Setting up a DNS zone in Route53

Setting up the Zone

Add the following targets to the Makefile in the infrastructure git project (recipe lines must be indented with a tab):

.PHONY: app-prod-dns
# Deploys (creates or updates) the dns-<STAGE> stack. Both STAGE and
# AWS_REGION are required: Route53 is global, but the stack itself lives
# in a region and the CLI fails with an empty --region argument.
app-prod-dns: guard-STAGE guard-AWS_REGION
	aws cloudformation deploy \
		--no-fail-on-empty-changeset \
		--template-file app-prod/dns.yml \
		--stack-name dns-$(STAGE) \
		--parameter-overrides Stage=$(STAGE) \
		--region $(AWS_REGION)

# guard-FOO aborts make with a clear message when the variable FOO is unset
# or empty, instead of letting an empty value reach the aws CLI.
.PHONY: guard-%
guard-%:
	$(if $(value $*),,$(error "Variable $* not set!"))

Create a new CloudFormation template app-prod/dns.yml and define the hosted zone in it:

---
AWSTemplateFormatVersion: 2010-09-09
Description: DNS Zone for AWS services

Parameters:
  Stage:
    Type: String
    AllowedValues: [dev, prod]   # must match the keys of the mapping below

Mappings:
  # One hosted zone per stage; the stage name selects the zone apex.
  CertificateDomains:
    dev:
      Domain: app.dev.aws.myorg.com
    prod:
      Domain: app.prod.aws.myorg.com

Resources:
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !FindInMap [CertificateDomains, !Ref Stage, Domain]

Outputs:
  HostedZoneId:
    Description: Hosted zone id.
    Value: !Ref HostedZone   # Ref on a hosted zone returns its ID
    Export:
      Name: !Sub '${AWS::StackName}-HostedZoneId'
  HostedZoneName:
    Description: Hosted zone name.
    Value: !FindInMap [CertificateDomains, !Ref Stage, Domain]
    Export:
      Name: !Sub '${AWS::StackName}-HostedZoneName'

Create the CloudFormation stack in the app-prod AWS account with the following command. AWS_REGION has to be set as well (exported or passed on the make command line like STAGE); it only determines where the stack is stored, the hosted zone itself is global:

AWS_PROFILE=myorg-app-prod make app-prod-dns STAGE=prod

Setting up zone delegation in the parent zone

To delegate the zone, the nameservers Route53 assigned to the new hosted zone have to be published as NS records in the parent zone (in this example aws.myorg.com, which may be hosted by a different provider or account).

First get the id of your hosted zone from Route53. Filter on the exact name: list-hosted-zones-by-name returns every zone from the given name onwards in lexicographic order, so without the filter the query can return more than one id. The id has the form /hostedzone/Z... and is also available as the HostedZoneId output of the dns-prod stack:

HOSTED_ZONE_ID=$(AWS_PROFILE=myorg-app-prod aws route53 list-hosted-zones-by-name \
    --dns-name app.prod.aws.myorg.com --max-items 1 \
    --query "HostedZones[?Name=='app.prod.aws.myorg.com.'].Id" --output text)

Then get the nameservers Route53 assigned to your new zone (its delegation set):

AWS_PROFILE=myorg-app-prod aws route53 get-hosted-zone --id "${HOSTED_ZONE_ID}" \
    --query 'DelegationSet.NameServers' --output text

Publish all four nameservers exactly as returned as NS records in the parent zone. The record name is the delegated child name (app.prod.aws.myorg.com), not the parent apex; the nameserver values below are only an illustration of what Route53 returns, eg.:

TYPE  NAME                     VALUE                    TTL
NS    app.prod.aws.myorg.com   ns-1065.awsdns-05.org    300
NS    app.prod.aws.myorg.com   ns-437.awsdns-54.com     300
NS    app.prod.aws.myorg.com   ns-712.awsdns-25.net     300
NS    app.prod.aws.myorg.com   ns-1659.awsdns-15.co.uk  300

Start with a short TTL such as 300 so a mistake can be corrected quickly, and raise it to 86400 (1 day) once you are sure the setup is correct and will not change in the next days. When the hosted zone is decommissioned later, remove these NS records from the parent zone before deleting the zone: NS records left pointing at nameservers that no longer serve the zone are a dangling delegation that an attacker can try to claim.

Validate your setup with dig, eg.

dig SOA app.prod.aws.myorg.com

You should receive the SOA record of Route53, with one of the nameservers from the delegation set as MNAME, eg.

;; ANSWER SECTION:
app.prod.aws.myorg.com. 899 IN SOA ns-1065.awsdns-05.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

The TTL counting down from 900 shows the answer came through your resolver's cache. A SERVFAIL or NXDOMAIN instead means the delegation is not in place yet, or the parent zone's old answer has not expired from the resolver's cache.
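The delegation step and the dig check above can be turned into one repeatable check: compare the delegation set Route53 assigned to the hosted zone with the NS records the parent zone's authoritative servers publish for the child name, and with the NS set resolvers actually see. The script below is an added example, not part of the original page; it uses the page's zone name and the myorg-app-prod profile, and assumes that aws.myorg.com is the parent zone. The live functions need network access and AWS credentials; the offline demo uses a constructed dig answer.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the NS delegation
# for app.prod.aws.myorg.com matches the delegation set Route53 assigned to
# the hosted zone. The parent zone name (aws.myorg.com) is an assumption.

# normalize_ns: nameservers on stdin, one per line -> lowercase, no trailing
# dot, no blank lines, sorted and de-duplicated, so two sets can be compared.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# extract_ns: "dig +noall +answer +authority" output on stdin -> the target
# of every NS record (5th column: name TTL class type target), other types
# such as A or SOA are ignored.
extract_ns() {
    awk '$4 == "NS" { print $5 }'
}

# compare_ns EXPECTED ACTUAL: newline-separated nameserver lists. Returns 0
# when the normalized sets are identical, 1 otherwise (diff goes to stderr).
compare_ns() {
    expected=$(printf '%s\n' "$1" | normalize_ns)
    actual=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    printf 'delegation mismatch\n--- expected (Route53)\n%s\n--- actual\n%s\n' \
        "$expected" "$actual" >&2
    return 1
}

# route53_delegation_set ZONE PROFILE: nameservers Route53 assigned to the
# hosted zone, one per line (the text output is tab-separated on one line).
route53_delegation_set() {
    zone_id=$(AWS_PROFILE="$2" aws route53 list-hosted-zones-by-name \
        --dns-name "$1" --max-items 1 \
        --query "HostedZones[?Name=='$1.'].Id" --output text)
    AWS_PROFILE="$2" aws route53 get-hosted-zone --id "$zone_id" \
        --query 'DelegationSet.NameServers' --output text | tr '\t' '\n'
}

# parent_delegation ZONE PARENT: ask every authoritative server of PARENT,
# without recursion, which NS records it publishes for ZONE. A delegation is
# returned in the AUTHORITY section, hence +authority; a server that is also
# authoritative for ZONE answers in the ANSWER section instead.
parent_delegation() {
    for ns in $(dig +short NS "$2"); do
        dig +norecurse +noall +answer +authority @"$ns" NS "$1" | extract_ns
    done | sort -u
}

# check_delegation ZONE PARENT PROFILE: 0 only if the parent's delegation and
# the NS set seen by the local resolver both equal Route53's delegation set.
check_delegation() {
    expected=$(route53_delegation_set "$1" "$3")
    compare_ns "$expected" "$(parent_delegation "$1" "$2")" || return 1
    compare_ns "$expected" "$(dig +short NS "$1")"
}

# demo_offline: constructed dig output (not a real capture) with mixed case
# and trailing dots, checked against a hand-written delegation set.
demo_offline() {
    sample='app.prod.aws.myorg.com. 300 IN NS ns-1065.awsdns-05.org.
app.prod.aws.myorg.com. 300 IN NS NS-437.awsdns-54.com.
app.prod.aws.myorg.com. 300 IN A 192.0.2.1'
    compare_ns 'ns-1065.awsdns-05.org
ns-437.awsdns-54.com' "$(printf '%s\n' "$sample" | extract_ns)"
}

# Live usage (needs network and credentials for the myorg-app-prod profile):
# check_delegation app.prod.aws.myorg.com aws.myorg.com myorg-app-prod
```

Querying the parent's servers with +norecurse is what distinguishes this from a plain dig NS: a recursive resolver follows the delegation and reports the child zone's own NS set, so a wrong or partial NS set in the parent can stay hidden as long as the child's servers still answer.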