- Newest
- Most votes
- Most comments
Delegation of private hosted zone within AWS is usually not necessary as long as you only want to use Private Hosted Zones (PHZ). It is mostly baked into the functionality of R53 and can also be extended to on-premises resolution with R53 Resolver endpoints.
Only if you want to delegate a sub-zone from or to a non-R53 Auth NS, e.g. on-premises, will you face a feature gap. In your case, where the customer wants to retire all non-R53 Auth NS, they shouldn't be facing this issue.
The idea behind DNS delegation is to delegate authority of a part of the namespace to another entity (running their own Auth NS). With R53 you can achieve the same by just using Private Hosted Zones.
As such a central team could be in charge of the PHZ "example.com", while a developer team is in charge of "team1.example.com".
From a resolution perspective, you can now assign both of these above PHZ to the same VPC. While Route 53 considers this setup an "overlapping namespace", the resulting Resolver rules will give you more or less the same behavior as if you would have delegated the subdomain.
If you now deploy a R53 Outbound Resolver endpoint into that same VPC (which has visibility to both of the above zones), will you get the same resolution from on-premises.
In case the above domains of example.com and team1.example.com need to be split across R53 and an on-premises Auth NS, you will face the lack of support for delegating a sub-zone from or to a R53 Private Hosted Zone. In some cases, you can work around this with DNS forwarding.
Relevant content
- asked a year ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago