Over the years I’ve encountered the same problem, from huge corporations to small businesses, when moving a domain name to another registrar. This seemingly innocuous task frequently ends in disaster, particularly when working with a fly-by-night registrar (though the bigger players are often just as guilty, as are private ISPs), and the killer is always a lack of understanding, somewhere along the line, of who holds the DNS records.
The problem that really rears its head is that people come and go in businesses, so it often gets forgotten who bought a domain, or there is a simple lack of technical understanding of what really happens when you move ownership of a domain registration. Remember that ultimately your domain is always OWNED by a registrar and you just lease it for a fixed term.
Once upon a time this used to be easier. The WHOIS database used to be a nice global repository that gave you information on the ownership of a domain: not just the registrar but the name of the individual who registered it, their address and often a phone number. That is a relic of an internet gone by, before it was in every home and pocket, when sysadmins would call each other for a chat to solve a problem. This all changed with the advent of the GDPR, when the WHOIS database became largely obsolete due to its privacy concerns, making proper record keeping all the more important.
Let’s assume that your records are all fine and you know who owns your domain. Do you know where your DNS records are? The common oversight is handing over ownership of the domain wholesale to a new registrar without considering what exactly that entails, specifically your DNS nameservers.
IPS Tags, what are they?
IPS Tags (Internet Provider Security Tags, as they’re now known) are used by ISPs to gain control of a *.uk domain; the system is controlled by Nominet. Changing them is the exclusive right of the current registrar. If your domain is the property of GoDaddy (TAG: GODADDY) and you want to move it to Fasthosts (TAG: FASTHOSTS), this needs to be done by GoDaddy. The process is typically free but might run you a small fee from a less scrupulous re-seller. If you bought a domain from somewhere that’s gone bust, or that was run by one guy who has become unreachable, Nominet will usually perform the task for a very small charge if you can prove that you own the domain.
This task shouldn’t upset the DNS configuration in any way, but stranger things have happened.
EPP Codes, I’m not *.uk
Outside of the control of Nominet, which covers most domains, the IPS tag method isn’t used; EPP codes are used instead, along with domain locks.
Much like IPS tags, this is all under the control of the current registrar: if you’re with GoDaddy, only GoDaddy can issue an EPP code and release a domain lock. Usually you can get access to this from the domain control panel (depending on the quality of your registrar).
In order to migrate, you will need to release the domain lock (which flags the domain as being transferable to another registrar) and provide the EPP code to the new registrar, which will allow them to migrate the domain into their service. EPP codes are one-time use and unique per domain.
Registrars, Nameservers and Zones
It’s a fallacy to assume that your registrar and DNS provider are the same party; often they aren’t. That’s a question for your sysadmin to answer, and if they didn’t set it up, a little bit of digging is going to be needed.
The basic flow here is:
- Registrar holds the Domain
- The Domain points to some nameservers
- Those nameservers hold the DNS zone files
- Those zone files contain your actual DNS records which tell other systems on the internet how to communicate with your company
What’s actually in those zone files?
Most importantly for most businesses, the MX records handle how email gets into your company; without them, you won’t get email and it won’t go anywhere any more. In this day of hosted cloud services there are also SRV records for SIP to take care of, not to mention the more obvious problem of the WWW record that says where the company website is, which may very well be sitting with the registrar too, depending on your configuration. This is the tip of the iceberg: losing your DNS zone effectively removes your company’s presence from the internet.
So how can it go wrong?
When you do such a migration, almost every registrar gives you a nice shiny option saying something along the lines of “TRANSFER YOUR NAMESERVERS TO US (THE EASIEST OPTION)”. This certainly is easy, very easy for the registrar, but only good registrars will actually migrate the DNS records that you currently have during the process (Microsoft are particularly good at this). Most of the time those DNS records just get lost, and then you’re really, really in trouble.
So how do you fix it?
Fixing a disaster like this will take time. DNS has to propagate at the global level and you can’t hurry that along: once a change is in, it has to reach the root DNS servers on the internet, and for existing domains this can take 24/48 hours, a window in which you want to have online services. The best way to fix it is to not have this issue occur in the first place.
So how do you actually do it?
The larger the organization, of course, the larger the problems and the larger the planning. Assuming an Exchange platform (as the de facto standard), a new namespace will be needed to cope with the new domain name, along with a system of forwarding and new rules in your organization’s filtering and delivery systems. Older systems like Domino (yes, they’re still out there) also rely on a somewhat painful bespoke Connector and always require extensive testing.
There are other methods for actually migrating, but the one I recommend is solid:
- Ensure that you own your domain, that its IPS tag is set correctly and that you have access to any appropriate portals
- DON’T TAKE THE “EASY MIGRATION” OPTION!!!
- If your domain already has production services on it that are internet facing, find out what they are
- If you have access to the existing nameserver, make a record of every DNS record
- In your new nameserver, add every record (having two copies doesn’t matter; only one is ever used at once, as your registrar is only looking at one set of nameservers)
- Leave the new configuration in place for a MINIMUM of 48 hours
- Run queries against the new nameserver using nslookup (or if that’s too much like hard work, the free tools provided at https://mxtoolbox.com will provide the same utilities in a nice package)
- Then, and only then, in your registrar portal, set your domain to point at your new nameservers
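As an added example (not code from the original post), here is a Python script that ties the “make a record of every DNS record” and “run queries against the new nameserver” steps together: it parses dig-style answer lines captured from the old and new nameservers, normalises case, trailing dots and TTLs, and reports anything the new nameserver is missing before you repoint the domain. The zone contents and the nameserver name are constructed for illustration.

```python
import re

# Constructed sample answers in `dig @<ns> <name> <type> +noall +answer` form, as
# captured from the OLD (current) and NEW nameservers. Not real zone data.
OLD_NS_ANSWERS = """
example.co.uk.            3600 IN MX   10 mail1.example.co.uk.
example.co.uk.            3600 IN MX   20 mail2.example.co.uk.
www.example.co.uk.        3600 IN A    203.0.113.10
_sip._tcp.example.co.uk.  3600 IN SRV  10 60 5060 sip.example.co.uk.
example.co.uk.            3600 IN TXT  "v=spf1 mx -all"
"""
# The new zone was keyed in by hand: the SIP SRV and the backup MX were missed.
NEW_NS_ANSWERS = """
EXAMPLE.CO.UK.             300 IN MX   10 mail1.example.co.uk
www.example.co.uk.         300 IN A    203.0.113.10
example.co.uk.             300 IN TXT  "v=spf1 mx -all"
"""

ANSWER_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def _norm(tok):
    # Names are case-insensitive with an optional trailing dot; quoted TXT strings stay as served.
    return tok if tok.startswith('"') or tok.endswith('"') else tok.lower().rstrip(".")

def parse_answers(text):
    """Set of (owner, type, rdata); TTL is dropped so a changed TTL can't mask a missing record."""
    records = set()
    for line in text.strip().splitlines():
        m = ANSWER_LINE.match(line.strip())
        if m:
            name, rtype, rdata = m.groups()
            records.add((_norm(name), rtype.upper(), " ".join(map(_norm, rdata.split()))))
    return records

def diff_zones(old_text, new_text):
    """Records the old nameserver serves but the new one does not, and vice versa."""
    old, new = parse_answers(old_text), parse_answers(new_text)
    return {"missing": sorted(old - new), "extra": sorted(new - old)}

def safe_to_cut_over(old_text, new_text):
    """Only repoint the domain at the registrar once nothing is missing."""
    return not diff_zones(old_text, new_text)["missing"]

def dig_commands(nameserver, records):
    """The dig queries to run against a nameserver for every (owner, type) inventoried."""
    return [f"dig @{nameserver} {n} {t} +noall +answer" for n, t in sorted({(r[0], r[1]) for r in records})]

if __name__ == "__main__":
    for rec in diff_zones(OLD_NS_ANSWERS, NEW_NS_ANSWERS)["missing"]:
        print("MISSING on new nameserver:", *rec)
```

Run the commands from dig_commands against the old nameserver to build the inventory, then against the new one, and only cut over when diff_zones reports nothing missing.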