Procedure to Change Nameservers

This should be easy. But sometimes things that seem like they
should be easy are not.

I want to change the nameservers for a bunch of domains. Really,
all I want to do is change the IP address, but it seems easier
just to change both the name and IP to avoid any possibility of
confusion. However, I am not "physically" moving the services.
These are the same physical servers, just an additional IP address
assigned to the appropriate interface. I want to do this the
"right" way.

Here's what I want to do. Am I doing anything wrong? (Am I being
way too careful?) For the example, let's use the names, old-dns1,
new-dns1, old-dns2, and new-dns2. I think you can guess what they
mean.

1) Add new-dns1 and new-dns2 to the NS records for a domain. (Possible
problem: I have NS records in my authoritative DNS for the zone that
are not in the hints at the gTLD server level. But that's not really
a problem, right? They are not lame servers.)

2) Change the NAMESERVER entries at the registrar from old-dns1 to
new-dns1 and old-dns2 to new-dns2.

3) Wait for the change to be reflected in the gTLD servers.

4) Wait for the TTL on the records to expire.

5) Wait a little bit longer just to be safe (maybe do some query
logging to see who still is using the old ones).

6) Remove old-dns1 and old-dns2 NS records from the zone.

7) Wait for the TTL on the records to expire.

8) Wait a bit longer.

9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out
the firewall rules that allow queries to those addresses).

10) ...

11) Profit.

Not really too bad. At least we don't have to send in host
record templates anymore.
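The checks behind steps 1, 3 and 6 (is every listed server authoritative, do the parent's NS set and the zone's NS set agree, does the parent's glue match what the zone publishes, and are the old names finally gone from both places) can be written down once and re-run at each phase. The example below is added here and is not code from the thread; the Delegation record and the two snapshots are constructed for illustration, with example.com and the documentation address ranges standing in for real names and IPs. In practice each field is filled from queries (for instance `dig +norec @<gTLD server> example.com NS` for the parent side and `dig +norec @<nameserver> example.com NS` for each child server); the logic below is what you then apply to the answers.

```python
"""Delegation consistency check for a nameserver change (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Delegation:
    """What the world sees for one zone at one point in time (all values constructed)."""
    zone: str
    parent_ns: Set[str]               # NS names the parent (gTLD) delegates to
    parent_glue: Dict[str, Set[str]]  # glue addresses the parent hands out
    child_ns: Set[str]                # NS RRset at the zone apex
    child_addr: Dict[str, Set[str]]   # addresses the zone itself publishes for each NS
    authoritative: Dict[str, bool]    # True if that server answers with AA set for the zone


def check_delegation(d: Delegation) -> List[str]:
    """Return findings prefixed ERROR or WARN; an empty list means the delegation is clean."""
    findings = []
    for ns in sorted(d.parent_ns | d.child_ns):
        if not d.authoritative.get(ns, False):
            findings.append(f"ERROR lame server: {ns} is listed as NS but does not answer "
                            f"authoritatively for {d.zone}")
    for ns in sorted(d.parent_ns - d.child_ns):
        findings.append(f"ERROR {ns} delegated at the parent but missing from the zone's NS RRset")
    for ns in sorted(d.child_ns - d.parent_ns):
        # Step 1 of the procedure produces exactly this state; harmless while the server is not lame.
        findings.append(f"WARN {ns} in the zone's NS RRset but not delegated at the parent")
    for ns, glue in sorted(d.parent_glue.items()):
        published = d.child_addr.get(ns, set())
        if glue != published:
            findings.append(f"WARN glue for {ns} at the parent {sorted(glue)} differs from "
                            f"the zone's own {sorted(published)}")
    return findings


def safe_to_retire(d: Delegation, old: Set[str]) -> bool:
    """Old servers may be switched off only once nothing delegates to them any more."""
    return not (old & (d.parent_ns | d.child_ns))


def keep_old_answering_for(ttls: Dict[str, int], factor: int = 2) -> int:
    """Seconds to keep the old addresses answering after the last NS/glue change:
    the largest relevant TTL times a safety factor (at least 1x, better 2x)."""
    return factor * max(ttls.values())


# Constructed snapshot after step 1: the zone lists old and new, the parent still lists old only.
AFTER_STEP_1 = Delegation(
    zone="example.com",
    parent_ns={"old-dns1.example.com", "old-dns2.example.com"},
    parent_glue={"old-dns1.example.com": {"192.0.2.1"}, "old-dns2.example.com": {"192.0.2.2"}},
    child_ns={"old-dns1.example.com", "old-dns2.example.com",
              "new-dns1.example.com", "new-dns2.example.com"},
    child_addr={"old-dns1.example.com": {"192.0.2.1"}, "old-dns2.example.com": {"192.0.2.2"},
                "new-dns1.example.com": {"198.51.100.1"}, "new-dns2.example.com": {"198.51.100.2"}},
    authoritative={n: True for n in ("old-dns1.example.com", "old-dns2.example.com",
                                     "new-dns1.example.com", "new-dns2.example.com")},
)

# Constructed snapshot after step 6: parent switched, old servers removed from the zone.
AFTER_STEP_6 = Delegation(
    zone="example.com",
    parent_ns={"new-dns1.example.com", "new-dns2.example.com"},
    parent_glue={"new-dns1.example.com": {"198.51.100.1"}, "new-dns2.example.com": {"198.51.100.2"}},
    child_ns={"new-dns1.example.com", "new-dns2.example.com"},
    child_addr={"new-dns1.example.com": {"198.51.100.1"}, "new-dns2.example.com": {"198.51.100.2"}},
    authoritative={"new-dns1.example.com": True, "new-dns2.example.com": True},
)

OLD = {"old-dns1.example.com", "old-dns2.example.com"}

if __name__ == "__main__":
    for label, snap in (("after step 1", AFTER_STEP_1), ("after step 6", AFTER_STEP_6)):
        print(label, check_delegation(snap) or ["clean"], "retire old:", safe_to_retire(snap, OLD))
    # NS and glue TTLs at the gTLD servers are 2 days; with factor 2 that is 4 days of waiting.
    print("keep old answering for", keep_old_answering_for({"NS": 172800, "glue": 172800}), "seconds")
```

Run it between phases and refuse to move to the next step while any ERROR is present; the WARN about extra child-side NS names is the expected state between steps 1 and 3 and disappears once the gTLD servers carry the new delegation.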


Crist Clark wrote:

> This should be easy. But sometimes things that seem like they
> should be easy are not.
>
> I want to change the nameservers for a bunch of domains. Really,
> all I want to do is change the IP address, but it seems easier
> just to change both the name and IP to avoid any possibility of
> confusion.

I would just edit the nameserver glue recs and enter the new IPs and add the new IPs to the zone. If the nameservers are .com, .net or .org the roots will pick up the new glue within a few minutes, after about 10 days the TTLs on your root glue will expire and you can remove the old IPs from your firewall rules.

You change your root glue recs for your nameservers via your registrar for the parent domain.

-mark

Crist Clark wrote:

> 9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out
> the firewall rules that allow queries to those addresses).
>
> 10) ...

10) Use one of the various sanity checking sites to validate some subset of your hosted domain configurations.

We used to like http://www.dnsstuff.com a lot, but they've gone commercial. It's still a great service and possibly worth the money (I bought a membership but will be comparing it with the other free offerings in the coming months before our renewal is up to see if there's really enough value add).

Free sites that perform similar DNS configuration checks that I know of are:

Mike

Crist Clark wrote:

> This should be easy. But sometimes things that seem like they
> should be easy are not.
>
> I want to change the nameservers for a bunch of domains. Really,
> all I want to do is change the IP address, but it seems easier
> just to change both the name and IP to avoid any possibility of
> confusion. However, I am not "physically" moving the services.
> These are the same physical servers, just an additional IP address
> assigned to the appropriate interface. I want to do this the
> "right" way.

Use a /32 routed to a host loopback interface. No reason to tie this to the network ethernet topology.

Route it here, route it there, route it through the load balancer, route it dynamically, route it here AND there.

Everything critical should be done that way. So much easier.

Make a clear distinction between the names in the NS and corresponding records and hostnames you use on the network. They should never correspond. That way you will never need/want to change them.

Keep the old addresses queryable for at least as long as your TTL was before the change. Maybe twice that. What does it cost you?

If you can do that, make the changes all at once or however suits your fancy, so long as what you put in works when you put it in.
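Keeping the old addresses queryable is only useful if you also look at who still hits them, which is step 5 of the original procedure ("do some query logging to see who still is using the old ones"). The example below is added here, not from the thread: it parses BIND 9-style query-log lines, whose trailing parenthesised field is the local address a query arrived on, and tallies queries per old address and per client so the stragglers are visible before the firewall rules come out. The log lines, the old addresses and the exact log layout are constructed for the example; other BIND versions and other servers log differently, so treat the regular expression as a starting point to adapt, not as a fixed format.

```python
"""Who still queries the old nameserver addresses? (added example, constructed log lines)"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed BIND 9-style line:
#   <date> client [@0x...] <client ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<local addr>)
# The last parenthesised address is the server address the query was received on.
QUERY_LOG = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: \S+ IN (?P<qtype>\S+) \S+ \((?P<local>[0-9a-fA-F.:]+)\)$"
)

OLD_ADDRESSES = {"192.0.2.1", "192.0.2.2"}   # constructed: the old-dns1 / old-dns2 addresses


def queries_to_old_addresses(lines: Iterable[str], old: Set[str]) -> Tuple[Counter, Dict[str, Counter]]:
    """Return (queries per old address, clients per old address) from query-log lines."""
    per_address: Counter = Counter()
    clients: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = QUERY_LOG.search(line.strip())
        if not m:
            continue   # not a query line, or a layout this parser does not know
        local = m.group("local")
        if local in old:
            per_address[local] += 1
            clients[local][m.group("client")] += 1
    return per_address, clients


def old_addresses_still_in_use(lines: Iterable[str], old: Set[str]) -> List[str]:
    """Old addresses that received at least one query in the log window; empty means step 9 is safe."""
    per_address, _ = queries_to_old_addresses(lines, old)
    return sorted(a for a in old if per_address[a] > 0)


# Constructed sample log: two old addresses still see traffic, the new one (198.51.100.1) is not counted.
SAMPLE_LOG = """\
10-Mar-2024 12:00:01.123 client @0x7f3c4c0a1b00 198.51.100.7#53412 (example.com): query: example.com IN NS -E(0)DC (192.0.2.1)
10-Mar-2024 12:00:02.456 client @0x7f3c4c0a1b00 203.0.113.9#41000 (www.example.com): query: www.example.com IN A -E(0)D (198.51.100.1)
10-Mar-2024 12:00:03.789 client @0x7f3c4c0a1b00 198.51.100.7#53413 (mail.example.com): query: mail.example.com IN MX -E(0)D (192.0.2.1)
10-Mar-2024 12:00:04.000 client @0x7f3c4c0a1b00 203.0.113.9#41001 (example.com): query: example.com IN SOA -E(0)D (192.0.2.2)
10-Mar-2024 12:00:05.000 resolver priming query complete
"""

if __name__ == "__main__":
    per_address, clients = queries_to_old_addresses(SAMPLE_LOG.splitlines(), OLD_ADDRESSES)
    for addr in sorted(OLD_ADDRESSES):
        print(f"{addr}: {per_address[addr]} queries from {dict(clients[addr])}")
    print("still in use:", old_addresses_still_in_use(SAMPLE_LOG.splitlines(), OLD_ADDRESSES))
```

A resolver that keeps asking an old address after the parent's TTL has long expired is usually one with a hard-coded hint or a stale cache, so the per-client tally is the list of people to contact before the old addresses stop answering.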

If you keep the glue rec names/A the same as the zone's NS records, there will be fewer bogus-lint complaints from things like dnsstuff, but you don't actually have to, as long as both sets work equally well.

> Free sites that perform similar DNS configuration checks that I know of
> are:
>
> http://dnssy.com
> http://www.intodns.com

Just to add to the list:
http://squish.net/dnscheck/

Then ask the question on a list related to DNS.

In fact, some registrars do require that they have the new zone nameserver
names and IP addresses registered, at least with themselves, and if it's a
new zone, you may not be able to put them inside the zone on first setup;
Domain Discover just did this to me on a change, and I believe I've had the
latter happen to me as well: the automated system wanted to *validate* the
IP to name mapping in... um, DNS.

For a new domain.

Which wasn't up yet.

<sigh>

Cheers,
-- jra

Wow. Nice one. All three added to wiki.outages.org.

Cheers,
-- jra

Well, wearing my old-school hat, the service should be working on the
authoritative servers -prior- to asking the parent to jump in - do some work - and
send me a bill. Validation can work just fine w/ address literals.

--bill