
I am working on a project in AWS where the domain name that we need to use isn't controlled by us. So, they have CNAME'd a subdomain to us. In our F5, we added an NS record for the AWS nameserver that was assigned in Route53. When I do a dig on the name, I can see the CNAME and it getting to us, but it never gets to the AWS nameservers or the final A record that is in that ZoneRecord.

Is it possible to go from a CNAME to an NS to an A record? Or, what finally needs to happen, is CNAME to NS to an API Gateway?

I've seen examples that have parts of the problem, but haven't been able to find any examples or documentation that details what exactly I'm trying to do.

I've also tried taking F5 out of the equation by making my own domain setup as follows:

test.domain1.tld CNAME to test.cname.domain2.tld
test.cname.domain2.tld IN NS ns-2134.awsdns-12.org

in AWS Route53 hostedzone test.domain1.tld:

test.domain1.tld A 123.123.123.123

1 Answer


You have a logical error. The resolving steps on the client (your host) are:

  1. Resolve test.domain1.tld at your name server (NS of domain1.tld) ⇒ CNAME test.cname.domain2.tld
  2. Exchange the domain to-be-resolved to test.cname.domain2.tld as per previous response ("canonical name").
  3. Resolve test.cname.domain2.tld at the name server of cname.domain2.tld (which probably is the NS of domain2.tld) ⇒ NS ns-2134.awsdns-12.org
  4. Resolve test.cname.domain2.tld at the AWS NS ns-2134.awsdns-12.org ⇒ NXDOMAIN (non-existing domain)

The point is that step 2 replaces the domain in question, so the original domain never hits the AWS NS. You could either use test.cname.domain2.tld in the AWS NS, but as you said you have no control over it, you probably should just change step 1: test.domain1.tld NS ns-2134.awsdns-12.org. An NS record puts a delegation into your name server, so any A/AAAA/… (not all, but many) request will be redirected to the specified NS.

If any name server is configured to allow recursion, and the recursive bit is set on the request (it almost always is set by the clients), then this name server would take on the client's role in the further resolving. But the steps would stay the same, just executed by the recursive server as the client on the original client's behalf. The original client would then get the final answer, as if it had been provided by this recursive name server directly (transparently).

nix
  • I don't understand. Does CNAME not work like a breadcrumb trail? domain1 -> domain2 -> has NS records for AWS -> AWS NS has A record. Since we can't control domain1, all we get is a CNAME to our domain (domain2). I've tried using test.cname.domain2.tld in AWS and still get `NXDOMAIN`. Is there any way to make this happen without changing domain1's CNAME to use NS records instead? – CodingForFunAndProfit Dec 20 '18 at 00:57
  • No, CNAME really replaces the domain. A CNAME record means the requested domain is resolved to be an alias of the stored domain. After that the canonical name is used for further resolving. - Have you ensured that domain2 has an NS entry to delegate to the AWS NS? – nix Dec 20 '18 at 15:46
  • It's working now! The problem was that in AWS I was using domain1 as the hostedzone, when I needed to use domain2. Understanding that the CNAME completely replaces the domain is what made the difference! Thanks! – CodingForFunAndProfit Dec 20 '18 at 16:43
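The resolution steps from the answer, played through as an added example (my own toy resolver, not code from the question or the answer). It walks an in-memory model of the three name servers and shows why the hosted zone keyed on domain1 ends in NXDOMAIN, why keying it on the CNAME target (the fix from the comments) succeeds, and why the answer's alternative of an NS record at test.domain1.tld works too. Server names such as ns.domain1.tld are assumptions; the address and the AWS name-server name are the placeholders from the thread.

```python
from typing import Dict, List, Tuple

# A server is a flat map: owner name -> (record type, rdata). Zone data is constructed
# to mirror the thread; the address and AWS name-server name are its placeholders.
Server = Dict[str, Tuple[str, str]]
AWS_NS = "ns-2134.awsdns-12.org"
PARENTS = {"domain1.tld": "ns.domain1.tld", "domain2.tld": "ns.domain2.tld"}
A_RECORD = ("A", "123.123.123.123")

def scenario(domain1_rr: Tuple[str, str], aws_zone: Server) -> Dict[str, Server]:
    """Build the three servers: domain1's, domain2's (delegating to AWS) and the AWS one."""
    return {
        "ns.domain1.tld": {"test.domain1.tld": domain1_rr},
        "ns.domain2.tld": {"test.cname.domain2.tld": ("NS", AWS_NS)},
        AWS_NS: aws_zone,
    }

def parent_server(name: str) -> str:
    """Stand-in for root/TLD referrals: the parent-zone server with the longest matching suffix."""
    apex = max((z for z in PARENTS if name == z or name.endswith("." + z)), key=len)
    return PARENTS[apex]

def resolve(qname: str, servers: Dict[str, Server], max_hops: int = 8) -> Tuple[str, List[str]]:
    """Iterate like a resolver would; returns (A rdata or 'NXDOMAIN', trail of queries made)."""
    server, trail = parent_server(qname), []
    for _ in range(max_hops):
        rr = servers[server].get(qname)
        trail.append(f"ask {server} for {qname} -> " + (" ".join(rr) if rr else "NXDOMAIN"))
        if rr is None:
            return "NXDOMAIN", trail          # name not present at the server we were sent to
        rtype, rdata = rr
        if rtype == "A":
            return rdata, trail
        if rtype == "CNAME":
            qname = rdata                     # the canonical name replaces the query name ...
            server = parent_server(qname)     # ... and resolution starts over for that name
        else:                                 # NS: delegation, same name, ask the named server
            server = rdata
    return "NXDOMAIN", trail                  # hop limit hit (e.g. a CNAME loop)

# Original setup (hosted zone keyed on domain1), the comments' fix (keyed on domain2), the answer's NS alternative.
CNAME_RR = ("CNAME", "test.cname.domain2.tld")
ORIGINAL = scenario(CNAME_RR, {"test.domain1.tld": A_RECORD})
FIXED = scenario(CNAME_RR, {"test.cname.domain2.tld": A_RECORD})
NS_INSTEAD = scenario(("NS", AWS_NS), {"test.domain1.tld": A_RECORD})

if __name__ == "__main__":
    for label, servers in (("original", ORIGINAL), ("fixed", FIXED), ("ns-instead", NS_INSTEAD)):
        print(label, *resolve("test.domain1.tld", servers), sep="\n  ")
```

The trail for the original setup ends with the AWS server being asked for test.cname.domain2.tld, the name the CNAME substituted, which the domain1-keyed hosted zone never contains.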