
I registered my domain through AWS.
In my organization account, there is a hosted zone for "mydomain.com".

In my Q&A account, I created a hosted zone for "test.mydomain.com".
I copied the 4 NS rules generated in the domain hosted zone (mydomain.com).

In mydomain.com HZ
NAME: test.mydomain.com
VALUE: ns-xxxx.awsdns-xx.org.
       ns-xxx.awsdns-xx.net.
       ns-xxx.awsdns-xx.com.
       ns-xxxx.awsdns-xx.co.uk.

My problem starts here.
I want to create an SSL certificate through ACM in my Q&A account (for test.mydomain.com).
My certificate looks like this:

In test.mydomain.com HZ
TYPE: CNAME
DOMAIN: test.mydomain.com
NAME: _xxxxx.test.mydomain.com.
VALUE: _xxxxx.yyyyy.acm-validations.aws.

TYPE: CNAME
DOMAIN: *.test.mydomain.com
NAME: _xxxxx.test.mydomain.com.
VALUE: _xxxxx.yyyyy.acm-validations.aws.

I used the AWS option "Create records in R53", which created the records in R53 (in test.mydomain.com). I double-checked the records and they are correctly generated.

24 hours later, still no propagation, and I'm stuck there, not understanding what is going wrong.

First edit after @jordanm's comment

http    _xxxxx.test.mydomain.com    The remote name could not be resolved: '_xxxxx.test.mydomain.com' (http://_xxxxx.test.mydomain.com)
dns _xxxxx.test.mydomain.com    DNS Record not found     
spf _xxxxx.test.mydomain.com    No SPF Record found  
mx  _xxxxx.test.mydomain.com    DNS Record not found

I still do not understand why my rule is not propagating. No problem is reported (except mx) for test.mydomain.com.

Thank you for your time :)

IQbrod
  • The endpoint for `test.mydomain.com` is a load balancer? Have you attached the cert to it? – Riz Apr 11 '22 at 14:31
  • I have no endpoint attached to it yet, as the endpoint expects the certificate to be valid. They will be API Gateway, like myapp.test.mydomain.com. Here is my current error if I try to push my stack: "Unable to create domain myapp.test.mydomain.com: Could not find the certificate *.test.mydomain.com" – IQbrod Apr 11 '22 at 14:33
  • 2
    Have you tried to nslookup or dig `_xxxxx.test.mydomain.com` to see if the records are showing? Have you checked your domain's DNS on a DNS checking site? – jordanm Apr 11 '22 at 14:39
  • @jordanm No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for _xxxxx.test.mydomain.com – IQbrod Apr 11 '22 at 14:43
  • 3
    If the records appear in the route53 UI but are not returned in a DNS query, then there is likely an issue with the configuration of your domain. I would recommend checking your domain here https://mxtoolbox.com/dnscheck.aspx and also verify you have properly configured the nameserver with your registrar – jordanm Apr 11 '22 at 14:47
  • @jordanm Edited my post accordingly; I do not understand what is wrongly set up on my side tbh – IQbrod Apr 11 '22 at 15:14
  • @IQbrod In summary, you have mydomain.com in the main account and test.mydomain.com in the sub-account. Can you check your sub-domain delegation? There is no information, so it's not easy to check, but these steps can help: **Step 1**: Create the hosted zone for test.mydomain.com in the sub-account. **Step 2**: Copy the 4 NS. **Step 3**: Update them in the hosted zone of mydomain.com in the main account. – Franxi Hidro Apr 11 '22 at 15:59
  • @franxihidro It's exactly the process I followed. I did not update the DNS NS; AWS created a "default" hosted zone and linked NS. I've updated the NS of my registered domain with the NS of my HZ... I'll keep you guys up to date on the subject :) – IQbrod Apr 11 '22 at 16:03
  • What is "linked NS"? If you create a sub-domain in a sub-account and don't update it in the main account, how can AWS know you are the owner? Are you using a private zone? – Franxi Hidro Apr 11 '22 at 16:13
  • @franxihidro It is updated. In the main account, after purchasing the domain I did not update the registered domain's hosted zone (still pointing to the default one) and it was not pointing to the hosted zone – IQbrod Apr 11 '22 at 16:16

1 Answer


So, as mentioned in the comments, AWS assigns a default NS set to your domain.
One should update the NS of the registered domain (here mydomain.com) to the values of the hosted zone's NS rules. :) Hope this helps

IQbrod
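As an added example (not code from the question or the answer), here is a small offline model of the delegation chain the comments describe: the ACM validation CNAME that exists in the test.mydomain.com hosted zone is only reachable when the registered domain's name servers point at the hosted zone that holds the delegation. All name server names are constructed placeholders.

```python
# Added example, not code from the question or the answer: a toy resolver that walks
# registrar -> mydomain.com hosted zone -> test.mydomain.com hosted zone to show why a
# record visible in the Route 53 console is still unreachable when the registered
# domain points at the "default" name server set instead of the hosted zone's.
# Every name server name below is a constructed placeholder.

def norm(name: str) -> str:
    """Canonicalise a DNS name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")

def ns_set(names) -> frozenset:
    return frozenset(norm(n) for n in names)

# Constructed name server sets (placeholders, not real AWS servers).
DEFAULT_NS = ["ns-1999.awsdns-99.org.", "ns-900.awsdns-90.net."]   # assigned at purchase, serves nothing useful
PARENT_NS = ["ns-1555.awsdns-05.org.", "ns-666.awsdns-06.net."]    # mydomain.com hosted zone (main account)
CHILD_NS = ["ns-1111.awsdns-11.org.", "ns-222.awsdns-22.net."]     # test.mydomain.com hosted zone (sub-account)

# Which records each server set serves: {(owner, type): value}.
ZONES = {
    ns_set(DEFAULT_NS): {},
    ns_set(PARENT_NS): {("test.mydomain.com", "NS"): CHILD_NS},
    ns_set(CHILD_NS): {("_xxxxx.test.mydomain.com", "CNAME"): "_xxxxx.yyyyy.acm-validations.aws"},
}

def resolve(registrar_ns, qname: str, qtype: str, max_hops: int = 5):
    """Follow delegations from the registrar's NS set; return the record value or None."""
    servers, qname = ns_set(registrar_ns), norm(qname)
    for _ in range(max_hops):
        zone = ZONES.get(servers)
        if zone is None:
            return None                      # these servers do not serve the zone at all
        if (qname, qtype) in zone:
            return zone[(qname, qtype)]
        # Find the most specific NS delegation that covers qname.
        cuts = [(owner, ns) for (owner, rtype), ns in zone.items()
                if rtype == "NS" and (qname == owner or qname.endswith("." + owner))]
        if not cuts:
            return None                      # no record and no delegation: "DNS Record not found"
        servers = ns_set(max(cuts, key=lambda c: len(c[0]))[1])
    return None

def acm_validation_visible(registrar_ns) -> bool:
    """True when a resolver starting from the registrar would see the ACM CNAME."""
    return resolve(registrar_ns, "_xxxxx.test.mydomain.com.", "CNAME") is not None

if __name__ == "__main__":
    print("registrar on default NS :", acm_validation_visible(DEFAULT_NS))   # False, the question's state
    print("registrar on zone NS    :", acm_validation_visible(PARENT_NS))    # True, after the answer's fix
```

The same check against live DNS is `dig NS mydomain.com` at the registrar's parent versus the NS RRset shown in the hosted zone; if the two sets differ, the records in the zone are never consulted, however correct they look in the console.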