Tags: terraform, amazon-route53

Terraform says I have to create NS records but they appear to be created by default?


The docs for the aws_route53_zone resource state:

Public Subdomain Zone

For use in subdomains, note that you need to create an aws_route53_record of type NS as well as the subdomain zone.

resource "aws_route53_zone" "main" {
  name = "example.com"
}

resource "aws_route53_zone" "dev" {
  name = "dev.example.com"

  tags = {
    Environment = "dev"
  }
}

resource "aws_route53_record" "dev-ns" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "dev.example.com"
  type    = "NS"
  ttl     = "30"
  records = aws_route53_zone.dev.name_servers
}

However, when I create a public subdomain it already contains an NS record. Are the docs out of date, or are there other steps I need to follow, such as deleting the NS record?


Solution

  • The situation you're exploring here is more of a general DNS quirk than a Route53-specific or Terraform-specific problem.

    When resolving a domain name the DNS client will recursively resolve parts of the name in turn, starting with the root nameservers to know which DNS servers are responsible for com, and then from there to which servers are responsible for example.com, and then finally from there to dev.example.com.

    In order to answer that question the parent domain must contain NS records telling the client which nameservers to re-ask the question to.

    Route53 by default creates the NS records by which a zone describes its own authoritative nameservers. However, a DNS client can't find those records unless the parent zone also contains the same records.

    With all of that said, what your example Terraform configuration is doing here is declaring that we need to copy the NS record values from aws_route53_zone.dev into the parent zone aws_route53_zone.main, with the same hostnames in both places.

    When a client looks up this hostname, it will first ask one of the nameservers given in aws_route53_zone.main.name_servers (assuming that you've registered them correctly in your domain registrar's settings), and those servers will respond with the records declared by aws_route53_record.dev-ns, so the client will be able to re-ask the question to the authoritative nameservers and get a final answer.

    In order for this to be useful you'll need to include at least one non-NS record in the dev.example.com zone too, so that the final question sent to the aws_route53_zone.dev.name_servers will return A, AAAA, MX, CNAME, etc.
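An added check to go with the answer above (it is not part of the question, the answer, or the Terraform provider): given the NS records the parent zone serves for the subdomain and the subdomain zone's own name servers (what `aws_route53_zone.dev.name_servers` exposes), it reports any name server missing from, or stale in, the parent's delegation. Name-server hostnames and `dig`-style output are constructed sample data; normalization handles the trailing dot and letter case that differ between Route 53's attribute output and zone-file or `dig` output.

```python
"""Verify that a parent zone's NS delegation for a subdomain matches the
subdomain zone's own authoritative name servers, i.e. the "copy the NS
record values into the parent zone" step described above.
All sample data below is constructed for illustration."""


def normalize_ns(name: str) -> str:
    """DNS names are case-insensitive, and Route 53's name_servers
    attribute omits the trailing dot that dig / zone files include."""
    return name.strip().lower().rstrip(".")


def parse_dig_short(output: str) -> set[str]:
    """Parse `dig +short NS <name>` style output: one name server per line."""
    return {normalize_ns(line) for line in output.splitlines() if line.strip()}


def delegation_diff(parent_ns, child_ns):
    """Return (missing_in_parent, stale_in_parent), both sorted lists.
    missing: child name servers the parent does not delegate to.
    stale:   parent delegation entries the child zone no longer uses."""
    parent = {normalize_ns(n) for n in parent_ns}
    child = {normalize_ns(n) for n in child_ns}
    return sorted(child - parent), sorted(parent - child)


def delegation_ok(parent_ns, child_ns) -> bool:
    """True only when parent delegation and child NS set agree exactly."""
    missing, stale = delegation_diff(parent_ns, child_ns)
    return not missing and not stale


# Constructed stand-in for aws_route53_zone.dev.name_servers (no trailing dots).
CHILD_NAME_SERVERS = [
    "ns-123.awsdns-15.com",
    "ns-456.awsdns-56.net",
    "ns-789.awsdns-30.org",
    "ns-1011.awsdns-59.co.uk",
]

# Constructed `dig +short NS dev.example.com @<parent name server>` output:
# delegation correctly copied (note mixed case and trailing dots).
PARENT_DELEGATION_GOOD = """ns-123.awsdns-15.com.
NS-456.AWSDNS-56.NET.
ns-789.awsdns-30.org.
ns-1011.awsdns-59.co.uk.
"""

# Constructed: parent still points at an old name server and lacks three.
PARENT_DELEGATION_BAD = """ns-123.awsdns-15.com.
ns-999.awsdns-99.com.
"""

if __name__ == "__main__":
    for label, out in (("good", PARENT_DELEGATION_GOOD), ("bad", PARENT_DELEGATION_BAD)):
        missing, stale = delegation_diff(parse_dig_short(out), CHILD_NAME_SERVERS)
        print(label, "ok" if not missing and not stale else f"missing={missing} stale={stale}")
```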