I am attempting to do conditional forwarding of a particular zone to a set of Amazon Route 53 nameservers that are authoritative for that zone. When I try to add the nameservers, it fails validation, with the not-so-useful error message "A timeout occurred during validation".
If I attempt to query records in the zone from that nameserver from the command line (via something like nslookup host.example.com ns-000.awsdns-00.com), it works properly.
The error prevents me from being able to click "OK" and create the conditional forwarding zone at all.
It appears that the validation process is trying to query the root zone SOA record from the Route 53 nameserver, and the Route 53 nameserver simply does not respond to that request. (I would argue that this is an invalid validation; it's requesting a record completely out of the scope of what's being configured. That said, it would be nice if the Route 53 nameservers would respond with SERVFAIL or REFUSED instead of failing to respond at all and letting the client time out.)
I was able to work around this by creating the zone with only a nameserver that responded to a request for the root SOA record, like 8.8.8.8. Then, once the zone is created, edit the zone to add the correct nameservers and delete the one that was added to trick Microsoft DNS into allowing the zone to be created.
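One way to check, before adding a forwarder, whether a candidate nameserver answers a root SOA query at all, next to an SOA query for the zone being forwarded. This is an added example, not part of the original post; the function names, the RD=0 flag and the 3-second timeout are assumptions, and the exact query the Microsoft DNS validation sends is not known from the post.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
SOA = 6  # DNS record type number for SOA

def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query (class IN, RD=0 by assumption)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]  # "." yields no labels
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_rcode(response, txid=0x1234):
    """Return the RCODE name of a reply, or None if it is not a reply to txid."""
    if len(response) < 12:
        return None
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:  # QR bit must mark it as a response
        return None
    code = flags & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def probe(server, name, qtype=SOA, timeout=3.0):
    """Send one UDP query; return the RCODE name, or 'TIMEOUT' if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data) or "MALFORMED"

def check_forwarder(server, zone):
    """Compare the out-of-scope root SOA probe with an in-zone SOA probe."""
    return {"root_soa": probe(server, "."), "zone_soa": probe(server, zone)}

if __name__ == "__main__":
    import sys
    # Usage: python check_forwarder.py <nameserver IP or hostname> <zone>
    print(check_forwarder(sys.argv[1], sys.argv[2]))
```

A result of `root_soa: TIMEOUT` together with `zone_soa: NOERROR` matches the behaviour described in the post: the server is healthy for its own zone but silent for the root.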