Route53 Hosted Zone delegation

Route53 Hosted Zone delegation

When working in AWS, the typical advice is to avoid creating resources as the root user, both for security and to avoid confusion. It is typically recommended instead to utilize AWS Organizations to create a new account for every AWS project (I personally use org-formation, an open-source CLI tool that allows you to create/reorganize your AWS Organization accounts via an AWS Codecommit pipeline) to avoid intertwining projects that shouldn't interact, as well as for clarity towards billing.

While creating a structure of this type carries a lot of benefits, it does raise several new issues. Unless you're creating (read: purchasing) a new domain for each project, you will normally run into issues relating to DNS forwarding. When troubleshooting your DNS entries (perhaps with the DNS lookup utility dig), you will see that your top level domain is functioning exactly as intended:

while your subdomain is not quite functioning as intended:

The DNS request in this command returned an NXDOMAIN error message, which stands for 'non-existent domain'. Even though your DNS entries are configured, traffic is not authorized to be forwarded as you are hoping, and is not even seeing your DNS record as existing. And the reason for this lies in the DNS nameservers responsible for this request. In order to resolve this issue:

  1. Navigate to the hosted zone for the subdomain:

  2. Note the name servers listed under the NS record type. The addresses listed in the NS record are the collection of name servers authorized and assigned by Route53 to route traffic. In this instance, our name servers are,,, and

  3. Return to the hosted zone for your primary domain and create a new record as follows:

    What this record does is tells the hosted zone for your primary domain to delegate DNS services for this specific subdomain to the listed name servers. So DNS requests for this URL will now be handled by the nameservers assigned to the subdomain (which are authorized to route traffic) as opposed to the name servers for your primary domain, which does not have a record of that domain to route traffic. With Route53, this process takes ~60 seconds to fully propagate, but once it does, traffic will be routed correctly. You can verify with another dig command:

    In this case, you can see the NXDOMAIN error message we were receiving earlier has been replaced with a NOERROR one, which indicates a success! With this having been done, web traffic to the subdomain will now be routed correctly and you can share your created URL as needed.