Delegating a Route 53 hosted zone across AWS accounts isn’t about granting access to the zone itself, but rather about enabling a different account to manage the DNS records within that zone.

Let’s imagine you have a primary AWS account (let’s call it Account-A) that owns the domain example.com and its associated Route 53 hosted zone. You want your development team, working in a separate AWS account (Account-B), to be able to create and manage subdomains like dev.example.com without giving them direct write access to Account-A’s Route 53 zone or the root domain. This is where cross-account delegation shines.

Here’s how it looks in practice.

Account-A (Owner of example.com)

  1. Create a Hosted Zone: If you haven’t already, create the public hosted zone for example.com in Account-A.

    • Go to Route 53 -> Hosted zones -> Create hosted zone.
    • Domain name: example.com
    • Type: Public hosted zone
    • This will give you a set of NS (Name Server) records. Note these down.
  2. Create a Delegation Set: This is the key to the delegation.

    • Go to Route 53 -> Hosted zones -> Actions -> Create delegation set.
    • Choose the hosted zone you just created (example.com).
    • This generates a set of four name servers. These are the delegated name servers that Account-B's zone will use.
  3. Create a Record Set for Delegation: Now, within your example.com hosted zone in Account-A, create an NS record whose values are the name servers of the delegation set. This record tells DNS resolvers that a specific subdomain (or the whole zone) is served by other name servers.

    • In the example.com hosted zone, click "Create record".
    • Record name: dev (if you want Account-B to manage dev.example.com) or leave blank if delegating the entire example.com.
    • Record type: NS
    • Value: Enter the four name servers from the delegation set you created in step 2. Each name server goes on its own line in the Value field.
    • TTL: 300 seconds (or adjust as needed).

Account-B (Delegated Account for dev.example.com)

  1. Create a Hosted Zone (Crucial Step): In Account-B, you create a hosted zone for the subdomain you intend to manage.

    • Go to Route 53 -> Hosted zones -> Create hosted zone.
    • Domain name: dev.example.com (if you delegated dev in Account-A)
    • Type: Public hosted zone
    • This will again give you a set of NS records.
  2. Associate with Delegation Set: Now, you tell Route 53 in Account-B that this dev.example.com zone is part of a delegation from another account.

    • When you created the hosted zone in step 1, the console offered a choice between "Create a new delegation set" and "Use an existing delegation set".
    • Instead, go to Route 53 -> Hosted zones -> Actions -> "Create delegation set".
    • Select "Create a delegation set for a subdomain".
    • Enter the NS records that were provided by Account-A for the example.com delegation set in step 2 of Account-A.
    • This links the dev.example.com zone in Account-B to the delegation mechanism established by Account-A.
  3. Manage Records: Now, in Account-B, you can create any DNS records for dev.example.com.

    • Go to the dev.example.com hosted zone in Account-B.
    • Click "Create record".
    • Record name: api (for api.dev.example.com)
    • Record type: A
    • Value: 192.0.2.10
    • TTL: 300 seconds.
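The procedure above ends with two things that must agree: the NS record Account-A publishes for dev, and the name servers that serve Account-B's dev.example.com zone. If they drift (a zone is recreated in Account-B and gets a different set, or one value was mistyped in Account-A), resolvers get lame or inconsistent answers. The following Python is an added example, not code from the page or from AWS: it models the two CLI responses an operator would compare (`aws route53 list-resource-record-sets` in Account-A and `aws route53 get-hosted-zone` in Account-B) with constructed data, reports what is missing or stale, and builds the `ChangeBatch` that `change-resource-record-sets` accepts to correct the parent. The hosted zone ID and every name server value are made up.

```python
"""Check a Route 53 cross-account delegation for consistency.

Added example, not code from the page or from AWS. The inputs mimic the shape
of two CLI responses (hosted zone ID and name server names are constructed):
  - `aws route53 list-resource-record-sets` run in Account-A against example.com
  - `aws route53 get-hosted-zone` run in Account-B against dev.example.com
The check is the defender's one: the NS values Account-A publishes for `dev`
must be exactly the name servers that serve Account-B's dev.example.com zone.
"""

# Constructed: the four name servers of the delegation set Account-B's zone uses.
CHILD_NAME_SERVERS = [
    "ns-1001.awsdns-60.org.",
    "ns-1540.awsdns-00.co.uk.",
    "ns-281.awsdns-35.com.",
    "ns-873.awsdns-45.net.",
]

# Constructed: Account-A's example.com zone as list-resource-record-sets shows it.
PARENT_RRSETS = {
    "ResourceRecordSets": [
        {"Name": "example.com.", "Type": "NS", "TTL": 172800,
         "ResourceRecords": [{"Value": "ns-2048.awsdns-64.com."}]},
        {"Name": "dev.example.com.", "Type": "NS", "TTL": 300,
         "ResourceRecords": [{"Value": v} for v in CHILD_NAME_SERVERS]},
    ]
}

# Constructed: Account-B's dev.example.com zone as get-hosted-zone shows it.
CHILD_ZONE = {
    "HostedZone": {"Id": "/hostedzone/ZCHILDPLACEHOLDER", "Name": "dev.example.com."},
    "DelegationSet": {"NameServers": CHILD_NAME_SERVERS},
}


def fqdn(name):
    """Normalise a DNS name the way Route 53 stores it: lower case, trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def delegation_change_batch(subdomain, name_servers, ttl=300):
    """Build the ChangeBatch Account-A passes to change-resource-record-sets
    to publish (or correct) the NS record that delegates `subdomain`."""
    return {
        "Comment": f"Delegate {fqdn(subdomain)} to the delegated account",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn(subdomain),
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": fqdn(ns)} for ns in name_servers],
            },
        }],
    }


def check_delegation(parent_rrsets, child_zone):
    """Compare the parent's NS record with the child zone's name servers.

    Returns a dict with `status` ("ok", "missing" or "mismatch") plus the name
    servers present on only one side, so an operator sees exactly what to fix.
    """
    child_name = fqdn(child_zone["HostedZone"]["Name"])
    expected = {fqdn(ns) for ns in child_zone["DelegationSet"]["NameServers"]}
    published = set()
    for rrset in parent_rrsets["ResourceRecordSets"]:
        if rrset["Type"] == "NS" and fqdn(rrset["Name"]) == child_name:
            published = {fqdn(r["Value"]) for r in rrset["ResourceRecords"]}
    if not published:
        status = "missing"    # parent never delegated: the child zone is unreachable
    elif published == expected:
        status = "ok"
    else:
        status = "mismatch"   # stale or partial delegation: lame or flapping answers
    return {
        "status": status,
        "subdomain": child_name,
        "not_published": sorted(expected - published),  # child NS absent from parent
        "stale": sorted(published - expected),          # parent NS not serving child
        "fix": None if status == "ok" else delegation_change_batch(child_name, sorted(expected)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_delegation(PARENT_RRSETS, CHILD_ZONE), indent=2))
```

Run it in Account-A's pipeline after any change to the child zone: a `mismatch` result carries the ready-made ChangeBatch, and a `missing` result is the case where someone created the zone in Account-B but never published the NS record in Account-A.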

The Mental Model:

Route 53’s cross-account delegation isn’t a direct IAM permission share. Instead, it works by establishing a chain of trust and authority. Account-A declares, via an NS record within its example.com zone, that the name servers associated with Account-B’s dev.example.com zone are authoritative for dev.example.com. When a DNS resolver queries for api.dev.example.com, it first asks the name servers for example.com. Those name servers answer with the NS record for dev.example.com, which refers the resolver to the delegation set’s name servers, the ones serving the dev.example.com zone in Account-B. Account-B’s zone then provides the IP address for api.dev.example.com.

The key insight is that Account-B doesn’t see or manage Account-A’s example.com zone. It only manages its own zone (dev.example.com), and the delegation mechanism makes Route 53 recognize that zone as the authority for that specific subdomain.

The one thing that often trips people up is thinking they need to grant IAM permissions between the accounts for Route 53. You do not. The delegation is purely DNS-level. The only "permission" is that Account-B is allowed to create a hosted zone with the correct name and associate it with the delegation set.
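To make the "purely DNS-level" point concrete, here is an added example (not code from the page) that walks the chain of authority described in the mental model above. Two tiny in-memory zones stand in for Account-A's example.com and Account-B's dev.example.com hosted zones, with constructed name server names; there is no IAM anywhere, only the NS record in the parent and the records in the child. The resolver function also shows what happens when the parent's NS values name servers that serve nothing, which is the failure mode behind most broken delegations.

```python
"""Walk a DNS delegation the way a resolver does, with no network involved.

Added example, not code from the page. ZONES is constructed data: an apex NS
set per zone plus records keyed by (owner, type). The name server names are
made up; `resolve` chases referrals and records which zone handled each step.
"""

ZONES = {
    "example.com.": {   # Account-A's zone
        "ns": ["ns-a.account-a-dns.example.", "ns-b.account-a-dns.example."],
        "records": {
            ("www.example.com.", "A"): ["192.0.2.1"],
            # The delegation Account-A publishes: who is authoritative below `dev`.
            ("dev.example.com.", "NS"): ["ns-x.account-b-dns.example.",
                                         "ns-y.account-b-dns.example."],
        },
    },
    "dev.example.com.": {   # Account-B's zone
        "ns": ["ns-x.account-b-dns.example.", "ns-y.account-b-dns.example."],
        "records": {
            ("api.dev.example.com.", "A"): ["192.0.2.10"],
        },
    },
}


def _within(name, zone):
    """True when `name` is `zone` itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def _delegation_for(zone_data, zone, name):
    """Find an NS record strictly below the apex that covers `name`.
    That is a zone cut: the parent must refer the resolver, not answer."""
    for (owner, rtype), values in zone_data["records"].items():
        if rtype == "NS" and owner != zone and _within(name, owner):
            return owner, values
    return None


def resolve(name, rtype, zones=ZONES, start_zone="example.com."):
    """Resolve `name`/`rtype` from `start_zone`, following delegations.

    Returns (answer_values_or_None, trace); trace is a list of (zone, action)
    pairs so the chain of authority is visible.
    """
    # Which zone each name server serves; a referral target is looked up here.
    servers = {ns: zone for zone, data in zones.items() for ns in data["ns"]}
    zone = start_zone
    trace = []
    for _ in range(8):   # bound the loop so a looping delegation cannot spin forever
        data = zones.get(zone)
        if data is None:
            trace.append((zone, "no authoritative server reachable"))
            return None, trace
        cut = _delegation_for(data, zone, name)
        if cut:
            child, ns_list = cut
            trace.append((zone, f"referral: {child} NS {', '.join(ns_list)}"))
            # A stale or mistyped NS value maps to no server and ends the chase.
            zone = next((servers[ns] for ns in ns_list if ns in servers),
                        child + " (unreachable)")
            continue
        if (name, rtype) == (zone, "NS"):
            answer = data["ns"]          # apex NS set is answered by the zone itself
        else:
            answer = data["records"].get((name, rtype))
        trace.append((zone, "authoritative answer" if answer else "authoritative NODATA"))
        return answer, trace
    return None, trace


if __name__ == "__main__":
    for query in (("api.dev.example.com.", "A"), ("www.example.com.", "A")):
        answer, trace = resolve(*query)
        print(query, "->", answer)
        for step in trace:
            print("   ", step)
```

The trace for api.dev.example.com shows exactly two hops: example.com refers, dev.example.com answers. Nothing in Account-A's zone is consulted for the answer itself, which is the sense in which Account-B never needs to see or touch the parent zone.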

Once you’ve successfully delegated dev.example.com to Account-B and created records there, the next logical step is to understand how to integrate these delegated zones with VPCs using private hosted zones or VPC peering.