I have transferred several domains from GoDaddy to Route53. Although it is a fairly simple task, it turned out to be quite tricky in the end. A good thing about using Route53 is that it is nicely integrated with the AWS API, so DNS administration tasks like creating or deleting records can be automated. The disadvantage is that you pay fractions of a cent per DNS query, so depending on the number of visitors it will cost a few dollars or more per month.
If your domain has many records, the easiest way is to export and import a zone file, which contains all DNS records in textual form. GoDaddy does not terminate fully qualified names in the exported file with a trailing period, as it should: in a zone file a name without a trailing period is relative to the zone origin, so the importer appends the domain to it. When I imported the zone file into Route53, the records were there, but with the domain name appended to the end.
Because the AWS console shows the data in a table and long values are not shown in full, you will probably not notice that your record is something like:
pgtvm6g2slizlxxeabcdevoccuifvwjj.dkim.amazonses.com.mydomain.com
instead of:
pgtvm6g2slizlxxeabcdevoccuifvwjj.dkim.amazonses.com
Many records like this are used for domain verification (the DKIM record above, for example), so other services may stop working! To be sure of exactly what you imported, check the Route53 settings from the command line.
Get the hosted zone IDs:
aws route53 list-hosted-zones
Get the records of a given hosted zone:
aws route53 list-resource-record-sets --hosted-zone-id "/hostedzone/ZXD4RUXXXXXXX" | grep Name
Note: to use the aws command you need to install the awscli package (on Linux: pip install awscli) and set your API credentials, e.g.:
export AWS_ACCESS_KEY_ID='AKIA................'
export AWS_SECRET_ACCESS_KEY='........................................'
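Grepping for Name only shows owner names; the appended domain can also hide inside CNAME and MX targets. The following is an added example (my own code, not from the post) that scans the JSON printed by aws route53 list-resource-record-sets for owner names and targets that look like a public FQDN with the zone origin wrongly appended. The list of public suffixes is a heuristic assumption and the sample input is constructed from the record shapes described above.

```python
import json

# Heuristic (assumption): a name that still ends in one of these public labels once
# the zone origin is stripped was almost certainly meant to be absolute, i.e. the
# exporter omitted the trailing dot and the importer appended the origin.
PUBLIC_TLDS = ("com", "net", "org", "co.uk", "io", "info")

# Record types whose RDATA ends in a domain name (MX/SRV carry numbers before it).
NAME_VALUE_TYPES = {"CNAME", "NS", "MX", "SRV", "PTR"}


def find_doubled_suffix(record_sets, zone):
    """Return (type, field, bad_name, suggested_fix) for each owner name or
    value that looks like an FQDN with the zone origin wrongly appended."""
    origin = zone.strip(".").lower() + "."
    findings = []
    for rr in record_sets:
        candidates = [("Name", rr["Name"])]
        if rr["Type"] in NAME_VALUE_TYPES:
            for r in rr.get("ResourceRecords", []):
                candidates.append(("Value", r["Value"].split()[-1]))
        for field, name in candidates:
            if not name.lower().endswith("." + origin):
                continue  # zone apex, or a name outside this zone: nothing to strip
            inner = name[: -(len(origin) + 1)]  # drop ".<origin>"
            if any(inner.lower().endswith("." + tld) for tld in PUBLIC_TLDS):
                findings.append((rr["Type"], field, name, inner + "."))
    return findings


# Constructed sample in the shape of `aws route53 list-resource-record-sets`
# output; the DKIM CNAME and the MX target are doubled the way the post describes.
SAMPLE = json.loads("""{"ResourceRecordSets": [
  {"Name": "mydomain.com.", "Type": "A", "TTL": 300,
   "ResourceRecords": [{"Value": "192.0.2.10"}]},
  {"Name": "pgtvm6g2slizlxxeabcdevoccuifvwjj._domainkey.mydomain.com.", "Type": "CNAME",
   "TTL": 1800, "ResourceRecords": [
     {"Value": "pgtvm6g2slizlxxeabcdevoccuifvwjj.dkim.amazonses.com.mydomain.com."}]},
  {"Name": "mydomain.com.", "Type": "MX", "TTL": 3600,
   "ResourceRecords": [{"Value": "10 mail.example.net.mydomain.com."}]},
  {"Name": "www.mydomain.com.", "Type": "CNAME", "TTL": 300,
   "ResourceRecords": [{"Value": "mydomain.com."}]}
]}""")

if __name__ == "__main__":
    for rtype, field, bad, fix in find_doubled_suffix(SAMPLE["ResourceRecordSets"], "mydomain.com"):
        print(f"{rtype} {field}: {bad}\n    should be: {fix}")
```

On a real zone, replace SAMPLE with json.load() of the command's output and fix each flagged record with change-resource-record-sets.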
The second problem is even trickier. The domain transfer is done, but you cannot query your domain via DNS anymore. You probably know about the TTL (Time To Live) values of DNS records and that it takes time for servers and caches to update. So I waited and waited, and nothing changed. Querying with dig showed SERVFAIL:
$ dig mydomain.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> mydomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.org. IN A

;; Query time: 1571 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 29 16:46:19 ADT 2017
;; MSG SIZE rcvd: 30
This went on for a few days and I started to get nervous. I deleted the hosted zone in Route53 and added it again, but it did not help. So I started querying the DNS hierarchy myself.
There are several ways your computer can determine the IP address of a given hostname, such as /etc/hosts or a local cache (mDNS), but to resolve an unknown domain a resolver first asks a DNS root server:
dig @a.root-servers.net mydomain.org
Then the authoritative server for the .org TLD; as you can see from the output of the previous command, it is for example d0.org.afilias-nst.org:
$ dig @d0.org.afilias-nst.org mydomain.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @d0.org.afilias-nst.org mydomain.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49159
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.org. IN A

;; AUTHORITY SECTION:
mydomain.org. 86400 IN NS ns-831.awsdns-39.net.
mydomain.org. 86400 IN NS ns-434.awsdns-54.com.
mydomain.org. 86400 IN NS ns-1136.awsdns-14.org.
mydomain.org. 86400 IN NS ns-1816.awsdns-35.co.uk.

;; ADDITIONAL SECTION:
ns-1136.awsdns-14.org. 86400 IN A 205.251.196.112

;; Query time: 101 msec
;; SERVER: 199.19.57.1#53(199.19.57.1)
;; WHEN: Thu Mar 30 13:31:50 ADT 2017
;; MSG SIZE rcvd: 194
As you can see, querying the .org authoritative DNS shows that this domain is delegated to Amazon's name servers. Then query Amazon's DNS:
$ dig @ns-831.awsdns-39.net mydomain.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns-831.awsdns-39.net mydomain.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41808
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydomain.org. IN A

;; Query time: 108 msec
;; SERVER: 205.251.195.63#53(205.251.195.63)
;; WHEN: Thu Mar 30 13:33:02 ADT 2017
;; MSG SIZE rcvd: 30

So those name servers return status: REFUSED. Let's check the AWS Route53 settings:
$ aws route53 list-resource-record-sets --hosted-zone-id "/hostedzone/Z1UWDXXXXXXXXX"
{
    "ResourceRecordSets": [
        {
            "ResourceRecords": [
                { "Value": "12.145.178.101" }
            ],
            "Type": "A",
            "Name": "mydomain.org.",
            "TTL": 300
        },
        {
            "ResourceRecords": [
                { "Value": "ns-827.awsdns-39.net." },
                { "Value": "ns-1672.awsdns-17.co.uk." },
                { "Value": "ns-467.awsdns-58.com." },
                { "Value": "ns-1473.awsdns-56.org." }
            ],
            "Type": "NS",
            "Name": "mydomain.org.",
            "TTL": 172800
        },
        {
            "ResourceRecords": [
                { "Value": "ns-827.awsdns-39.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400" }
            ],
            "Type": "SOA",
            "Name": "mydomain.org.",
            "TTL": 900
        }
    ]
}
As you can see, the name servers in Route53 are completely different from those returned by the .org DNS query. When you query one of the servers listed above, you get the correct answer:
$ dig @ns-827.awsdns-39.net mydomain.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns-827.awsdns-39.net mydomain.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34904
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.org. IN A

;; ANSWER SECTION:
mydomain.org. 300 IN A 12.145.178.101

;; AUTHORITY SECTION:
mydomain.org. 172800 IN NS ns-1473.awsdns-56.org.
mydomain.org. 172800 IN NS ns-1672.awsdns-17.co.uk.
mydomain.org. 172800 IN NS ns-467.awsdns-58.com.
mydomain.org. 172800 IN NS ns-827.awsdns-39.net.

;; Query time: 108 msec
;; SERVER: 205.251.195.59#53(205.251.195.59)
;; WHEN: Thu Mar 30 14:10:21 ADT 2017
;; MSG SIZE rcvd: 194
This situation is really weird, because when you create a new hosted zone, Amazon assigns the name servers itself. In the Route53 menu there are two places where name servers are shown: the first under Hosted zones and the second under Registered domains. The first is the delegation set that actually serves the zone; the second is what is published at the registry for the domain, and it is not updated automatically. A hosted zone that is deleted and created again (as above) gets a fresh delegation set while the registry keeps delegating to the old one, which is one way to end up in this state.
So why are there different values, and which one is correct? When I tested the DNS records from the Amazon management console, I got this:
$ aws route53 test-dns-answer --hosted-zone-id "/hostedzone/Z1UWDXXXXXXXXX" --record-name mydomain.org --record-type NS
{
    "Protocol": "UDP",
    "RecordType": "NS",
    "RecordName": "mydomain.org",
    "Nameserver": "ns-827.awsdns-39.net",
    "RecordData": [
        "ns-1473.awsdns-56.org.",
        "ns-1672.awsdns-17.co.uk.",
        "ns-467.awsdns-58.com.",
        "ns-827.awsdns-39.net."
    ],
    "ResponseCode": "NOERROR"
}
After the last DNS query I spotted that the working name servers are not the ones shown under Route53/Registered domains. I deleted the old entries there and put the working servers into the Name servers field. The domain started to work almost immediately!
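The comparison done by hand above, as a script; this is an added example (my own code, not from the post). It assumes the raw text of the dig query against the TLD server and the JSON from aws route53 list-resource-record-sets as inputs; the inputs below are constructed from the values shown in the post, so the report reproduces the mismatch.

```python
import json
import re

# One RR per line in dig's ANSWER/AUTHORITY sections, e.g.
# "mydomain.org. 86400 IN NS ns-831.awsdns-39.net." (tabs or spaces between fields).
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.M)


def ns_from_dig(dig_output, zone):
    """Name servers the parent (TLD) publishes for `zone`, parsed from raw dig output."""
    origin = zone.strip(".").lower() + "."
    return {ns.lower() for owner, ns in NS_LINE.findall(dig_output) if owner.lower() == origin}


def ns_from_route53(record_sets, zone):
    """Name servers in the hosted zone's own apex NS record set."""
    origin = zone.strip(".").lower() + "."
    return {r["Value"].lower() for rr in record_sets
            if rr["Type"] == "NS" and rr["Name"].lower() == origin
            for r in rr["ResourceRecords"]}


def delegation_report(dig_output, record_sets, zone):
    parent = ns_from_dig(dig_output, zone)
    hosted = ns_from_route53(record_sets, zone)
    return {"consistent": bool(parent) and parent == hosted,
            "only_at_registry": sorted(parent - hosted),      # these answer REFUSED
            "only_in_hosted_zone": sorted(hosted - parent)}   # these should be at the registry


# Constructed inputs echoing the post: the .org server's authority section and the
# hosted zone's record sets name two different AWS delegation sets.
DIG_AT_TLD = """;; AUTHORITY SECTION:
mydomain.org. 86400 IN NS ns-831.awsdns-39.net.
mydomain.org. 86400 IN NS ns-434.awsdns-54.com.
mydomain.org. 86400 IN NS ns-1136.awsdns-14.org.
mydomain.org. 86400 IN NS ns-1816.awsdns-35.co.uk.
"""
HOSTED_ZONE = json.loads("""[
 {"Name": "mydomain.org.", "Type": "NS", "TTL": 172800, "ResourceRecords": [
   {"Value": "ns-827.awsdns-39.net."}, {"Value": "ns-1672.awsdns-17.co.uk."},
   {"Value": "ns-467.awsdns-58.com."}, {"Value": "ns-1473.awsdns-56.org."}]}
]""")

if __name__ == "__main__":
    print(json.dumps(delegation_report(DIG_AT_TLD, HOSTED_ZONE, "mydomain.org"), indent=2))
```

Run it after any transfer or after recreating a hosted zone; an empty only_at_registry list and consistent true means the registry delegation matches the zone that actually answers.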