
I have a domain hosted on my own Linode under BIND9. I also have a VPC in AWS, and I want to maintain a DNS subdomain under Route53. I tried following the instructions at: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingSubdomain.html

Made the following changes to my /etc/bind9/named.conf:

  zone "aws.starshine.org" {
      type slave;
      file "/var/lib/bind/aws.starshine.org";
      masters {
          205.251.197.214;
          205.251.195.5;
          205.251.198.215;
          205.251.192.111;
      };
  };

The IP addresses there were gathered from this:

 for i in "ns-1494.awsdns-58.org" "ns-773.awsdns-32.net" "ns-1751.awsdns-26.co.uk" "ns-111.awsdns-13.com"; do
     echo -en "$i\t"; dig +short "$i"
 done

... and those names were pasted from the output from this command:

aws route53 get-hosted-zone --id /hostedzone/Z24Z8xxxxxxxIN

If I run commands like: dig aws.starshine.org. @ns-111.awsdns-13.com I see the SOA record. If I add ns to the query I see the Amazon NS records. But if I query through normal DNS or through my own authoritative DNS server for starshine.org I don't see the delegation.

Here's what I get from a couple of those dig commands:

dig aws.starshine.org @ns.starshine.org.

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aws.starshine.org @ns.starshine.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49466
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aws.starshine.org.             IN      A

apogee:/var/lib/bind# dig aws.starshine.org

;; ...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41291
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;aws.starshine.org.             IN      A

;; AUTHORITY SECTION:
starshine.org.          200     IN      SOA     ns1.starshine.org. hostmaster.starshine.org. 2014091602 2000 1000 691200 600

I don't understand why I'm getting NXDOMAIN and SERVFAIL in these cases. I've completely restarted my BIND server processes (/etc/init.d/bind9 restart).

I see the following in my logs:

Nov 23 05:26:26 apogee named[1438]: zone aws.starshine.org/IN/internal-in: Transfer started.
Nov 23 05:26:27 apogee last message repeated 2 times

So, what am I doing wrong in my delegation? Do I need to enable something on the AWS Route53 side? It's showing me an SOA and NS records (and one A record that I've added and can query just fine).

(Setting my resolv.conf (on my nodes in the VPC, for example) to point at the AWS DNS name servers does allow me to see the subdomain as one would expect. However, that breaks all other DNS with messages about: Status: REFUSED and WARNING: recursion requested but not available.)

I forgot to mention it in my earlier post, but I did also add IN NS "glue" records to my starshine.org zone file like so:

;; Delegation of aws.starshine.org to the Route53 name servers:
aws.starshine.org.      IN  NS  ns-1494.awsdns-58.org.
                        IN  NS  ns-773.awsdns-32.net.
                        IN  NS  ns-1751.awsdns-26.co.uk.
                        IN  NS  ns-111.awsdns-13.com.

;; These A records are outside the starshine.org zone, so BIND drops them
;; when loading the zone ("ignoring out-of-zone data"); they do not act as glue.
ns-1494.awsdns-58.org.      IN  A   205.251.197.214
ns-773.awsdns-32.net.       IN  A   205.251.195.5
ns-1751.awsdns-26.co.uk.    IN  A   205.251.198.215
ns-111.awsdns-13.com.       IN  A   205.251.192.111

I also tried adding a list of forwarders to my named.conf:

zone "aws.starshine.org" {
    type forward;
    forwarders {
        205.251.197.214;
        205.251.195.5;
        205.251.198.215;
        205.251.192.111;
    };
};
Jim Dennis
  • Don't think it's possible to do zone transfers from Route53. https://forums.aws.amazon.com/thread.jspa?threadID=88666 –  Nov 23 '14 at 11:17
  • Jim, thanks for a well-written and well-thought-out question - and for not redacting the domain name in question, which made researching the answer much easier! – MadHatter Nov 23 '14 at 22:17
  • MadHatter: I do usually redact IP and domain information from most questions. But this involved public facing DNS ... so the information is public anyway. – Jim Dennis Nov 23 '14 at 22:30

2 Answers


It looks like you're trying to set up a zone transfer which you can't do, as ChrisV said.

To do a delegation for a subdomain you need only create NS records for the subdomain in the parent's zone.

So in starshine.org's zonefile:

aws    IN  NS    ns-1494.awsdns-58.org.
aws    IN  NS    ns-773.awsdns-32.net.
aws    IN  NS    ns-1751.awsdns-26.co.uk.
aws    IN  NS    ns-111.awsdns-13.com.

Then you define all your records for the aws.starshine.org. zone in the route 53 name servers.

MadHatter
briantist
  • By the way I wrote this on my phone from memory, and may have messed up the BIND syntax, but the principle is the same. I'll check it when I get to a computer. – briantist Nov 23 '14 at 16:16
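To check a parent zone file for exactly the two things this answer and the question turn on (are there NS records for the child at all, and are the "glue" A records actually inside the zone), here is an added example that is not part of the question or of either answer. It parses only the subset of zone-file syntax that appears on this page (one record per line, `;` comments, `@`, relative names, owner-name inheritance from the previous line, `$ORIGIN`/`$TTL`; multi-line parenthesised records are not handled). The sample zone is constructed for the example: the Route53 name-server names and addresses are copied from the question, and 192.0.2.10 is a documentation address standing in for ns1.

```python
"""Offline delegation check for a BIND parent zone file (added example).

Reports whether the parent carries NS records for the child (the
delegation itself), flags A/AAAA records whose owner lies outside the
zone (BIND drops those with "ignoring out-of-zone data", so they are not
glue), and flags in-zone NS names that have no address record here.
"""


def _fqdn(name):
    """Lower-case a name and make sure it carries a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _absolute(name, origin):
    """Expand a zone-file name ('@', relative, or absolute) to an FQDN."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, rtype, rdata) tuples from zone-file text."""
    origin = _fqdn(origin)
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip ';' comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1], origin)
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if line[0] in " \t":
            owner = last_owner                     # blank owner: inherit
        else:
            owner = _absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():
            fields.pop(0)                          # optional TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                          # optional class
        if not fields:
            continue
        rtype = fields[0].upper()
        rdata = " ".join(fields[1:])
        if rtype in ("NS", "CNAME", "PTR"):        # name-valued rdata
            rdata = _absolute(rdata, origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def _in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def check_delegation(records, origin, child):
    """Describe the delegation of `child` inside the parent zone `origin`."""
    origin, child = _fqdn(origin), _fqdn(child)
    ns_targets = [r for o, t, r in records if o == child and t == "NS"]
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    findings = []
    if not ns_targets:
        findings.append(f"no NS records for {child}: it is not delegated")
    for o, t, _ in records:
        if t in ("A", "AAAA") and not _in_zone(o, origin):
            findings.append(f"{t} record for {o} is out of zone; "
                            "BIND ignores it, so it is not glue")
    for ns in ns_targets:
        if _in_zone(ns, origin) and ns not in has_addr:
            findings.append(f"NS {ns} is inside {origin} but has no "
                            "A/AAAA record here")
    return {"delegated": bool(ns_targets),
            "nameservers": ns_targets,
            "findings": findings}


# Constructed sample parent zone; NS names and 205.251.x.x addresses are
# the ones quoted in the question, 192.0.2.10 is a documentation address.
SAMPLE_ZONE = """\
$TTL 200
@   IN  SOA ns1.starshine.org. hostmaster.starshine.org. 2014091602 2000 1000 691200 600
    IN  NS  ns1.starshine.org.
ns1 IN  A   192.0.2.10
;; delegation of aws.starshine.org to Route53
aws IN  NS  ns-1494.awsdns-58.org.
    IN  NS  ns-773.awsdns-32.net.
    IN  NS  ns-1751.awsdns-26.co.uk.
    IN  NS  ns-111.awsdns-13.com.
;; out-of-zone "glue" that BIND will drop
ns-1494.awsdns-58.org.  IN  A   205.251.197.214
"""


def check_sample():
    """Run the check over SAMPLE_ZONE for aws.starshine.org."""
    records = parse_zone(SAMPLE_ZONE, "starshine.org.")
    return check_delegation(records, "starshine.org.", "aws.starshine.org.")


if __name__ == "__main__":
    report = check_sample()
    print("delegated:", report["delegated"], "to", report["nameservers"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the sample, it reports the four Route53 name servers as the delegation and one finding, the out-of-zone A record; drop the four `aws` NS lines and it reports no delegation at all, which is the condition behind the NXDOMAIN in the question. It does not check syntax the way `named-checkzone` or `nslint` does; run one of those as well before reloading the zone.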

It appears that I had some other errors in my starshine.org zone file which were causing my starshine.org name server to give me the SERVFAIL responses. I guess it was also giving cached responses from the secondaries, and the errors weren't obvious in my logs.

What did work was installing the nslint package (Debian) ... running it and walking over each error, fixing it, until the error went away.

In this case the delegation works with just the "glue" records in my zone file ... and I'm not attempting to slave nor even define forwarders in my named.conf.

Jim Dennis