- Newest
- Most votes
- Most comments
The other question you referenced is correct. To understand how it works, you need to understand a bit about DNS itself. I'm going to give you more information than you probably want, but it's best to understand the fundamentals.
DNS is a hierarchical distributed database. At the top of the hierarchy is the top level domain (TLD). Let's use example.com for illustrative purposes (as described in RFC2606).
.com is the TLD for example.com. When a client, such as your web browser, wants to open example.com, it needs to know what address to send the request to. So the first thing that happens is to query the root servers to find which name servers are responsible for example.com. You can see this with the dig
command. First we can look up the SOA - Start of Authority - for the com TLD.
$ dig com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;com. IN A
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1666967668 1800 900 604800 86400
The response tells us that a.gtld-servers.net
is the start of authority for the .com TLD. We can query that host to find out which server to ask about example.com.
$ dig @a.gtld-servers.net example.com
; <<>> DiG 9.10.6 <<>> @a.gtld-servers.net example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43068
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
This result shows that a.iana-servers.net
is the name server for example.com. This means that example.com is delegated by the root name server - the top of the hierarchy - to the a.iana-servers.net
nameserver (the NS
part shows that this is a name server record). If we want to know where to find example.com, we need to ask that name server directly.
$ dig @a.iana-servers.net example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58415
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
Now we have our result: the IP address for example.com is 93.184.216.34
. A DNS record pointing a name to an IPv4 address is know as an A record.
If the owner of example.com wanted to create a new subdomain such as "test.example.com", they could further delegate by creating NS records that point to other name servers. Then you could query those name servers to find the records for hosts in the test.example.com subdomain.
Bearing this in mind, we can now see how it works with Route 53.
You have two accounts: account A and account B. In account A, you have your domain (example.com). In account B, you want the subdomain test.example.com. First you need to delegate the domain. You create a new hosted zone "test.example.com" within Route 53 in account B. Route 53 will automatically create four NS records for the new hosted zone. Now you can delegate the domain in account A. Create a new resource record. For the name, you use test.example.com, and for the value you enter the NS records given to you by Route 53. In this way you delegate test.example.com from account A to account B.
Now that you have test.example.com delegated, you can create new DNS resource records in Route 53 in account B. You can create your ACM certificate, and then create the CNAME records that ACM requires for validation purposes. Because test.example.com has been delegated correctly, ACM will be able to look up the CNAME record, find that the record exists, and trust that you are in control of that domain. Once this is done, ACM will issue a certificate.
It seems like a lot of steps, but it's possible to automate this entire process using tools like CloudFormation or Terraform.
For a deep dive on DNS, I advise you to go straight to the source: RFC 1591. If you prefer a lighter read, AWS has a nice article on the topic.
Relevant content
- asked 4 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
Thanks, that explained everything.