White Labeled DNS Name Servers on Amazon Route 53 with Delegation Sets

by

The functionality has been programmed by Amazon in Nov 2014, however it has not been implemented in the web based console, hopefully they will do this soon. There is also no documentation or any articles that I could find on this topic. But I was able to do this by using AWS Client, using the command:

aws route53 create-reusable-delegation-set --caller-reference dns1
See http://docs.aws.amazon.com/Route53/latest/APIReference/api-create-reusable-delegation-set.html

This will give 4 reusable nameservers/delegated-set that can be reused in future created hosted zones. You will have to setup the hosted zones from command-line as well.

When trying to create a hosted zone using a reusable delegation set, you could specify an optional DelegationSetId, and Route53 would assign those 4 NS records for the zone, instead of allocating a new one.


Now Amazon claims that this can be done to white label these nameservers without any further reference.

“This feature also makes it possible for you to create “white label”
name server addresses such as ns1.example.com, ns2.example.com, etc.,
which you can point to your Route 53 name servers. You can then use
your “white label” name server addresses as the authoritative name
servers for as many of your domain names as desired.” –SeanM@AWS

https://forums.aws.amazon.com/ann.jspa?annID=2733


The problem is that Amazon also says that they can not guarantee the IP’s of the nameservers not changing.

https://forums.aws.amazon.com/thread.jspa?messageID=474708

“We do promise that the DNS names of your Route 53 nameservers will
not change, but we can’t make the same guarantee about their IP
addresses. If they were to change in the future, your DNS could
silently break if you used them in this unsupported way.” — DavidR@AWS Jan 25, 2011

Update: Before you freak out this might help you feel better:

Some registrars only allow you to specify name servers using IP
addresses; they don’t allow you to specify fully qualified domain
names. If your registrar requires using IP addresses, you can get the
IP addresses for your name servers using the dig utility (for Mac,
Unix, or Linux) or the nslookup utility (for Windows). We rarely
change the IP addresses of name servers; if we need to change IP
addresses, we’ll notify you in advance.

http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html

Keep in mind it is a bad idea to create CNAME records with your own domain for each of the nameservers, even though this in theory would solve the change of IP issue it is a bad idea:

NS records pointing to a CNAME is bad and may conflict badly with
current BIND servers. In fact, current BIND implementations will
ignore such records, possibly leading to a lame delegation. There is a
certain amount of security checking done in BIND to prevent spoofing
DNS NS records. Also, older BIND servers reportedly will get caught in
an infinite query loop trying to figure out the address for the
aliased nameserver, causing a continuous stream of DNS requests to be
sent. –RFC1912

http://www.faqs.org/rfcs/rfc1912.html


So to some it up, create your delegation set:
aws route53 create-reusable-delegation-set --caller-reference MyDelegationSet
This will return something such as:
{
"Location": "https://route53.amazonaws.com/2015-01-01/delegationset//delegationset/XXXXXXXXXXXX",
"DelegationSet": {
"NameServers": [
"ns-xxx.awsdns-xx.com",
"ns-xxx.awsdns-xx.co.uk",
"ns-xxx.awsdns-xx.org",
"ns-xxx.awsdns-xx.net"
],
"CallerReference": "MyDelegationSet",
"Id": "/delegationset/XXXXXXXXXX"
}
}

Save this output, then ping each one of your name servers and create the glue records in the parent zone, using A records, I recommend shorter TTLs in case Amazon informs of IP changes to dns zones. I called mine route531.mydomain.com, route532… ect.
aws route53 create-hosted-zone --delegation-set-id /delegationset/XXXXXXXX --name mydomain.tld
Now update your domain nameservers at the registrar, then update your Route53 to include those nameservers as Authoritative nameservers as well.