Wednesday, December 31, 2014

How to transfer your DNS configuration to AWS Route 53




These are the steps for a simple DNS migration to AWS Route 53.

For our convenience, we have previously migrated our Internet Domain registration to Route 53 using these instructions (optional).


1- Create Hosted Zone


- On the Route 53 Console, click the "Create Hosted Zone" button.

- Enter your domain name (domenech.org in this example) and press the "Create" button.


[Screenshot: Route 53 Create Hosted Zone]





After a successful creation, the Zone Details will appear on screen, together with the Name Servers for our domain. They will play an important role later on.


2- Obtain Zone File


There are three ways to populate our Hosted Zone: the Route 53 API, the Console and Import Zone File:
  1. Importing a zone using the API is for advanced users and is suggested for big DNS configurations. There are some tools out there to facilitate this task (official documentation).
  2. Importing a zone manually using the Route 53 Console is easy, but only for small DNS configurations.
  3. Importing a zone using the "Import Zone File" option on the Route 53 console is easy, but relies on our ability to obtain our current DNS server configuration as a zone file.

A DNS Zone File is a plain text list of your current DNS configuration with all records and their values.

Import Zone File is the method we are going to use in this example. It ensures that no typos are introduced during the migration and is an easy, repeatable method.

Below is my DNS server configuration, obtained from my current ISP using a Plesk Control Panel. There are all sorts of Control Panels and Service Providers; I suggest you send a support request to your current ISP to get that information.

Zone file:

$ORIGIN domenech.org.
$TTL 1h
*.webmail.domenech.org. CNAME mail.domenech.org.
blog.domenech.org. CNAME ghs.google.com.
domenech.org.      A 46.17.142.13
domenech.org.      MX (10) mail.domenech.org.
domenech.org.      MX (20) relay.celingest.es.
domenech.org.      TXT v=spf1 include:celingest.es a mx ~all
ftp.domenech.org.  CNAME domenech.org.
imap.domenech.org. CNAME mail.domenech.org.
ipv4.domenech.org. CNAME domenech-1821931935.us-east-1.elb.amazonaws.com.
ipv6.domenech.org. CNAME dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com.
mail.domenech.org. A 46.17.142.13
pop.domenech.org.  CNAME mail.domenech.org.
pop3.domenech.org. CNAME mail.domenech.org.
smtp.domenech.org. CNAME mail.domenech.org.
webmail.domenech.org. CNAME mail.domenech.org.
www.domenech.org. CNAME domenech.org.

The file format is simple: three columns, DNS entry name + entry type + values, separated by spaces.

Notice the two special fields at the beginning of the list: $ORIGIN and $TTL. I had to introduce them manually.

$ORIGIN is our Internet Domain Name followed by ".".

$TTL 1h is the default TTL we plan to use for each entry. You can easily change that value later for individual entries using the console where necessary.

No SOA or NS records: they have to be deleted from our list, as they are already present in the Hosted Zone configuration.
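As an added example (not code from the original post), here is a small pre-import check in Python for the zone file format described above: it applies $ORIGIN and $TTL, rejects records that precede them, normalises the Plesk "(10)" MX priority syntax, collapses multi-value records into one record set in the shape Route 53 uses, and reports the SOA/NS lines that must be dropped before importing. The sample zone is constructed from the one above with SOA and NS lines added; ns1.isp.example is a placeholder name.

```python
import re

# Constructed sample in the Plesk export format shown above; SOA/NS lines added to exercise the check.
SAMPLE_ZONE = """$ORIGIN domenech.org.
$TTL 1h
domenech.org.      SOA ns1.isp.example. hostmaster.domenech.org. 1 1h 15m 1w 1h
domenech.org.      NS  ns1.isp.example.
domenech.org.      A 46.17.142.13
domenech.org.      MX (10) mail.domenech.org.
domenech.org.      MX (20) relay.celingest.es.
www.domenech.org.  CNAME domenech.org.
"""

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(text):
    """'1h' -> 3600, '30' -> 30; raises on anything else."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.lower())
    if not m:
        raise ValueError(f"bad TTL {text!r}")
    return int(m.group(1)) * TTL_UNITS.get(m.group(2), 1)

def parse_zone(text):
    """Map (name, type) -> Route 53-style ResourceRecordSet; also return the skipped SOA/NS lines."""
    origin, ttl, records, skipped = None, None, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";")[0].split()           # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            if not origin.endswith("."):
                raise ValueError(f"line {lineno}: $ORIGIN must end with '.'")
            continue
        if fields[0] == "$TTL":
            ttl = parse_ttl(fields[1])
            continue
        if origin is None or ttl is None:
            raise ValueError(f"line {lineno}: record found before $ORIGIN and $TTL")
        name, rtype, value = fields[0], fields[1].upper(), " ".join(fields[2:])
        if rtype in ("SOA", "NS"):                   # already present in the hosted zone
            skipped.append((lineno, rtype))
            continue
        mx = re.fullmatch(r"\((\d+)\) (\S+)", value) if rtype == "MX" else None
        if mx:                                       # Plesk "(10) host." -> "10 host."
            value = f"{mx.group(1)} {mx.group(2)}"
        rec = records.setdefault((name, rtype), {"Name": name, "Type": rtype, "TTL": ttl, "ResourceRecords": []})
        rec["ResourceRecords"].append({"Value": value})
    return records, skipped
```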


3- Import Zone File


- Select the newly created Zone and click the "Go to Record Sets" button.

- Click the "Import Zone File" button and paste the contents of your Zone File.

[Screenshot: Import Zone File dialog]


- Press the "Import" button.

[Screenshot: zone file import successful]

You will get a success message after a couple of seconds. Otherwise, the console will tell you what the error was and on which line number it occurred.


3- Test


The new Hosted Zone and its DNS entries are ready to use.

This is a concept that can be difficult to wrap our heads around: Route 53 replicates all those changes in real time across its DNS servers, and this configuration is ready to be used by anyone.

But we haven't changed our Internet Domain configuration yet, and therefore nobody is connecting to our new DNS servers. That gives us a chance to properly test the transfer result before going Live.


Where are my new DNS servers?

Open your Hosted Zone in the Route 53 console. Your new DNS servers are listed under Type: NS.

[Screenshot: imported record sets, including the NS entry]



Use the dig command to query your "old" and your "new" DNS servers and compare the results.

First, let's send the request to the Internet to get our current Live configuration:

$ dig mail.domenech.org

; <<>> DiG 9.8.3-P1 <<>> mail.domenech.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.domenech.org. IN A

;; ANSWER SECTION:
mail.domenech.org. 59 IN A 46.17.142.13



In this example the DNS query was "mail.domenech.org" and the answer is the IP 46.17.142.13.

Next we perform the same query, but this time we instruct dig to ask only one of our new DNS servers (previously obtained from the Console):

$ dig mail.domenech.org @ns-1322.awsdns-37.org

; <<>> DiG 9.8.3-P1 <<>> mail.domenech.org @ns-1322.awsdns-37.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64064
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.domenech.org. IN A

;; ANSWER SECTION:
mail.domenech.org. 3600 IN A 46.17.142.13

;; AUTHORITY SECTION:
domenech.org. 172800 IN NS ns-1322.awsdns-37.org.
domenech.org. 172800 IN NS ns-1615.awsdns-09.co.uk.
domenech.org. 172800 IN NS ns-238.awsdns-29.com.
domenech.org. 172800 IN NS ns-912.awsdns-50.net.


The answer is a bit different, but the key value, the IP address, is the same. That indicates that this DNS entry has been successfully transferred.

Also notice that the TTL is 59 seconds in the first query and 3600 seconds (1h) in the second query. That is because we specified $TTL 1h in our Zone File and all the imported entries in Route 53 have this default value. You could change it on each entry manually using the Console, or repeat the import process with a different default TTL value.
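The old-versus-new comparison above can be scripted so it is run for every name in the zone rather than checked by eye. This added example (not part of the original post) parses dig output, compares the answer rdata while reporting TTL differences separately, and checks the aa flag so you know the reply really came from an authoritative server; the samples are trimmed copies of the two dig outputs above.

```python
import re

# Constructed samples: abbreviated copies of the two dig outputs shown above
# (the Live resolver first, then the new Route 53 name server queried directly).
DIG_LIVE = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
mail.domenech.org. 59 IN A 46.17.142.13
"""
DIG_ROUTE53 = """;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
mail.domenech.org. 3600 IN A 46.17.142.13

;; AUTHORITY SECTION:
domenech.org. 172800 IN NS ns-1322.awsdns-37.org.
"""

def dig_flags(text):
    """Header flags as a set, e.g. {'qr', 'aa', 'rd'}; 'aa' means the answer is authoritative."""
    m = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    return set(m.group(1).split()) if m else set()

def dig_section(text, section="ANSWER"):
    """Map (owner, type) -> {rdata: ttl} for one section of dig output."""
    records, in_section = {}, False
    for line in text.splitlines():
        if line.startswith(";;"):                    # section header, flags, warnings
            in_section = line.startswith(f";; {section} SECTION:")
            continue
        if in_section and line.strip():
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.setdefault((owner, rtype), {})[rdata] = int(ttl)
    return records

def compare_answers(live_text, new_text):
    """Rdata mismatches are real transfer errors; TTL differences are expected ($TTL 1h)."""
    live, new = dig_section(live_text), dig_section(new_text)
    report = {"authoritative": "aa" in dig_flags(new_text), "mismatch": [], "ttl": []}
    for key, rdatas in live.items():
        if set(rdatas) != set(new.get(key, {})):
            report["mismatch"].append((key, sorted(rdatas), sorted(new.get(key, {}))))
            continue
        for rdata, ttl in rdatas.items():
            if new[key][rdata] != ttl:
                report["ttl"].append((key, rdata, ttl, new[key][rdata]))
    return report
```

A mismatch, or a reply without the aa flag from a server you addressed with @, means the record (or the server name) needs a second look before going Live.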


4- Rollback plan before changing Live configuration


In the next step we will change our Internet Domain DNS configuration and tell the Internet to use our new DNS servers. Before doing that, it is advisable to lower our NS entry TTL to 1 hour.

- Open your Hosted Zone, select the NS entry for your domain, click the "1h" button (the value will be translated to 3600 seconds) and click the "Save Record Set" button.

[Screenshot: NS record TTL set to 1 hour]


This instructs other DNS servers connecting to ours to come back an hour later to find out whether the Route 53 DNS servers are still valid. This gives us the option to undo this configuration in case something goes wrong. In the worst-case scenario, the issue will last an hour (the TTL value).


5- Change Internet Domain configuration and bring Route 53 Live


This is the step where all the previous configuration is set in motion.

- Go to Route 53 Registered Domains, select the Internet Domain we plan to modify and click on "Add/Edit Name Servers".

[Screenshot: Registered Domains, Add/Edit Name Servers]


- Write down the current DNS server list in order to roll back this change if necessary.

- Enter your new DNS servers obtained in step #3 (those shown below are an example; your server names will probably differ) and click the "Update" button.

[Screenshot: new name servers entered]


[Screenshot: name servers changed confirmation email]


A couple of minutes later (depending on the TTL set on your former DNS servers) the change can be tested using dig.


$ dig domenech.org NS

; <<>> DiG 9.8.3-P1 <<>> domenech.org NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29759
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domenech.org. IN NS

;; ANSWER SECTION:
domenech.org. 3600 IN NS ns-1615.awsdns-09.co.uk.
domenech.org. 3600 IN NS ns-912.awsdns-50.net.
domenech.org. 3600 IN NS ns-1322.awsdns-37.org.
domenech.org. 3600 IN NS ns-238.awsdns-29.com.


The new Route 53 servers are there and are being used by anyone connecting to our Internet Domain.


6- Post configuration tasks


Once we are happy and everything is tested, we can raise the TTL values. A higher TTL will improve our users' experience and reduce Route 53 cost.

- Open the NS entry and click the "1d" button twice to select 172800 seconds (2 days).

[Screenshot: NS record TTL back to the standard value]



7- Rollback


In case something went wrong, we can set our former DNS servers in the Internet Domain configuration: repeat step #5, but this time enter your old DNS server list. This will bring your DNS configuration back to the initial point once the TTL expires (1 hour in this example).



Tuesday, December 30, 2014

Amazon Web Services Certification: SysOps Administrator - Associate


[Image: AWS Certified SysOps Administrator - Associate badge]


At the recent Re:Invent 2014 I had the opportunity to obtain my second AWS certification, SysOps Administrator - Associate, and to take the beta of the new certification, AWS DevOps Engineer - Professional.


In the last year the roadmap has changed substantially:

[Image: AWS certification roadmap 2015]


What's new:


- There is no longer any mention of the possibility of obtaining a Master-level certification (unlike last year).

- The Professional level for Developer and SysOps is being discontinued and merged into a single certification: AWS Certified DevOps Engineer - Professional.


Exam for AWS Certified SysOps Administrator - Associate


I encourage you to try it, even engineers whose role is mostly systems work and who have not yet caught up on scripting, OpsWorks and CloudFormation. It is an achievable exam.

My advice is to use our Kryterion account (the one we got to sit the Solutions Architect exam) and buy a $20 practice exam to find out what level we are at.


New certification: AWS Certified DevOps Engineer - Professional


The beta was available at Re:Invent 2014 and now we have to wait for the final version to be released, probably in March 2015. During the beta process, AWS tests the exam with a large group of AWS users and company employees in order to determine the passing score and identify the questions that are confusing or cause complaints from candidates. With that information the final exam is produced and later offered to the public.

It is a hard exam, as befits a Professional level. But with the current roadmap there is no doubt that we must prepare for this certification if we want to keep progressing as specialists in AWS technology. We will wait for the final release to learn the final content of this certification and for the online study resources to catch up.

Note: To be eligible for this certification you must hold an active Certified Developer or Certified SysOps certification. These certifications expire two years after they are obtained. Keep this in mind for your certification plans.



Monday, December 29, 2014

How to transfer your Internet Domain to AWS Route 53


[Image: transfer domain to AWS Route 53 icon]

These are the steps to transfer an Internet domain (domenech.org in this example) to AWS Route 53.

This is not a DNS configuration migration; it only makes AWS our Domain registrar.

1- Check your current domain registration information


Make sure that your contact details are up to date and that you have everything you need to administer your domain configuration (valid email addresses, the domain is not about to expire, the domain is not locked, etc.).


2- Request the Authorisation Code from your current Registrar


The goal of the whole process is to transfer registrar authority from one registrar (your current one) to a new one (AWS). The method to authenticate that this is an authorised request is the Authorisation Code.

Each provider has a different method to obtain this code. For example, these are the instructions for GoDaddy.


3- Initiate the Transfer Domain Wizard


- On the Route 53 Console, click on "Registered Domains" and then the "Transfer Domain" button.

- Type your Internet Domain name and select its TLD (domenech.org in this case).

[Screenshot: Transfer Domain wizard, step 3]

4- Authorisation Code and your current DNS servers


Enter here the Authorisation Code you have received from your current Registrar.

Enter here your current DNS server names. There is room for 4 servers, but 2 servers is the minimum required.

Remember: these are your current DNS servers. Nothing changes here; we are migrating only the Internet Domain registrar of your domain.


[Screenshot: Transfer Domain wizard, step 4]



5- Fill in your contact details


[Screenshot: Transfer Domain wizard, step 5]

6- Review & Purchase


[Screenshot: Review & Purchase, step 6a]

[Screenshot: Review & Purchase, step 6b]

7- noreply@domainnameverification.net email


The process has been initiated and should now be in pending status.
You can track it on the Route 53 Console Dashboard:

[Screenshot: Route 53 dashboard showing the pending transfer]


After a couple of days you will receive an email from noreply@domainnameverification.net asking you to approve the transfer. Follow those instructions.

[Screenshot: domainnameverification.net approval email]

[Screenshot: approve transfer page]


8- Done. Your Internet Domain is now under Amazon Web Services control


[Screenshot: domain listed under Registered Domains]


9- Test


A good way to test that the Internet got it right is to perform a "Who Is" lookup from a public service like http://www.whois.net and query your domain.

Below is the current output of that query for domenech.org. Notice that my personal details are obfuscated by a third-party registrar: AWS has delegated the domain registration to http://www.gandi.net/whois and this service includes information obfuscation at no additional cost.

Domain Name:DOMENECH.ORG
Domain ID: D85970450-LROR
Creation Date: 2002-04-25T19:34:26Z
Updated Date: 2014-10-25T00:20:22Z
Registry Expiry Date: 2016-04-25T19:34:26Z
Sponsoring Registrar:Gandi SAS (R42-LROR)
Sponsoring Registrar IANA ID: 81
WHOIS Server: 
Referral URL: 
Domain Status: clientTransferProhibited
Registrant ID:JD10503-GANDI
Registrant Name:Juan Domenech
Registrant Organization:
Registrant Street: Whois Protege / Obfuscated whois
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City:Paris
Registrant State/Province:
Registrant Postal Code:75013
Registrant Country:FR
Registrant Phone:+33.170377666
Registrant Phone Ext: 
Registrant Fax: +33.143730576
Registrant Fax Ext: 
Registrant Email:a517c25f3bd3ea62979ed4e973f86c48-2042264@contact.gandi.net
Admin ID:JD10502-GANDI
Admin Name:Juan Domenech
Admin Organization:
Admin Street: Whois Protege / Obfuscated whois
Admin Street: Gandi, 63-65 boulevard Massena
Admin City:Paris
Admin State/Province:
Admin Postal Code:75013
Admin Country:FR
Admin Phone:+33.170377666
Admin Phone Ext: 
Admin Fax: +33.143730576
Admin Fax Ext: 
Admin Email:254445e386172ccaea82940961ab1cf2-2042260@contact.gandi.net
Tech ID:JD10504-GANDI
Tech Name:Juan Domenech
Tech Organization:
Tech Street: Whois Protege / Obfuscated whois
Tech Street: Gandi, 63-65 boulevard Massena
Tech City:Paris
Tech State/Province:
Tech Postal Code:75013
Tech Country:FR
Tech Phone:+33.170377666
Tech Phone Ext: 
Tech Fax: +33.143730576
Tech Fax Ext: 
Tech Email:0d4fec3c29117f4dd0034f2b144b1ee4-2042268@contact.gandi.net
Name Server:NS1.CELINGEST.ES
Name Server:NS2.CELINGEST.ES
Name Server:NS3.CELINGEST.ES
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned