amazon-route53

How to configure a Route 53 private hosted zone as authoritative (so it includes the Authoritative Answer flag)?


I have a private hosted zone sub.example.com in Route53 with a single A record.

When I do a dig sub.example.com it will include

;; AUTHORITY SECTION:
sub.example.com.    900 IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

But when I do dig myarecord.sub.example.com then there is no AUTHORITY SECTION.

And if I use nslookup myarecord.sub.example.com, the output clearly says Non-authoritative answer:

Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   myarecord.sub.example.com
Address: 10.0.0.1

The use case is that example.com is the corporate domain and we want the corporate on-premises DNS resolvers to use the Route53 private zone sub.example.com to resolve the queries for *.sub.example.com. So they set up delegation in example.com so that sub.example.com is delegated to the IP of the Route53 inbound endpoint. But the answers from this inbound endpoint do NOT have the aa (authoritative answer) flag set, so the corporate resolver rejects the answer (as it is not authoritative).

The Route53 FAQ says

Q. What is Private DNS?

Private DNS is a Route 53 feature that lets you have authoritative DNS within your VPCs without exposing your DNS records (including the name of the resource and its IP address(es)) to the Internet.

So if I interpret that right, it means that it's possible to get authoritative answers, but how?


Solution

  • The article "How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?" from 2019-10-11 explicitly says to make sure delegation is not used:

    Before testing, confirm that you've configured:

    • The DNS server on the remote network to conditionally forward DNS queries for the private hosted zone’s domain name to the IP addresses of the inbound endpoint.

    • The remote DNS server to forward DNS queries for the domain name instead of delegating authority of the domain name to the inbound endpoint. Note: Inbound endpoints support only recursive DNS queries. Iterative DNS queries sent to the inbound endpoint time out.

    So my understanding is that if you want to delegate a subzone like sub.example.com to Route 53, then you need to create a public hosted zone sub.example.com (you can have both a private and a public hosted zone for the same name, but the private one will take precedence in your VPC) and delegate to the public Route53 delegation set assigned to that public hosted zone.

    The drawback of having a public hosted zone for that subdomain is that the records are public and therefore anybody can query for records in that subdomain and find out the internal private IPs that you are using and learn a bit about your internal topology.

    The alternative is to run a BIND9 nameserver on an EC2 instance (private IP, only accessible from your corporate network) configured to be authoritative for that subdomain sub.example.com, and delegate to it. Then your corporate resolver will use that BIND server, which sets the aa flag, and your Route53 resolver will also use it (if not, use resolver rules to specify that queries for sub.example.com should be sent to the private IP of your BIND9).
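Before deciding between forwarding and delegation, it helps to confirm what a given resolver actually returns. The following added example (not code from the original post or from AWS) builds a minimal DNS query with the standard library, sends it to a resolver address you supply (a placeholder here), and decodes the header flags, in particular bit 10, the aa flag discussed above. The two sample headers are constructed by hand to mirror the recursive (no aa) answer in the question and an authoritative answer such as BIND9 would return.

```python
"""Check whether a DNS response carries the AA (Authoritative Answer) flag."""
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) for an A record, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_flags(response: bytes) -> dict:
    """Decode the header flags a delegating resolver cares about."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack(">H", response[2:4])[0]
    return {
        "aa": bool(flags & 0x0400),   # bit 10: Authoritative Answer
        "ra": bool(flags & 0x0080),   # bit 7: Recursion Available
        "rcode": flags & 0x000F,      # 0 = NOERROR
    }

def is_authoritative(response: bytes) -> bool:
    """True only for a NOERROR answer with the aa flag set."""
    f = parse_flags(response)
    return f["aa"] and f["rcode"] == 0

def query(resolver_ip: str, name: str, timeout: float = 2.0) -> bytes:
    """Send one UDP query and return the raw response for parse_flags()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recv(4096)

# Constructed 12-byte headers (question/answer sections omitted; flags are enough):
# 0x8180 = QR RD RA, NOERROR -> the recursive, non-authoritative answer in the post.
RECURSIVE_HEADER = bytes.fromhex("1234 8180 0001 0001 0000 0000")
# 0x8580 = QR AA RD RA, NOERROR -> what an authoritative server (e.g. BIND9) returns.
AUTHORITATIVE_HEADER = bytes.fromhex("1234 8580 0001 0001 0000 0000")

if __name__ == "__main__":
    print("recursive sample:", parse_flags(RECURSIVE_HEADER))
    print("authoritative sample:", parse_flags(AUTHORITATIVE_HEADER))
    # Live check against a resolver; RESOLVER_IP is a placeholder, e.g. your
    # inbound endpoint IP or the BIND9 instance's private IP.
    RESOLVER_IP = "192.0.2.53"
    try:
        print("live aa:", is_authoritative(query(RESOLVER_IP, "myarecord.sub.example.com")))
    except OSError as exc:
        print("live check skipped:", exc)
```

If the live check prints False against the inbound endpoint but True against your BIND9 instance, that matches the behaviour described in the question and the answer above.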