
I have been trying to set up a Private Hosted Zone in Route 53 with currently associated VPCs in eu-west-1 and will soon add more. I have confirmed that my VPC has the DNS resolution option set to yes and the necessary DHCP option sets are also created. I have added a DNS record under the domain.local domain and it works fine. However, the issue comes when I tried to create a sub-domain dev.domain.local and tried to associate it with the same VPC. I see the following error: "A conflicting domain is already associated with the given VPC or Delegation Set."

My intention is to have one parent private zone as zorotools.local and several subdomains such as dev.domain.local, staging.domain.local, prod.domain.local etc.

I would then associate ec2 instances with these DNS names.

So, please let me know what mistake I am making and how should I proceed.

mezi

2 Answers


Creating a private hosted zone in Route 53 essentially applies a "hook" in the DNS resolver for your VPC so that queries for that domain are routed directly to the assigned Route 53 nameservers instead of being resolved normally by traversing down starting at the global root servers.

In light of that, I suppose it makes sense for the system to consider a subdomain to be a conflict, and this is a documented limitation:

ConflictingDomainExists

You specified an Amazon VPC that you're already using for another hosted zone, and the domain that you specified for one of the hosted zones is a subdomain of the domain that you specified for the other hosted zone. For example, you cannot use the same Amazon VPC if you're creating hosted zones for example.com and test.example.com.

http://docs.aws.amazon.com/Route53/latest/APIReference/API-create-hosted-zone-private.html

The following (untested) workaround should allow you to achieve the same functionality, though... assuming domain.local is configured as a private hosted zone:

  • Create dev.domain.local as a public zone in Route 53.

  • Note the 4 NS records assigned to the new zone by Route 53.

  • Back in the domain.local private zone, create a record for host "dev," type "NS," and paste the 4 nameservers assigned to dev.domain.local in the box.

This configuration should cause the VPC resolver to consult the private parent domain, learn the delegation, recurse to the delegated nameservers for the correct record, and return the expected response.

Michael - sqlbot
  • Thanks @Michael - sqlbot, I have understood the fact that "you cannot nest private zones inside another private zone." AWS support told me that "At the moment, unfortunately, you cannot do subdomains on the same VPC using multiple private hosted zones. The reason has to do with the fact we use name + VPC to find the zone given a QNAME. When another zone exists at the same path, resolution is ambiguous. We are considering to relax this constraint in the future, though." I will try your workaround. – mezi Sep 16 '15 at 10:44
  • Unfortunately this fix does not work. According to http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html "You cannot create NS records in a private hosted zone to delegate responsibility for a subdomain." – num1 Feb 21 '17 at 08:20
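The rule behind the error, as the documentation excerpt and the AWS support reply above describe it, is that Route 53 looks zones up by name + VPC and refuses a second private zone whose name is the same as, a parent of, or a child of one already associated with that VPC. The following pre-flight check is an added example, not code from the question or either answer; it runs the same label-wise comparison against a constructed inventory (the zone names and VPC ids are made up) so a conflict can be spotted before an association call is made.

```python
"""Pre-flight check for Route 53's ConflictingDomainExists rule (added example)."""


def labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def zones_overlap(a: str, b: str) -> bool:
    """True if a == b, or one name is a subdomain of the other.

    Comparison is per label, not a plain string suffix test, so
    'domain.local' does not clash with 'mydomain.local'.
    """
    la, lb = labels(a), labels(b)
    short, long_ = (la, lb) if len(la) <= len(lb) else (lb, la)
    return long_[len(long_) - len(short):] == short


def find_conflicts(new_zone: str, vpc_id: str, inventory: dict) -> list:
    """Return names of existing private zones on vpc_id that block new_zone."""
    return sorted(
        zone for zone, vpcs in inventory.items()
        if vpc_id in vpcs and zones_overlap(zone, new_zone)
    )


# Constructed inventory: private zone name -> set of VPC ids it is associated with.
INVENTORY = {
    "domain.local.": {"vpc-0aaa"},
    "mydomain.local.": {"vpc-0aaa"},
    "prod.domain.local.": {"vpc-0bbb"},
}

if __name__ == "__main__":
    checks = [
        ("dev.domain.local", "vpc-0aaa"),   # child of domain.local -> conflict
        ("dev.domain.local", "vpc-0bbb"),   # sibling of prod.domain.local -> ok
        ("domain.local", "vpc-0bbb"),       # parent of prod.domain.local -> conflict
        ("other.local", "vpc-0aaa"),        # unrelated name -> ok
    ]
    for zone, vpc in checks:
        hits = find_conflicts(zone, vpc, INVENTORY)
        verdict = "conflicts with " + ", ".join(hits) if hits else "ok"
        print(f"{zone} on {vpc}: {verdict}")
```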
  1. First, create a delegation from your authoritative DNS (zorotools.local) to the DNS server of the VPC. The DNS server ends with ".2", e.g. if your VPC is 10.0.0.0/16, the DNS server of the private hosted zone will be 10.0.0.2.
  2. Create a conditional forwarder to the subdomain, e.g. dev.zorotools.local.
  3. For failover you can associate multiple VPCs with the private hosted zone. Cross-region also works if the VPC subnets do not overlap and peering is enabled.
  4. This has worked for us, as the corporate domain is different and we have a different authoritative DNS within the VPC for delegation to Route 53.