8

I have a domain name (currently hosted on dyn.com) with an A record pointing to our production IP address.

We're moving across to Amazon EC2 and are using a load balancer, with the recommendation that we use a CNAME instead of an A record since load balancers may periodically change ip address.

Unfortunately I don't appear to be able to seamlessly make this transition - I have to delete the A record first, and then add the CNAME, which will potentially result in downtime as the new record propagates.

Is there any way to do this smoothly with zero (or very minimal) downtime?

James Davies
  • 273
  • 2
  • 3
  • 6
  • 1
    I don't see why it should result in downtime - save for the actual tiny amount of time the system does not have an A record or a CNAME. I agree with @Wesley - but the alternative might be to set up on a new DNS provider, then shift your domain name to them. [Not what I would do, but I control my own nameservers ] – davidgo Dec 23 '14 at 07:18
  • I might be misunderstanding the process, but deleting the existing `A` record would potentially result in cached NXDOMAIN responses? Our SOA NXDOMAIN TTL is 30 minutes, which I don't appear to be able to change in dyn.com – James Davies Dec 23 '14 at 07:22
  • 1
    If you were to shift your domain to another registrar, I would imagine you would not have any downtime as cached information would go to your old provider and new information to your new one. Once everything is shifted across you could just remove your domain from your old provider. Your current provider does not sound "fit for purpose" for you anyway. – davidgo Dec 23 '14 at 17:25

2 Answers2

12

There is a trick you can use here. That said, Wesley is a smart dude and you should listen to him. I don't get paid to say that but I'm hoping to change that one day.

Assuming that you're trying to change a record called www in a zone called example.com....

  • Create a temporary wildcard A record (*) in the zone. Commit the change. Test it, make sure the wildcard record is operating as expected and overriding NXDOMAIN responses.
  • Remove the www A record. Commit.
  • Add your new CNAME record. Commit. Test again.
  • Remove the wildcard * record when you're satisfied.
  • Follow Wesley's advice and find a DNS provider who doesn't force you to jump through hoops like this.

Since this is your reputation on the line, you may want to get a quick refresher on what Wikipedia has to say about how wildcards are processed. Make sure that you are adding a wildcard with the same dot count as the record you're removing, as wildcard records do not traverse a dot. (known as a label, if you want the proper RFC term)

Also, this should go without saying, but all of these tests should be run directly against your authoritative servers. (not against the default resolver configured for the computer you're running the test from)

Andrew B
  • 31,858
  • 12
  • 90
  • 128
8

We're moving across to Amazon EC2 and are using a load balancer, with the recommendation that we use a CNAME instead of an A record

I sincerely hope that you're not CNAMEing your apex domain. If your DNS host is self respecting, it won't be allowed. If it's a shameful and slimy host, you'll be able to, but you'll lose a piece of your soul (but you're using EC2 anyway, so it appears that concern for your soul is already minimal).

Quoth Amazon:

You can't use a CNAME record to associate your zone apex with your Elastic Load Balancing instance. DNS rules prohibit the creation of a CNAME record at the zone apex (e.g., example.com). For example, if you own the example.com domain name, you can use a CNAME record for the foo.example.com subdomain name, but not for the example.com zone apex.

Moving on...

...since load balancers may periodically change ip address.

No, load balancers shouldn't periodically change IP addresses. That's kind of their point. They stay the same and act as an abstraction layer between consumers and the content infrastructure. If someone told you that load balancer IP address may periodically change, ask them for clarity.

Amazon ELB is in place, so the goal is to CNAME your domain to the ELB's name. I understand the situation now.

Unfortunately I don't appear to be able to seamlessly make this transition - I have to delete the A record first, and then add the CNAME, which will potentially result in downtime as the new record propagates.

Without some multicast shenanigans and maybe even a dash of BGP wackiness, DNS itself isn't intended to have zero downtime changes. You can, however, minimize the downtime potential by dropping your records' TTL values down to the lowest allowable amount of time. Typically 60 seconds, but if your DNS host doesn't allow it to go that low, then get your pitchforks buffed because that's just awful. Regardless, drop your records to the lowest number possible, but then wait for however long the previous TTL value was. If your previous TTL value was 3600 seconds, then wait an hour after your changed your TTL value down to 60 seconds.

Once you've waited that long, then you can change your A record to a CNAME and you'll have only about 60 seconds of downtime, roughly.

I've done similar switchovers that involved zero downtime, but syncing was performed on the data stores so that during the murky cut-over period any transactions that filtered to the old and new systems were synced with backend magicks. That usually costs more time and effort than is justified unless you're dealing with lots of users and money.

The TTL is already 60 seconds, however the SOA NXDOMAIN TTL is 1800 seconds

...which will only be a problem if your domain has something happen which returns a NXDOMAIN response, which it won't when you change your record from an A to a CNAME.

so removing the existing A record will potentially result in up to 30 minutes down (so far as I can tell)

No because you're not removing, you're changing, and any reasonable DNS host would commit the removal of the A record and addition of the CNAME all in one fell swoop, so you will not be responding with NXDOMAIN to any requests.

If Dyn makes every change to your zone an atomic action that individually commits to the zone file, then yes you could potentially be returning NXDOMAIN responses. Which is an awful thing for Dyn to do, but wouldn't be entirely surprising.

which I don't appear to be able to change with dyn.com

My opinion (which when combined with $5 can get you a cup of coffee at Starbucks): Dyn is an awful DNS host.

Wesley
  • 32,320
  • 9
  • 80
  • 116
  • Amazon explicitly states that the ELB IP address may change without warning, and that we must use a CNAME. The TTL is already 60 seconds, however the SOA NXDOMAIN TTL is 1800 seconds, which I don't appear to be able to change with dyn.com - so removing the existing A record will potentially result in up to 30 minutes down (so far as I can tell). – James Davies Dec 23 '14 at 07:20
  • 1
    @JamesDavies Updated some stuffs. – Wesley Dec 23 '14 at 07:29
  • `No because you're not removing, you're changing, and any reasonable DNS host would commit the removal of the A record and addition of the CNAME all in one fell swoop` And therein lies my problem - Dyn.com won't let me do it atomically. Which backs up your next point quite succinctly. I'll take your opinion and run with it - Is there a particular host you recommend as an alternative? – James Davies Dec 23 '14 at 07:33
  • @JamesDavies Before my DynDNS hatred gets too out of control, you may be able to make these changes with their API in such a way that makes the potential for a NXDOMAIN response either non existent or inconsequentially small: https://help.dyn.com/dns-api-knowledge-base/ Also, I prefer DNSMadeEasy and it is the DNS host that my company uses. However, you'd also be looking at using an API for any particularly tricky changes that are time sensitive. Maybe DynDNS can get you where you need to be and I'm just bitter and jaded. – Wesley Dec 23 '14 at 07:36
  • @james Eh, maybe the API is the way to go and migrating would be pointless. Really though, a good DNS host should let you change those SOA options to the values you choose. Sooner or later you'll run your own DNS server. Then you'll know true jaded bitterness. =) – Wesley Dec 23 '14 at 07:50