Delegating DNS: Are my AWS Route53 NS records propagating correctly?

by Ovid2020   Last Updated December 01, 2017 03:04 AM

I'm delegating traffic from NameCheap to Route53 on AWS and, after three hours, the site is not up. Chrome is responding with a "This site can't be reached" error page. Granted, we're still well within the 24-48 hours that the Route53 docs say our app may be inaccessible, so this may be a non-issue -- but there's a big deadline on the horizon, and I want to make sure I'm not going to wait 48 hours for something that isn't ever going to work. My hope here is to have some more experienced user let me know if my approach is correct, and whether the report from G Suite Toolbox's Dig indicates that the process is going as it should.

This is the configuration I'm using, which has worked perfectly for three of our other apps:

1) Create a Hosted Zone in AWS Route53 with NS records, the names of which are in the format example.com, an A record (as an alias) pointing to a live Elastic Beanstalk URL, a CNAME record (not an alias) with the value www.example.com, and an SOA record with a value in the format ns-{integer}.awsdns-{integer}.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400.

2) Create 4 NS records in our DNS (NameCheap) that delegate traffic to Route53. Each record uses host www and a value in the format ns-{integer}.awsdns-{integer}.org. The 4 values come directly from the Hosted Zone's NS record values; there is one for .org, .com, .net, and .co.uk.

3) Terminate SSL traffic at the load balancer with a certificate from AWS ACM.

The best tool I've been able to find to test that this is going to work is G Suite Toolbox's Dig. When I enter www.example.com into it, I get the following return:

id {integer}
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
www.example.com. IN NS
;ANSWER
;AUTHORITY
example.com. 53 IN SOA ns-{integer}.awsdns-{integer}.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;ADDITIONAL

The {integers} there after the SOA ns- match the SOA record's {integers} in the Hosted Zone.

Here's the G Suite Dig return I get for one of the three apps we have that use this DNS config and are working, stage.example.com:

id {integer}
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
stage.example.com. IN NS
;ANSWER
stage.example.com. 59 IN NS ns-{integer}.awsdns-{integer}.org.
stage.example.com. 59 IN NS ns-{integer}.awsdns-{integer}.co.uk.
stage.example.com. 59 IN NS ns-{integer}.awsdns-{integer}.com.
stage.example.com. 59 IN NS ns-{integer}.awsdns-{integer}.net.
;AUTHORITY
;ADDITIONAL

All the NS record integers match what is in the Hosted Zone for this subdomain.

The NXDOMAIN state jumps out at me. Is there any reason to believe this config won't successfully transition from NXDOMAIN to NOERROR? The TTLs for all the records in the Hosted Zone are set to the minimum value of 60 seconds. If this is all looking OK, is there anything I can do to speed up the process? If you see something wrong here, what's the best next move?
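Two things can be read off dig output like the responses quoted above. A NOERROR answer whose ANSWER section holds NS records means the resolver found a delegation for exactly the name queried. NXDOMAIN with an SOA in AUTHORITY means the server authoritative for the zone that owns that SOA (here example.com., served by the awsdns servers) replied that the queried name has no records at all, and the SOA's TTL (53 here) is how long resolvers will cache that negative answer. As an added example, not part of the original question, here is a small parser for that output format that classifies a response and compares the NS set it returns with the NS values listed in the Hosted Zone. The sample responses and the ns-1.awsdns-2.* names in it are constructed stand-ins for the {integer} placeholders, and HOSTED_ZONE_NS is an assumed list of what the zone's NS record would show.

```python
"""Parse and classify dig-style NS lookups like the two responses quoted above.
Added example, not part of the original question; the sample responses below are
constructed in the G Suite Toolbox format with made-up ns-1.awsdns-2.* values."""
from dataclasses import dataclass, field

SECTIONS = ("question", "answer", "authority", "additional")

@dataclass
class DigResponse:
    rcode: str = ""
    question: tuple = ("", "")                     # (qname, qtype)
    answer: list = field(default_factory=list)     # (name, ttl, type, rdata)
    authority: list = field(default_factory=list)

def parse_dig(text):
    """Extract rcode, question and the ANSWER/AUTHORITY resource records.
    Accepts the G Suite Toolbox layout (';QUESTION') and plain dig output
    (';; QUESTION SECTION:', status in the ';; ->>HEADER<<-' line)."""
    resp = DigResponse()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            body = line.lstrip(";").strip()
            head = body.split()[0].lower().rstrip(":") if body else ""
            if head in SECTIONS:                   # ';QUESTION' or ';; ANSWER SECTION:'
                section = head
                continue
            if "status:" in body:                  # dig's ';; ->>HEADER<<- ... status: X,'
                resp.rcode = body.split("status:")[1].split(",")[0].strip()
                continue
            if section != "question":              # other comment lines carry nothing we need
                continue
            line = body                            # dig prefixes the question line with ';'
        if section is None:                        # G Suite header, e.g. 'rcode NXDOMAIN'
            key, _, val = line.partition(" ")
            if key == "rcode":
                resp.rcode = val.strip()
        elif section == "question":
            fields = line.split()
            if len(fields) >= 3 and fields[-2] == "IN":
                resp.question = (fields[0], fields[-1])
        elif section in ("answer", "authority"):
            fields = line.split(None, 4)           # name ttl class type rdata
            if len(fields) == 5 and fields[2] == "IN":
                getattr(resp, section).append((fields[0], int(fields[1]), fields[3], fields[4]))
    return resp

def diagnose(resp):
    """('delegated', [ns...]) when the queried name answers with its own NS set;
    ('nxdomain'|'nodata', zone) when the AUTHORITY SOA's zone answered instead."""
    qname, _ = resp.question
    ns_set = sorted(rr[3].lower() for rr in resp.answer if rr[2] == "NS" and rr[0] == qname)
    if resp.rcode == "NOERROR" and ns_set:
        return ("delegated", ns_set)
    soa = [rr for rr in resp.authority if rr[2] == "SOA"]
    if soa:                                        # SOA owner = zone whose server produced the answer
        return ("nxdomain" if resp.rcode == "NXDOMAIN" else "nodata", soa[0][0])
    return ("unknown", None)

def delegation_matches(resp, expected_ns):
    """Compare the returned NS set with the Hosted Zone's NS values: (missing, unexpected)."""
    kind, seen = diagnose(resp)
    seen = set(seen) if kind == "delegated" else set()
    expected = {n.lower().rstrip(".") + "." for n in expected_ns}   # normalise to FQDN
    return (expected - seen, seen - expected)

# Constructed samples in the question's format; the integers are made up.
SAMPLE_NXDOMAIN = """\
rcode NXDOMAIN
flags QR RD RA
;QUESTION
www.example.com. IN NS
;ANSWER
;AUTHORITY
example.com. 53 IN SOA ns-1.awsdns-2.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;ADDITIONAL
"""

SAMPLE_DELEGATED = """\
rcode NOERROR
flags QR RD RA
;QUESTION
stage.example.com. IN NS
;ANSWER
stage.example.com. 59 IN NS ns-1.awsdns-2.org.
stage.example.com. 59 IN NS ns-1.awsdns-2.co.uk.
stage.example.com. 59 IN NS ns-1.awsdns-2.com.
stage.example.com. 59 IN NS ns-1.awsdns-2.net.
;AUTHORITY
;ADDITIONAL
"""

# Assumed NS values as the Hosted Zone's NS record would list them.
HOSTED_ZONE_NS = ["ns-1.awsdns-2.org", "ns-1.awsdns-2.co.uk", "ns-1.awsdns-2.com", "ns-1.awsdns-2.net"]
```

For a live check, feed parse_dig the text of `dig www.example.com NS` (or run `dig +trace www.example.com` separately to watch each referral from the root down). Querying `example.com NS` as well as `www.example.com NS` shows whether the delegation to the awsdns servers is visible at the apex or only at the www label, and delegation_matches should come back as two empty sets for whichever name the Hosted Zone is meant to serve; a non-empty "missing" set after the registrar's TTL has expired points at the delegation rather than at propagation.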


