I have a domain hosted on my own Linode under bind9. I also have a VPC in AWS, and I want to maintain a DNS subdomain under Route53. I tried following the instructions at: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingSubdomain.html
I made the following changes to my /etc/bind9/named.conf:
zone "aws.starshine.org" {
    type slave;
    file "/var/lib/bind/aws.starshine.org";
    masters {
        205.251.197.214;
        205.251.195.5;
        205.251.198.215;
        205.251.192.111;
    };
};
The IP addresses there were gathered from this:
for i in "ns-1494.awsdns-58.org" "ns-773.awsdns-32.net" "ns-1751.awsdns-26.co.uk" "ns-111.awsdns-13.com"; do
    echo -en "$i\t"; dig +short "$i"
done
... and those names were pasted from the output from this command:
aws route53 get-hosted-zone --id /hostedzone/Z24Z8xxxxxxxIN
If I run commands like: dig aws.starshine.org. @ns-111.awsdns-13.com I see the SOA record. If I add ns I see the Amazon NS records. But if I query through normal DNS or through my own authoritative DNS server for starshine.org I don't see the delegation.
Here's what I get from a couple of those dig commands:
dig aws.starshine.org @ns.starshine.org.
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aws.starshine.org @ns.starshine.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49466
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aws.starshine.org. IN A
apogee:/var/lib/bind# dig aws.starshine.org
;; ...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41291
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;aws.starshine.org. IN A
;; AUTHORITY SECTION:
starshine.org. 200 IN SOA ns1.starshine.org. hostmaster.starshine.org. 2014091602 2000 1000 691200 600
I don't understand why I'm getting NXDOMAIN and SERVFAIL in these cases. I've completely restarted my BIND server processes (/etc/init.d/bind9 restart).
I see the following in my logs:
Nov 23 05:26:26 apogee named[1438]: zone aws.starshine.org/IN/internal-in: Transfer started.
Nov 23 05:26:27 apogee last message repeated 2 times
So, what am I doing wrong in my delegation? Do I need to enable something on the AWS Route53 side? It's showing me an SOA and NS records (and one A record that I've added and can query just fine).
(Setting my resolv.conf (on my nodes in the VPC, for example) to point at the AWS DNS name servers does allow me to see the subdomain as one would expect. However, that breaks all other DNS with messages about "Status: REFUSED" and "WARNING: recursion requested but not available".)
I forgot to mention it in my earlier post, but I had also added IN NS "glue" records to my starshine.org zone file like so:
;; GLUE for aws.starshine.org hosted in AWS:
aws.starshine.org.          IN NS ns-1494.awsdns-58.org.
                            IN NS ns-773.awsdns-32.net.
                            IN NS ns-1751.awsdns-26.co.uk.
                            IN NS ns-111.awsdns-13.com.
ns-1494.awsdns-58.org.      IN A  205.251.197.214
ns-773.awsdns-32.net.       IN A  205.251.195.5
ns-1751.awsdns-26.co.uk.    IN A  205.251.198.215
ns-111.awsdns-13.com.       IN A  205.251.192.111
I also tried adding a list of forwarders to my named.conf:
zone "aws.starshine.org" {
    type forward;
    forwarders {
        205.251.197.214;
        205.251.195.5;
        205.251.198.215;
        205.251.192.111;
    };
};
It looks like you're trying to set up a zone transfer, which you can't do, as ChrisV said.
To do a delegation for a sub domain you need only create NS records for the sub in the parent's zone. So in starshine.org's zonefile:
Then you define all your records for the aws.starshine.org. zone in the Route 53 name servers.

It appears that I had some other errors in my starshine.org zone file which were causing my starshine.org name server to give me the SERVFAIL responses. I guess it was also giving cached responses from the secondaries, and the errors weren't obvious in my logs.
What did work was installing the nslint package (Debian) ... running it and walking over each error, fixing it, until the error went away.
In this case the delegation works with just the "glue" records in my zone file ... and I'm not attempting to slave nor even define forwarders in my named.conf.
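The answer above makes the point that a delegation is nothing more than NS records for the child name in the parent zone, and the asker's "glue" block shows what that looks like in practice. The script below is an added example, not code from the question, the answer, or BIND: it parses a small constructed fragment of a starshine.org-style zone file (using the quoted NS names and IPs plus one hypothetical in-bailiwick server, ns1.aws.starshine.org) and reports what a resolver would actually get from the parent: the NS set, which A records are real glue (names inside the delegated child zone, where glue is mandatory), which A records BIND drops as out-of-zone data when loading the zone (the awsdns names, which is harmless because resolvers look those up on their own), and which in-bailiwick name servers are missing the glue they need.

```python
"""Check a BIND-style parent zone for a subdomain delegation.

Added example, not from the original question or answer. The zone text is a
constructed fragment modelled on the question's glue block; the NS names and
addresses are the ones quoted in the question, ns1.aws.starshine.org and the
192.0.2.1 address are hypothetical, added to show the missing-glue case.
"""

PARENT_ZONE = "starshine.org."
CHILD_ZONE = "aws.starshine.org."

# Constructed zone fragment (leading whitespace means "same owner as the
# previous record", exactly as BIND reads a master file).
PARENT_ZONE_TEXT = """\
starshine.org.   IN SOA ns1.starshine.org. hostmaster.starshine.org. 2014091602 2000 1000 691200 600
                 IN NS  ns1.starshine.org.
ns1.starshine.org. IN A 192.0.2.1
;; GLUE for aws.starshine.org hosted in AWS:
aws.starshine.org.       IN NS ns-1494.awsdns-58.org.
                         IN NS ns-773.awsdns-32.net.
                         IN NS ns-1751.awsdns-26.co.uk.
                         IN NS ns-111.awsdns-13.com.
                         IN NS ns1.aws.starshine.org.
ns-1494.awsdns-58.org.   IN A 205.251.197.214
ns-773.awsdns-32.net.    IN A 205.251.195.5
ns-1751.awsdns-26.co.uk. IN A 205.251.198.215
ns-111.awsdns-13.com.    IN A 205.251.192.111
"""


def _fqdn(name):
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_zone(text):
    """Return a list of (owner, rtype, rdata) from a simple master-file text.

    Handles ';' comments, the blank-owner continuation convention, and the
    optional TTL and class fields. $ORIGIN/$TTL directives and multi-line
    parentheses are not needed for this fragment and are not supported.
    """
    records = []
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():               # explicit owner on this line
            owner = _fqdn(fields.pop(0))
        if fields and fields[0].isdigit():     # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((owner, rtype, " ".join(fields)))
    return records


def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(zone_text, parent, child):
    """Classify the NS set and A records the parent zone holds for child."""
    parent, child = _fqdn(parent), _fqdn(child)
    recs = parse_zone(zone_text)
    ns_names = [_fqdn(rd) for o, t, rd in recs if o == child and t == "NS"]
    a_by_name = {}
    for o, t, rd in recs:
        if t == "A":
            a_by_name.setdefault(o, []).append(rd)

    report = {"ns": ns_names, "glue_served": {}, "glue_ignored": {}, "glue_missing": []}
    for ns in ns_names:
        addrs = a_by_name.get(ns, [])
        if in_zone(ns, child):
            # Name server lives inside the delegated zone: without glue a
            # resolver has no way to reach it (circular dependency).
            if addrs:
                report["glue_served"][ns] = addrs
            else:
                report["glue_missing"].append(ns)
        elif not in_zone(ns, parent) and addrs:
            # BIND logs "ignoring out-of-zone data" and never serves these;
            # resolvers resolve the awsdns names through their own parents.
            report["glue_ignored"][ns] = addrs
    report["delegated"] = bool(ns_names)
    return report


if __name__ == "__main__":
    r = check_delegation(PARENT_ZONE_TEXT, PARENT_ZONE, CHILD_ZONE)
    print("delegated:", r["delegated"])
    print("NS set:", ", ".join(r["ns"]))
    print("glue served (in-bailiwick):", r["glue_served"])
    print("A records BIND ignores (out of zone):", r["glue_ignored"])
    print("in-bailiwick NS missing glue:", r["glue_missing"])
```

Run it against your real parent zone text (minus anything the parser does not support) to confirm the NS set is present before looking at the name server itself; if the NS set is there and the parent still answers SERVFAIL or NXDOMAIN, the problem is elsewhere in the zone, which is exactly what nslint turned up in this case.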