Procedure to Change Nameservers
This should be easy. But sometimes things that seem like they should be easy are not.
I want to change the nameservers for a bunch of domains. Really, all I want to do is change the IP address, but it seems easier just to change both the name and IP to avoid any possibility of confusion. However, I am not "physically" moving the services. These are the same physical servers, just an additional IP address assigned to the appropriate interface. I want to do this the "right" way.
Here's what I want to do. Am I doing anything wrong? (Am I being way too careful?) For the example, let's use the names, old-dns1, new-dns1, old-dns2, and new-dns2. I think you can guess what they mean.
1) Add new-dns1 and new-dns2 to the NS records for a domain. (Possible problem: I have NS records in my authoritative DNS for the zone that are not in the hints at the gTLD server level. But that's not really a problem, right? They are not lame servers.)
2) Change the NAMESERVER entries at the registrar from old-dns1 to new-dns1 and old-dns2 to new-dns2.
3) Wait for the change to be reflected in the gTLD servers.
4) Wait for the TTL on the records to expire.
5) Wait a little bit longer just to be safe (maybe do some query logging to see who still is using the old ones).
6) Remove old-dns1 and old-dns2 NS records from the zone.
7) Wait for the TTL on the records to expire.
8) Wait a bit longer.
9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out the firewall rules that allow queries to those addresses).
10) ...
11) Profit.
Not really too bad. At least we don't have to send in host record templates anymore.
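Step 5 above suggests query logging to see who is still using the old nameserver addresses. As an added example (not part of the original post), the Python below scans constructed BIND 9-style query log lines and lists the clients that still query the old addresses after the NS TTL has run out; the log layout, the addresses, the cutover time and the two-day TTL are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed BIND 9-style layout); the trailing
# parenthesised address is the local address the query arrived on.
SAMPLE_LOG = """\
18-Sep-2008 10:00:01.120 client 203.0.113.7#40112 (example.com): query: example.com IN A + (192.0.2.53)
18-Sep-2008 10:00:02.431 client 203.0.113.9#51123 (example.com): query: example.com IN MX + (198.51.100.53)
20-Sep-2008 11:15:40.002 client 203.0.113.7#40999 (www.example.com): query: www.example.com IN A + (192.0.2.53)
21-Sep-2008 09:02:11.870 client 203.0.113.20#33211 (example.com): query: example.com IN NS + (192.0.2.54)
21-Sep-2008 09:02:12.004 client 203.0.113.9#51300 (example.com): query: example.com IN A + (198.51.100.54)
not a query log line
"""

OLD_ADDRS = {"192.0.2.53", "192.0.2.54"}      # hypothetical old-dns1 / old-dns2
CHANGE_TIME = datetime(2008, 9, 18, 9, 0, 0)  # assumed: when the parent showed the new NS set
NS_TTL = 172800                               # assumed TTL in seconds (two days)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+.*?: query: "
    r"(?P<qname>\S+) \S+ (?P<qtype>\S+) .*\((?P<local>[0-9A-Fa-f.:]+)\)\s*$"
)

def stale_clients(log_text, old_addrs, change_time, ttl_seconds):
    """Map client -> [(time, qname, qtype, old address)] for queries that
    still reached an old address after change_time + ttl_seconds."""
    deadline = change_time + timedelta(seconds=ttl_seconds)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["local"] not in old_addrs:
            continue  # unparsable line, or query arrived on a new address
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if ts > deadline:
            hits[m["client"]].append((ts, m["qname"], m["qtype"], m["local"]))
    return dict(hits)

if __name__ == "__main__":
    for client, seen in sorted(stale_clients(SAMPLE_LOG, OLD_ADDRS, CHANGE_TIME, NS_TTL).items()):
        last = max(t for t, *_ in seen)
        print(f"{client}: {len(seen)} late queries to old addresses, last at {last}")
```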
Crist Clark wrote:
This should be easy. But sometimes things that seem like they should be easy are not.
I want to change the nameservers for a bunch of domains. Really, all I want to do is change the IP address, but it seems easier just to change both the name and IP to avoid any possibility of confusion.
I would just edit the nameserver glue recs and enter the new IPs and add the new IPs to the zone.
If the nameservers are .com, .net or .org the roots will pick up the new glue within a few minutes, after about 10 days the TTLs on your root glue will expire and you can remove the old IPs from your firewall rules.
You change your root glue recs for your nameservers via your registrar for the parent domain.
-mark
--
Mark Jeftovic <markjr@easydns.com>
Founder / President, easyDNS Technologies Inc.
Company Website: http://www.easyDNS.com
I ramble pointlessly from my blog: http://www.PrivateWorld.com
Crist Clark wrote:
9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out the firewall rules that allow queries to those addresses).
10) ...
10) Use one of the various sanity checking sites to validate some subset of your hosted domain configurations.
We used to like http://www.dnsstuff.com a lot, but they've gone commercial. It's still a great service and possibly worth the money (I bought a membership but will be comparing it with the other free offerings in the coming months before our renewal is up to see if there's really enough value add).
Free sites that perform similar DNS configuration checks that I know of are:
http://dnssy.com
http://www.intodns.com
Mike
Free sites that perform similar DNS configuration checks that I know of are:
Just to add to the list: http://squish.net/dnscheck/
----- list-nanog@pwns.ms wrote:
Free sites that perform similar DNS configuration checks that I know of are:
Just to add to the list: http://squish.net/dnscheck/
Wow. Nice one. All three added to wiki.outages.org.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)
Crist Clark wrote:
This should be easy. But sometimes things that seem like they should be easy are not.
I want to change the nameservers for a bunch of domains. Really, all I want to do is change the IP address, but it seems easier just to change both the name and IP to avoid any possibility of confusion. However, I am not "physically" moving the services. These are the same physical servers, just an additional IP address assigned to the appropriate interface. I want to do this the "right" way.
Use a /32 routed to a host loopback interface. No reason to tie this to the network ethernet topology. Route it here, route it there, route it through the load balancer, route it dynamically, route it here AND there. Everything critical should be done that way. So much easier.
Make a clear distinction between the names in the NS and corresponding records and hostnames you use on the network. They should never correspond. That way you will never need/want to change them.
Keep the old addresses queryable for at least as long as your TTL was before the change. Maybe twice that. What does it cost you?
If you can do that, make the changes all at once or however suits your fancy, so long as what you put in works when you put it in.
If you keep the glue rec names/A the same as the zone's NS records, there will be fewer bogus-lint complaints from things like dnsstuff, but you don't actually have to, as long as both sets work equally well.
----- "Crist Clark" <Crist.Clark@globalstar.com> wrote:
I want to change the nameservers for a bunch of domains. Really, all I want to do is change the IP address, but it seems easier just to change both the name and IP to avoid any possibility of confusion. However, I am not "physically" moving the services. These are the same physical servers, just an additional IP address assigned to the appropriate interface. I want to do this the "right" way.
Not really too bad. At least we don't have to send in host record templates anymore.
In fact, some registrars do require that they have the new zone nameserver names and IP addresses registered, at least with themselves, and if it's a new zone, you may not be able to put them inside the zone on first setup; Domain Discover just did this to me on a change, and I believe I've had the latter happen to me as well: the automated system wanted to *validate* the IP to name mapping in... um, DNS.
For a new domain.
Which wasn't up yet.
<sigh>
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)
On Thu, Sep 18, 2008 at 07:31:37PM -0400, Jay R. Ashworth wrote:
----- "Crist Clark" <Crist.Clark@globalstar.com> wrote:
I want to change the nameservers for a bunch of domains. Really, all I want to do is change the IP address, but it seems easier just to change both the name and IP to avoid any possibility of confusion. However, I am not "physically" moving the services. These are the same physical servers, just an additional IP address assigned to the appropriate interface. I want to do this the "right" way.
Not really too bad. At least we don't have to send in host record templates anymore.
In fact, some registrars do require that they have the new zone nameserver names and IP addresses registered, at least with themselves, and if it's a new zone, you may not be able to put them inside the zone on first setup; Domain Discover just did this to me on a change, and I believe I've had the latter happen to me as well: the automated system wanted to *validate* the IP to name mapping in... um, DNS.
For a new domain.
Which wasn't up yet.
<sigh>
Cheers, -- jra
well, wearing my oldschool hat, the service should be working on the authoritative servers -prior- to asking the parent to jump in - do some work - and send me a bill. validation can work just fine w/ address literals. --bill