone might be completely bypassed.

  • Option 3 seems to prioritize the Root account's hosted zone, which goes against our goal of managing everything in the OU account.

  • Option 1 seems correct, but our developers are concerned that it may cause service disruptions. Unfortunately, I’m unable to test this setup myself, which makes the situation more difficult to resolve.

One last question:

One of our developers is asking whether we can transfer domain ownership from the Root account to the OU account (i.e., transfer the Route 53 domain registration). Is this possible or even recommended? Alternatively, for future cases, would it be more appropriate to purchase and manage new domains directly within the respective OU accounts?

Any advice or best practices would be greatly appreciated. Thank you!

1 Answer
0

When you've updated your domain's nameserver records to point to a Public Hosted Zone in your OU account, you're already delegating DNS management to that account. Here's how to proceed:

  1. You should define all DNS records only in the OU account's hosted zone. Since the domain's nameservers now point to the OU account's hosted zone, this is where all DNS resolution will occur. The Root account's original hosted zone is effectively bypassed in DNS resolution.

  2. Keeping an NS record in the Root account's hosted zone pointing to the OU's nameservers won't have any effect on DNS resolution. This is because DNS resolution follows the nameserver delegation set at the registrar level (which now points to your OU account's hosted zone).

  3. Mirroring records across both hosted zones is unnecessary and could lead to confusion in management. Since DNS queries will be directed to the nameservers specified at the registrar level, only the records in the OU account's hosted zone will be used for resolution.

Regarding your concern about service disruptions: As long as you've properly updated the nameserver records at the registrar level to point to the OU account's hosted zone, and you've created all necessary DNS records in that hosted zone, there should be no disruption to your services.

As for transferring domain ownership, yes, you can transfer domain registration from the Root account to the OU account within AWS. This is done through the internal domain transfer process in Route 53. However, many organizations prefer to keep domain registrations centralized in a single account for better control and security, even while delegating DNS management to other accounts.

For future domains, it's generally considered a best practice to register domains in a tightly controlled account (which could be your Root account or a dedicated domains account) to prevent unwanted actions and maintain access control. You can then delegate DNS management to the appropriate service accounts through hosted zones and nameserver configurations as you've already done.

Sources
DNS best practices for Amazon Route 53 | Networking & Content Delivery
Using Amazon Route 53 as the DNS service for subdomains without migrating the parent domain - Amazon Route 53
DNS redirection via route 53 hosted zone | AWS re:Post
Replacing the hosted zone for a domain that is registered with Route 53 - Amazon Route 53

answered 10 months ago
AWS
EXPERT
reviewed 6 months ago
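The answer's "no disruption" condition has two parts that can be checked before the Root zone is emptied: the registrar-level nameservers must equal the OU hosted zone's own NS set, and every record the Root zone serves (apart from its apex NS and SOA) must exist with the same values in the OU zone. The following is an added example in Python, not code from the post or from AWS; it assumes record sets shaped like Route 53's ListResourceRecordSets output, and all zone data and nameserver names in it are constructed placeholders.

```python
# Added example, not code from the post or from AWS. Record sets are shaped like
# Route 53's ListResourceRecordSets output; all data here is constructed.
APEX = "example.com."

def _values(rr):
    return frozenset(r["Value"] for r in rr["ResourceRecords"])

def apex_ns(zone, apex=APEX):
    """Nameservers the hosted zone claims at its apex (its delegation set)."""
    for rr in zone:
        if rr["Name"] == apex and rr["Type"] == "NS":
            return _values(rr)
    return frozenset()

def delegation_matches(registrar_ns, target_zone, apex=APEX):
    """True only if the registrar delegates to exactly the target zone's NS set."""
    return frozenset(registrar_ns) == apex_ns(target_zone, apex)

def missing_in_target(source_zone, target_zone, apex=APEX):
    """Records the old zone serves that the new zone lacks or serves differently.
    Apex NS and SOA belong to each zone's own delegation set, so skip them."""
    target = {(rr["Name"], rr["Type"]): _values(rr) for rr in target_zone}
    gaps = []
    for rr in source_zone:
        key = (rr["Name"], rr["Type"])
        if key[0] == apex and key[1] in ("NS", "SOA"):
            continue
        if target.get(key) != _values(rr):
            gaps.append(key)
    return gaps

def cutover_report(registrar_ns, root_zone, ou_zone, apex=APEX):
    """Emptying the old zone is safe only if delegation_ok and missing is empty."""
    return {"delegation_ok": delegation_matches(registrar_ns, ou_zone, apex),
            "missing": missing_in_target(root_zone, ou_zone, apex)}

# Constructed sample zones; nameserver names are placeholders, not real AWS ones.
ROOT_ZONE = [
    {"Name": APEX, "Type": "NS", "ResourceRecords": [{"Value": "ns-old-1.example."}]},
    {"Name": APEX, "Type": "A", "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "www." + APEX, "Type": "CNAME", "ResourceRecords": [{"Value": APEX}]},
    {"Name": APEX, "Type": "MX", "ResourceRecords": [{"Value": "10 mail." + APEX}]},
]
OU_ZONE = [
    {"Name": APEX, "Type": "NS", "ResourceRecords": [{"Value": "ns-new-1.example."}]},
    {"Name": APEX, "Type": "A", "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "www." + APEX, "Type": "CNAME", "ResourceRecords": [{"Value": APEX}]},
]
REGISTRAR_NS = ["ns-new-1.example."]  # as shown in the domain's registrar settings
```

In the constructed data the delegation already matches the OU zone, but the MX record was never recreated there, which is exactly the kind of gap that would surface as a disruption after the Root zone is emptied.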
