
I have deleted and created an AWS Route 53 hosted zone and I want to add a public SSL certificate created and managed by the Certificate Manager (ACM) service.

The docs state that creation may take up to 48 hours to complete:

If you delete a hosted zone, you can't undelete it. You must create a new hosted zone and update the name servers for your domain registration, which can require up to 48 hours to take effect.

The question is: How would I know if the recreated hosted zone is ready to have a CNAME record set attached to validate the ACM certificate? Should I sit back for 48 hours to guarantee it?

Note: I am creating the certificate with CloudFormation, and if the certificate is not validated within 12 hours, the stack creation fails and rolls back. That's why I cannot put the CNAME record on the hosted zone instantly and wait for it to be validated whenever possible.


1 Answer

This mostly has to do with whether the domain can actually resolve. So presuming that you have some sort of record configured, you can verify that it resolves.

A simple test would be to create a TXT record, or some other record in the domain, and then resolve it using dig, drill or nslookup.

Example: dig example.com will return results such as:

; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48750
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com.           IN  A

;; ANSWER SECTION:
example.com.        4257    IN  A   93.184.216.34

;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat May 18 21:29:18 CEST 2019
;; MSG SIZE  rcvd: 56

The line to look for here is example.com. 4257 IN A 93.184.216.34, which means it resolved successfully.

    A Route53 hosted zone, indeed, is generated with default record sets (one NS and one SOA), so I do not need to bother with creating a test record set. If it is ok and you mean the important section is `;; ANSWER SECTION:`, mine does not have one yet :) – vahdet May 18 '19 at 20:00
  • @vahdet yeah, that should work, or you can simply look for the SOA or NS record. – colde May 19 '19 at 10:13
  • Upvoted as it is great info supplied. However, I have observed that the certificate was issued even if no `ANSWER SECTION` appeared. It's interesting. – vahdet May 19 '19 at 13:15
  • @vahdet yeah, that's to be expected. TTL depends on when the server asked last, so your local resolver might be different than AWS's resolver. You can do `dig +trace example.com` to get around that – colde May 19 '19 at 23:41
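The check the answer and the comments converge on, as an added example that is not code from the original post or from AWS: instead of asking a caching resolver (whose missing ANSWER SECTION says nothing about what ACM's resolver sees), ask the public DNS tree with `dig +trace` and then the new zone's own name servers directly, and only call the zone "ready" when the delegation is exactly the new hosted zone's NS set and every one of those servers already serves the ACM validation CNAME. The script assumes `dig` is on PATH; the `awsdns` hostnames, the `_a1b2c3`/`_d4e5f6` validation labels and the `SAMPLE_TRACE` output are constructed for illustration, and the function names are the example's own.

```python
"""Tell whether a recreated Route 53 hosted zone is the one the public DNS tree
actually delegates to, before betting a CloudFormation ACM validation on it.

Added example, not code from the original post: it shells out to `dig` (assumed
to be on PATH) and parses its output. Every awsdns hostname, validation label and
the SAMPLE_TRACE string below are constructed for illustration.
"""
import re
import subprocess
from typing import Iterable

# One resource record as dig prints it:  example.com.  172800  IN  NS  ns-1.awsdns-00.org.
# Records whose rdata has several fields (DS, RRSIG, SOA) deliberately do not match.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)\s*$", re.M
)


def fqdn(name: str) -> str:
    """Lowercase with exactly one trailing dot, the form dig uses for names."""
    return name.lower().rstrip(".") + "."


def parse_rrs(dig_output: str, owner: str, rtype: str) -> set:
    """Rdata of every record in dig's output with the given owner name and type.

    `dig +trace` prints the root and TLD referrals on the way down, so the owner
    filter is what keeps a root-server NS line out of the zone's delegation set.
    An empty set is the "no ANSWER SECTION" case discussed in the comments.
    """
    want = fqdn(owner)
    return {
        fqdn(m.group("rdata"))
        for m in RR_LINE.finditer(dig_output)
        if fqdn(m.group("owner")) == want and m.group("type") == rtype
    }


def delegation_matches(expected_ns: Iterable[str], observed_ns: Iterable[str]) -> bool:
    """True only when the observed NS set is exactly the new hosted zone's NS set.

    A partial overlap is not "almost ready": every server in the parent's NS set
    gets a share of the queries, and after a zone deletion the old servers are no
    longer under your control, so the ACM CNAME can be invisible to some queries.
    """
    expected = {fqdn(n) for n in expected_ns}
    observed = {fqdn(n) for n in observed_ns}
    return bool(expected) and expected == observed


def run_dig(*args: str) -> str:
    """Run dig with the given arguments and return its text output (needs network)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, check=True).stdout


def delegation_seen_by_the_tree(zone: str) -> set:
    """NS names for the zone along a full `+trace`: the TLD's referral and the final
    authoritative answer together. If the two disagree (stale registrar NS versus
    the new zone), the union contains stray servers and delegation_matches() fails,
    which is the conservative answer we want."""
    return parse_rrs(run_dig("+trace", zone, "NS"), zone, "NS")


def answer_from_server(name: str, rtype: str, server: str) -> set:
    """Ask one name server directly, bypassing every resolver cache on the way."""
    return parse_rrs(run_dig(f"@{server}", "+noall", "+answer", name, rtype), name, rtype)


def ready_for_acm(zone: str, new_zone_ns: Iterable[str], cname: str, target: str) -> bool:
    """Delegation is live AND each of the new zone's servers already serves the ACM CNAME."""
    if not delegation_matches(new_zone_ns, delegation_seen_by_the_tree(zone)):
        return False
    return all(answer_from_server(cname, "CNAME", ns) == {fqdn(target)} for ns in new_zone_ns)


# Constructed sample of `dig +trace example.com NS`, trimmed to the record lines.
SAMPLE_TRACE = """\
.\t\t518400\tIN\tNS\ta.root-servers.net.
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 9 ms

com.\t\t172800\tIN\tNS\ta.gtld-servers.net.
;; Received 1170 bytes from 198.41.0.4#53(a.root-servers.net) in 30 ms

example.com.\t\t172800\tIN\tNS\tns-123.awsdns-15.com.
example.com.\t\t172800\tIN\tNS\tns-456.awsdns-56.net.
;; Received 300 bytes from 192.5.6.30#53(a.gtld-servers.net) in 40 ms

example.com.\t\t172800\tIN\tNS\tns-123.awsdns-15.com.
example.com.\t\t172800\tIN\tNS\tns-456.awsdns-56.net.
;; Received 120 bytes from 205.251.192.123#53(ns-123.awsdns-15.com) in 20 ms
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample; for a real zone call ready_for_acm()
    # with the NS set Route 53 assigned to the new hosted zone.
    seen = parse_rrs(SAMPLE_TRACE, "example.com", "NS")
    print(sorted(seen))  # ['ns-123.awsdns-15.com.', 'ns-456.awsdns-56.net.']
    print(delegation_matches(["ns-123.awsdns-15.com", "ns-456.awsdns-56.net"], seen))  # True
    print(delegation_matches(["ns-123.awsdns-15.com", "ns-789.awsdns-01.org"], seen))  # False
```

The expected NS set is the one Route 53 assigned to the new hosted zone (its default NS record set; `aws route53 get-hosted-zone --id <zone-id>` returns it under `DelegationSet.NameServers`); it is deliberately compared for exact equality, because after a delete-and-recreate the registrar may still list the old zone's servers, and a delegation that mixes old and new servers sends part of the traffic to name servers you no longer control. Polling `ready_for_acm()` from a pre-step and creating the CloudFormation stack only when it returns True keeps the 12-hour ACM validation window from starting before the zone is reachable.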