Bruno Schaatsbergen

Name Server Delegation with Route 53


Consider an AWS Organization with multiple accounts, where you want the team managing “the API” to manage their own DNS records from the account their API runs in.

A central team owns a DNS account in which the root domain is registered. That team delegates the subdomain to the API team’s account.

It’s pretty straightforward:

  • Create a hosted zone for the root domain in the central team’s account.
  • Create a hosted zone for the subdomain in the API team’s account.
  • Add an NS record for the subdomain to the root domain’s hosted zone, with the name servers of the subdomain’s hosted zone as its values.

Breaking down the steps:

I’m using Terraform to create the resources and perform the delegation.

Create Root Domain Hosted Zone

The central team creates a hosted zone for the root domain:

resource "aws_route53_zone" "example" {
  name = "" # the root domain (apex) the central team registered
}

Create Subdomain Hosted Zone

The API team creates a hosted zone for the subdomain:

resource "aws_route53_zone" "api" {
  name = "" # the subdomain the API team will own
}

Set NS Records for Subdomain

This is where the delegation happens. The central team adds an NS record to the root domain’s hosted zone, named after the subdomain, whose values are the name servers Route 53 assigned to the subdomain’s hosted zone.

Now when a name under the subdomain is queried, resolvers follow that NS record to the subdomain’s name servers, so the query is answered from the API team’s hosted zone (delegated).

resource "aws_route53_record" "api" {
  name            = "" // the subdomain being delegated
  ttl             = 172800
  type            = "NS"
  zone_id         = aws_route53_zone.example.zone_id

  records = [
    // .. the four name servers Route 53 assigned to the subdomain's hosted zone
  ]
}

Create A Record in Subdomain Hosted Zone

The API team creates an A record in their hosted zone for testing the delegation:

resource "aws_route53_record" "api" {
  zone_id = aws_route53_zone.api.zone_id
  name    = "" // a test name under the subdomain
  type    = "A"
  ttl     = 300
  records = [""] // the IP address the test name should resolve to
}
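The whole procedure in one Terraform configuration, as an added example that is not the post’s own code: it drives both accounts from a single run through two provider aliases, so the NS record can read the subdomain zone’s name_servers attribute directly instead of copying the four name servers by hand. The account IDs, role names, region, the example.com domain and the 203.0.113.10 address are placeholders chosen for illustration.

```hcl
# Added example, not the post's own code. Account IDs, role names, region,
# example.com and 203.0.113.10 are placeholders chosen for illustration.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Central DNS account: owns the root hosted zone and nothing else here.
provider "aws" {
  alias  = "central"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/dns-admin"
  }
}

# API team account: owns only the subdomain hosted zone.
provider "aws" {
  alias  = "api"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/api-dns"
  }
}

# Root domain hosted zone (central account).
resource "aws_route53_zone" "example" {
  provider = aws.central
  name     = "example.com"
}

# Subdomain hosted zone (API team account). Route 53 assigns it four name
# servers; they are exposed as the name_servers attribute.
resource "aws_route53_zone" "api" {
  provider = aws.api
  name     = "api.example.com"
}

# Delegation: an NS record in the root zone for the subdomain, pointing at the
# subdomain zone's name servers. Reading the attribute means the four names
# cannot be mistyped, and the record is updated if the zone is ever recreated
# and receives a different name server set.
resource "aws_route53_record" "api_delegation" {
  provider = aws.central
  zone_id  = aws_route53_zone.example.zone_id
  name     = aws_route53_zone.api.name
  type     = "NS"
  ttl      = 172800
  records  = aws_route53_zone.api.name_servers
}

# A record in the subdomain zone, created by the API team, to test delegation.
resource "aws_route53_record" "api_test" {
  provider = aws.api
  zone_id  = aws_route53_zone.api.zone_id
  name     = "test.api.example.com"
  type     = "A"
  ttl      = 300
  records  = ["203.0.113.10"]
}

# When the teams run separate configurations instead, this is exactly the list
# the central team needs to write the NS record by hand.
output "api_name_servers" {
  value = aws_route53_zone.api.name_servers
}
```

In practice each team usually applies its own configuration, as the post describes; the API team then publishes the output and the central team’s NS record lists those four names. Either way the API team’s role only needs route53:ChangeResourceRecordSets on its own hosted zone and never gets write access to the root zone, which is the point of delegating rather than sharing the root zone.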

Testing Delegation

To verify that the subdomain is delegated correctly, query the A record the API team created and check that the response contains the IP address they configured.

$ dig A +short
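A check that goes one step further than the A-record lookup, added here as an example and not part of the original post: it compares the NS set the parent zone publishes for the subdomain with the NS set the subdomain’s own name servers return at its apex. If they differ you have a lame or partial delegation that some resolvers will fail on, and if the subdomain’s hosted zone has been deleted while the NS record in the root zone remains, the child side comes back empty and the check fails as well. The name server names in the sample data are constructed, not real zones; the live helper needs network access and dig.

```shell
#!/bin/sh
# Added example (not from the original post): check that the NS set the parent
# zone publishes for the subdomain matches the NS set the subdomain's own
# name servers serve at its apex. DNS names compare case-insensitively, with
# or without a trailing dot, so both lists are normalised first.

# Lowercase, strip trailing dots and blank lines, sort and dedupe.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# compare_ns_sets PARENT_LIST CHILD_LIST
# Returns 0 when both newline-separated lists name the same servers and the
# parent list is non-empty, 1 otherwise (mismatch, or nothing delegated).
compare_ns_sets() {
  parent_ns=$(printf '%s\n' "$1" | normalize_ns)
  child_ns=$(printf '%s\n' "$2" | normalize_ns)
  [ -n "$parent_ns" ] && [ "$parent_ns" = "$child_ns" ]
}

# check_delegation SUBDOMAIN PARENT_NS_SERVER
# Live check (needs network). The parent's authoritative server answers a
# query for a delegated name with a referral, so its NS records sit in the
# AUTHORITY section; the child's servers answer from the ANSWER section.
check_delegation() {
  sub="$1"
  parent_view=$(dig +norecurse +noall +authority NS "$sub" @"$2" | awk '$4 == "NS" { print $5 }')
  first_child=$(printf '%s\n' "$parent_view" | head -n 1)
  [ -n "$first_child" ] || return 1
  child_view=$(dig +norecurse +noall +answer NS "$sub" @"$first_child" | awk '$4 == "NS" { print $5 }')
  compare_ns_sets "$parent_view" "$child_view"
}

# Constructed sample data standing in for dig output (not real zones), with
# the case and trailing-dot differences that show up in real answers.
SAMPLE_PARENT='ns-1.awsdns-00.org.
ns-2.awsdns-11.com.'
SAMPLE_CHILD='NS-2.awsdns-11.com
ns-1.awsdns-00.org'

if compare_ns_sets "$SAMPLE_PARENT" "$SAMPLE_CHILD"; then
  echo "delegation consistent"
else
  echo "lame or partial delegation: parent and child NS sets differ"
fi
```

Run check_delegation with the subdomain and one of the root zone’s name servers to test a real delegation; a non-zero exit means the parent and child disagree about who serves the subdomain.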

How is NS delegation secured?

The combination of the domain name of a hosted zone and the set of name servers assigned to it is unique [1]. When you delegate a subdomain to another account, the NS record therefore points at a combination of name and name servers that belongs to exactly one hosted zone, so the delegation lands on the zone you intended. The guarantee covers the target, not the cleanup: when the subdomain’s hosted zone is deleted, remove the NS record from the root zone as well, so the root zone does not keep delegating to name servers that no longer serve the name.

👟 Footnotes

  1.