Making Route 53 the DNS service for a domain that's in use - Amazon Route 53

Making Route 53 the DNS service for a domain that's in use

If you want to migrate DNS service to Amazon Route 53 for a domain that is currently getting traffic—for example, if your users are using the domain name to browse to a website or access a web application—perform the procedures in this section.

Step 1: Get your current DNS configuration from the current DNS service provider (optional but recommended)

When you migrate DNS service from another provider to Route 53, you reproduce your current DNS configuration in Route 53. In Route 53, you create a hosted zone that has the same name as your domain, and you create records in the hosted zone. Each record indicates how you want to route traffic for a specified domain name or subdomain name. For example, when someone enters your domain name in a web browser, do you want traffic to be routed to a web server in your data center, to an Amazon EC2 instance, to a CloudFront distribution, or to some other location?

The process that you use depends on the complexity of your current DNS configuration:

  • If your current DNS configuration is simple – If you're routing internet traffic for just a few subdomains to a small number of resources, such as web servers or Amazon S3 buckets, then you can manually create a few records in the Route 53 console.

  • If your current DNS configuration is more complex, and you just want to reproduce your current configuration – You can simplify the migration if you can get a zone file from the current DNS service provider, and import the zone file into Route 53. (Not all DNS service providers offer zone files.) When you import a zone file, Route 53 automatically reproduces the existing configuration by creating the corresponding records in your hosted zone.

    Ask your current DNS service provider's customer support how to export a zone file or a list of records. For information about the required format of the zone file, see Creating records by importing a zone file.

  • If your current DNS configuration is more complex, and you're interested in Route 53 routing features – Review the following documentation to see whether you want to use Route 53 features that aren't available from other DNS service providers. If so, you can either create records manually, or you can import a zone file and then create or update records later:

    • Choosing between alias and non-alias records explains the advantages of Route 53 alias records, which route traffic to some AWS resources, such as CloudFront distributions and Amazon S3 buckets, for no charge.

    • Choosing a routing policy explains the Route 53 routing options, for example, routing based on the location of your users, routing based on the latency between your users and your resources, routing based on whether your resources are healthy, and routing to resources based on weights that you specify.

    Note

    You can also import a zone file and later change your configuration to take advantage of alias records and complex routing policies.

If you can't get a zone file or if you want to manually create records in Route 53, the records that you're likely to migrate include the following:

  • A (Address) records – associate a domain name or subdomain name with the IPv4 address (for example, 192.0.2.3) of the corresponding resource

  • AAAA (Address) records – associate a domain name or subdomain name with the IPv6 address (for example, 2001:0db8:85a3:0000:0000:abcd:0001:2345) of the corresponding resource

  • Mail server (MX) records – route traffic to mail servers

  • CNAME records – reroute traffic for one domain name (example.net) to another domain name (example.com)

  • Records for other supported DNS record types – For a list of supported record types, see Supported DNS record types.

Step 2: Create a hosted zone

To tell Amazon Route 53 how you want to route traffic for your domain, you create a hosted zone that has the same name as your domain, and then you create records in the hosted zone.

Important

You can create a hosted zone only for a domain that you have permission to administer. Typically, this means that you own the domain, but you might also be developing an application for the domain registrant.

When you create a hosted zone, Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone. The NS record identifies the four name servers that Route 53 associated with your hosted zone. To make Route 53 the DNS service for your domain, you update the registration for the domain to use these four name servers.

Important

Don't create additional name server (NS) or start of authority (SOA) records for the zone apex, and don't delete the existing NS and SOA records. (NS records that delegate a subdomain to other name servers are a different case and can be created as needed.)

To create a hosted zone
  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. If you're new to Route 53, choose Get started under DNS management, and then choose Create hosted zones.

    If you're already using Route 53, choose Hosted zones in the navigation pane, and then choose Create hosted zones.

  3. In the Create hosted zone pane, enter a domain name and, optionally, a comment. For more information about a setting, open the help panel on the right side.

    For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS domain name format.

  4. For Type, accept the default value of Public hosted zone.

  5. Choose Create hosted zone.

Step 3: Create records

After you create a hosted zone, you create records in the hosted zone that define where you want to route traffic for a domain (example.com) or subdomain (www.example.com). For example, if you want to route traffic for example.com and www.example.com to a web server on an Amazon EC2 instance, you create two records, one named example.com and the other named www.example.com. In each record, you specify the IP address for your EC2 instance.

You can create records in a variety of ways:

Import a zone file

This is the easiest method if you got a zone file from your current DNS service in Step 1: Get your current DNS configuration from the current DNS service provider (optional but recommended). Amazon Route 53 can't predict when to create alias records or to use special routing types such as weighted or failover. As a result, if you import a zone file, Route 53 creates standard DNS records using the simple routing policy.

For more information, see Creating records by importing a zone file.

Create records individually in the console

If you didn't get a zone file and you just want to create a few records with a routing policy of Simple to get started, you can create the records in the Route 53 console. You can create both alias and non-alias records.

For more information, see the following topics:

Create records programmatically

You can create records by using one of the AWS SDKs, the AWS CLI, or AWS Tools for Windows PowerShell. For more information, see AWS Documentation.

If you're using a programming language that AWS doesn't provide an SDK for, you can also use the Route 53 API. For more information, see the Amazon Route 53 API Reference.
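The import that Steps 1 and 3 describe can also be done from the command line. The following script is added here as an example; it is not code from AWS or the Route 53 console. It turns a BIND-format zone file into the ChangeBatch JSON that `aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://batch.json` accepts, follows the rule from Step 2 of leaving the apex NS and SOA records to Route 53, and makes visible what a zone file cannot carry across: alias records and non-simple routing policies come out as plain, simple-routing records that you adjust afterwards. The zone text is constructed for the example; the hosted zone ID and the aws command are the parts you supply.

```python
"""Turn a BIND-format zone file into a Route 53 ChangeBatch (added example,
not AWS code). Emits the JSON that `aws route53 change-resource-record-sets
--change-batch file://batch.json` accepts. A zone file cannot express alias
records or weighted/failover routing, so every record comes out as a plain,
simple-routing record."""
import json
import re

CLASSES = {"IN", "CH", "HS"}
SKIP_AT_APEX = {"SOA", "NS"}                      # Route 53 creates these itself
NAME_RDATA = {"CNAME", "NS", "PTR", "MX", "SRV"}  # last rdata token is a name
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')      # keeps quoted TXT strings whole

# Constructed sample in the shape a provider's zone export usually has.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN  SOA   ns1.provider.net. hostmaster.example.com. (
                     2024010101 7200 900 1209600 300 )  ; serial refresh retry expire minimum
@          IN  NS    ns1.provider.net.
@          IN  A     192.0.2.10
           IN  A     192.0.2.11
www    300 IN  CNAME @
mail       IN  A     192.0.2.25
@          IN  MX    10 mail
@          IN  TXT   "v=spf1 mx -all"
_sip._tcp  IN  SRV   10 5 5060 sip
"""

def ttl_seconds(token):
    """'300' -> 300, '1h' -> 3600; None when the token is not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    return int(m.group(1)) * UNITS.get(m.group(2), 1) if m else None

def fqdn(name, origin):
    """Qualify '@' and relative names against the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted string."""
    quoted, out = False, []
    for ch in line:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)

def logical_lines(text):
    """Yield (indented, tokens), joining parenthesised multi-line records."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if depth == 0:
            if not line.strip():
                continue
            indented = line[0].isspace()      # blank owner: reuse the previous one
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield indented, TOKEN.findall(" ".join(buf))
            buf = []

def parse_zone(text, origin=None, default_ttl=3600):
    """Return (origin, [(owner, ttl, type, rdata), ...]), all names qualified."""
    records, last_owner = [], None
    for indented, tok in logical_lines(text):
        if tok[0] == "$ORIGIN":
            origin = fqdn(tok[1], "")          # adds the trailing dot if missing
        elif tok[0] == "$TTL":
            default_ttl = ttl_seconds(tok[1])
        elif tok[0].startswith("$"):
            raise ValueError(f"unsupported directive {tok[0]}")
        else:
            if origin is None:
                raise ValueError("no $ORIGIN in zone and no origin given")
            owner = last_owner = last_owner if indented else fqdn(tok.pop(0), origin)
            ttl = default_ttl
            while tok[0].upper() in CLASSES or ttl_seconds(tok[0]) is not None:
                t = tok.pop(0)                 # [ttl] [class] in either order
                ttl = ttl if t.upper() in CLASSES else ttl_seconds(t)
            rtype = tok.pop(0).upper()
            if rtype in NAME_RDATA:
                tok[-1] = fqdn(tok[-1], origin)
            records.append((owner, ttl, rtype, " ".join(tok)))
    return origin, records

def change_batch(origin, records, comment="imported from zone file"):
    """Group records into Route 53 record sets (one TTL per name/type) and drop
    the apex SOA and NS, which must stay as Route 53 created them."""
    rrsets = {}
    for owner, ttl, rtype, rdata in records:
        if owner == origin and rtype in SKIP_AT_APEX:
            continue
        e = rrsets.setdefault((owner, rtype), {"TTL": ttl, "values": []})
        e["TTL"] = min(e["TTL"], ttl)          # an RRset has one TTL; keep the shortest
        e["values"].append(rdata)
    return {"Comment": comment, "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": owner, "Type": rtype, "TTL": e["TTL"],
            "ResourceRecords": [{"Value": v} for v in e["values"]]}}
        for (owner, rtype), e in rrsets.items()]}

if __name__ == "__main__":
    origin, recs = parse_zone(SAMPLE_ZONE)
    print(json.dumps(change_batch(origin, recs), indent=2))
```

Run it against your provider's export, review the JSON (TXT values keep their quotes, which is what Route 53 expects; relative names such as the `mail` in the MX record are qualified with the origin), then submit it with the aws command above. UPSERT replaces a whole record set, so run the script once per zone rather than per record, and split the output if a very large zone exceeds the per-request limits of ChangeResourceRecordSets.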

Step 4: Lower TTL settings

The TTL (time to live) setting for a record specifies how long you want DNS resolvers to cache the record and use the cached information. When the TTL expires, a resolver sends another query to the DNS service provider for a domain to get the latest information.

The typical TTL setting for the NS record is 172800 seconds, or two days. The NS record lists the name servers that the Domain Name System (DNS) can use to get information about how to route traffic for your domain. Lowering the TTL for the NS record, both with your current DNS service provider and with Amazon Route 53, reduces downtime for your domain if you discover a problem while you're migrating DNS to Route 53. If you don't lower the TTL, your domain could be unavailable on the internet for up to two days if something goes wrong.

Note

    Some resolvers cache the NS record set that they received from the parent zone (the delegation) with the parent's TTL, rather than the NS record in your own zone. If you control the parent zone, for example when you're migrating a subdomain, lower the TTL of the delegation NS record there as well. For a domain directly under a top-level domain, the registry sets the TTL of the delegation and you can't change it (for .com it is 172800 seconds), so plan for that TTL as the worst case.

We recommend that you change the TTL on the following NS records:

  • On the NS record in the hosted zone for the current DNS service provider. (Your current provider might use different terminology.)

  • On the NS record in the hosted zone that you created in Step 2: Create a hosted zone.

To lower the TTL setting on the NS record with the current DNS service provider
  • Use the method provided by the current DNS service provider for the domain to change the TTL for the NS record in the hosted zone for your domain.

To lower the TTL setting on the NS record in a Route 53 hosted zone
  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. Choose Hosted Zones in the navigation pane.

  3. Choose the name of the hosted zone.

  4. Choose the NS record, and choose Edit.

  5. Change the value of TTL (Seconds). We recommend that you specify a value between 60 seconds and 900 seconds (15 minutes).

  6. Choose Save changes.

Step 5: (If you have DNSSEC configured) Remove the DS record from the parent zone

If you've configured DNSSEC for your domain, remove the Delegation Signer (DS) record from the parent zone before you change the name servers, and then wait for the TTL of the DS record to expire before you continue with the migration.

If the domain is registered with Route 53 or with another registrar, use the registrar's tools, or contact the registrar, to remove the DS record from the parent zone.

DNSSEC signing can't be kept up across two providers, so you must deactivate it for the cutover. Remove the DS record first, and only remove the DNSKEY records (or disable signing at the old provider) after the DS TTL has expired: a validating resolver that still holds the DS in its cache expects signed responses, and an unsigned response from the Route 53 name servers fails validation (SERVFAIL) until that cache entry expires. Once no DS is published, resolvers treat the domain as an unsigned (insecure) delegation and stop validating it. In Step 11, you can re-enable DNSSEC signing, if you want it, after the transition to Route 53 is complete.

For more information, see Deleting public keys for a domain.

Step 6: Wait for the old TTL to expire

If your domain is in use—for example, if your users are using the domain name to browse to a website or access a web application—then DNS resolvers have cached the names of the name servers that were provided by your current DNS service provider. A resolver that cached that information just before you lowered the TTL keeps it for the full old TTL, almost two more days if the TTL was 172800 seconds.

To ensure that migrating DNS service to Route 53 happens all at one time, wait for the old TTL to expire (two days for a TTL of 172800 seconds), counting from when you lowered it. After the old TTL expires and resolvers request the name servers for your domain again, they get the current name servers together with the new, shorter TTL that you specified in Step 4: Lower TTL settings.

Step 7: Update the NS records to use Route 53 name servers

To begin using Amazon Route 53 as the DNS service for a domain, use the method provided by the registrar, or the parent zone, to replace the current name servers in the NS record with Route 53 name servers.

Note

When you update the NS record at the registrar (often the same company as your current DNS service provider), you're changing the delegation for the domain: which name servers the rest of the DNS is told to ask. Editing the NS record inside your old provider's zone, or inside the Route 53 hosted zone, does not by itself move the delegation; the change has to be made where the parent zone gets it from, which is the registrar or the operator of the parent zone.

To update the NS record at the registrar, or the parent zone, to use Route 53 name servers
  1. In the Route 53 console, get the name servers for your hosted zone:

    1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

    2. In the navigation pane, choose Hosted zones.

    3. On the Hosted zones page, choose the name for the applicable hosted zone.

    4. Make note of the four names listed for Name servers in the Hosted zone details section.

  2. Use the method that is provided by the current DNS service for the domain to update the NS record for the hosted zone. If the domain is registered with Route 53, see Adding or changing name servers and glue records for a domain. The process depends on whether the current DNS service lets you delete name servers:

    If you can delete name servers

    • Make note of the names of the current name servers in the NS record for the hosted zone. If you need to revert to the current DNS configuration, these are the servers that you'll specify.

    • Delete the current name servers from the NS record.

    • Update the NS record with the names of all four of the Route 53 name servers that you got in step 1 of this procedure.

      Note

      When you're finished, the only name servers in the NS record will be the four Route 53 name servers.

    If you cannot delete name servers

    • Choose the option to use custom name servers.

    • Add all four Route 53 name servers that you got in step 1 of this procedure.

Step 8: Monitor traffic for the domain

Monitor traffic for the domain, including website or application traffic and email, and compare it with what you saw before the cutover. Query each of the four Route 53 name servers directly and confirm that they answer for the records you migrated, and check that the registrar's delegation now lists exactly those four servers. If you find a problem, change the NS record at the registrar back to the name servers that you noted in Step 7, while the lowered TTLs still limit how long the wrong answers are cached.
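The checks behind Steps 5, 7 and 8, as an added example that is not part of the AWS documentation: it parses dig output to confirm that the parent zone now delegates to exactly the four Route 53 name servers, reports the parent's NS TTL and whether a DS record is still published, and queries the old and the new name servers directly for the same names so that any record that didn't make it across shows up before resolvers start using it. The zone name, the old provider's name servers, the Route 53 name servers and the dig answers are placeholders or constructed for the example; the live calls need dig and network access, and the parent server named in the comment is a .com server.

```python
"""Checks for the cutover: is the parent delegation pointing at the four
Route 53 name servers, is the DS record gone, and do the old and the new
name servers give the same answers? Added example for this page, not AWS
code. Real lookups shell out to dig (network needed); the parsing and
comparison helpers are pure and are exercised on constructed answers below.
All names, addresses and name servers here are placeholders."""
import subprocess

ZONE = "example.com."
OLD_NS = ["ns1.provider.net.", "ns2.provider.net."]                 # placeholder old provider
ROUTE53_NS = ["ns-2048.awsdns-64.com.", "ns-2049.awsdns-65.net.",   # placeholders: use the
              "ns-2050.awsdns-66.org.", "ns-2051.awsdns-67.co.uk."]  # hosted zone's own four
CHECKS = [(ZONE, "A"), ("www." + ZONE, "CNAME"), (ZONE, "MX"), (ZONE, "TXT")]

def normalize(values):
    """Lower-case, strip and sort rdata so answers that differ only in case
    or order compare equal."""
    return sorted({v.strip().lower() for v in values if v.strip()})

def parse_dig(text):
    """Parse dig presentation lines (+noall +answer +authority) into
    (owner, ttl, type, rdata) tuples; comment lines are skipped."""
    rrs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and not line.startswith(";") and parts[2].upper() == "IN":
            owner, ttl, _cls, rtype, data = parts
            rrs.append((owner.lower(), int(ttl), rtype.upper(), data.strip()))
    return rrs

def dig(name, rtype, server, *extra):
    """Ask one server directly (no recursion) and return the parsed records."""
    cmd = ["dig", "+noall", "+answer", "+authority", "+norecurse", "+time=3",
           "+tries=1", *extra, name, rtype, f"@{server}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_dig(out)

def answer(rrs, owner, rtype):
    """The normalized rdata for one owner/type out of a parsed response."""
    return normalize(r[3] for r in rrs if r[0] == owner.lower() and r[2] == rtype)

def delegation_status(parent_rrs, zone, expected_ns):
    """From a referral fetched at a parent (TLD) server with +dnssec, report:
    whether the delegation NS set equals expected_ns, the parent's NS TTL
    (the value you cannot lower for a TLD parent), and whether a DS record
    is still published (Step 5 requires it to be gone before cutover)."""
    ns = [r for r in parent_rrs if r[0] == zone and r[2] == "NS"]
    ds_present = any(r[0] == zone and r[2] == "DS" for r in parent_rrs)
    matches = normalize(r[3] for r in ns) == normalize(expected_ns)
    return matches, (ns[0][1] if ns else None), ds_present

def compare_servers(checks, servers, fetch=dig):
    """Query every server for every (name, type); return the checks on which
    the servers disagree, mapped to {server: answer}. Empty means consistent."""
    problems = {}
    for name, rtype in checks:
        answers = {s: answer(fetch(name, rtype, s), name, rtype) for s in servers}
        if len({tuple(a) for a in answers.values()}) > 1:
            problems[(name, rtype)] = answers
    return problems

# Constructed dig output as a .com server returns it once Step 7 is done;
# with +dnssec a stale DS would appear as an extra "... IN DS ..." line.
PARENT_REFERRAL = "\n".join(f"{ZONE}\t172800\tIN\tNS\t{ns}" for ns in ROUTE53_NS)

def fake_fetch(name, rtype, server):
    """Stand-in for dig(): all servers agree except one Route 53 server that
    is missing the www CNAME, which compare_servers must flag."""
    table = {(ZONE, "A"): "192.0.2.10", ("www." + ZONE, "CNAME"): ZONE,
             (ZONE, "MX"): "10 mail." + ZONE, (ZONE, "TXT"): '"v=spf1 mx -all"'}
    if (name, rtype) == ("www." + ZONE, "CNAME") and server == ROUTE53_NS[3]:
        return []
    return [(name, 300, rtype, table[(name, rtype)])]

if __name__ == "__main__":
    ok, ttl, ds = delegation_status(parse_dig(PARENT_REFERRAL), ZONE, ROUTE53_NS)
    print(f"offline sample: delegation ok={ok} parent ttl={ttl} ds present={ds}")
    print("offline sample mismatches:", compare_servers(CHECKS, OLD_NS + ROUTE53_NS, fake_fetch))
    # Live run (uncomment): pick a parent server with `dig +short NS com`.
    # parent = "a.gtld-servers.net."
    # print(delegation_status(dig(ZONE, "NS", parent, "+dnssec"), ZONE, ROUTE53_NS))
    # print(compare_servers(CHECKS, OLD_NS + ROUTE53_NS))
```

Run the comparison before Step 7 (the new servers must agree with the old ones before anyone is sent to them) and the delegation check after it. A non-empty result from compare_servers names the server and the record to fix; a delegation_status of (False, ...) means the registrar change hasn't taken effect or lists the wrong servers, and a True in the last position means the DS record from Step 5 is still there and validating resolvers will fail the domain.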

Step 9: Change the TTL for the NS record back to a higher value

In the Amazon Route 53 hosted zone for the domain, change the TTL for the NS record to a more typical value, for example, 172800 seconds (two days). This reduces latency for your users because DNS resolvers don't have to query for the names of your name servers as often.

To change the TTL for the NS record in the Route 53 hosted zone
  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. Choose Hosted Zones in the navigation pane.

  3. Choose the name of the hosted zone.

  4. In the list of records for the hosted zone, choose the NS record.

  5. Choose Edit.

  6. Change TTL (Seconds) to the number of seconds that you want DNS resolvers to cache the names of the name servers for your domain. We recommend a value of 172800 seconds.

  7. Choose Save changes.

Step 10: Transfer domain registration to Amazon Route 53

Now that you've transferred DNS service for a domain to Amazon Route 53, you can optionally transfer registration for the domain to Route 53. For more information, see Transferring registration for a domain to Amazon Route 53.

Step 11: Re-enable DNSSEC signing (if required)

Now that you've transferred DNS service for a domain to Amazon Route 53, you can re-enable DNSSEC signing.

Enabling DNSSEC signing has two steps:

  • Step 1: Enable DNSSEC signing for Route 53, and request that Route 53 create a key signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).

  • Step 2: Create a chain of trust for the hosted zone by adding a Delegation Signer (DS) record to the parent zone, so DNS responses can be authenticated with trusted cryptographic signatures.

    For instructions, see Enabling DNSSEC signing and establishing a chain of trust.