How did you migrate DNS and avoid outages during provider switch?
#1
I've recently taken over the IT infrastructure for a small business, and our external DNS is a mess of outdated records hosted with our domain registrar. I want to migrate to a more robust provider and implement better practices like DNSSEC and proper TTL management, but I'm worried about causing an outage during the transition. For sysadmins who have modernized their DNS setup, what was your migration strategy to minimize risk, and which specific configuration settings or record types do you now consider essential for security and reliability that are often overlooked?
Reply
#2
Nice goal. Start with a parallel run on two providers and keep TTLs modest (e.g., 300s) so you can roll back fast if anything breaks. Also do a full inventory first to remove stale records.
Reply
#3
Migration strategy: 1) clean data and export the current zone; 2) set up the new provider with an exact replica and enable DNSSEC; 3) temporarily run both zones (dual delegation) during a controlled window; 4) flip delegation to the new NS and publish DS at the parent; 5) monitor for a few days and then decommission the old provider.
Reply
#4
Essential records and settings: A/AAAA for hosts, NS and SOA, MX for mail, CNAME where needed, TXT (SPF/DKIM hints), SRV for services; TTL around 300s works in normal operation; during migration drop to 60-120s. Also ensure zone serial increments on updates.
Reply
#5
Security-focused bits: enable DNSSEC across zones; publish DS at the parent; maintain backups of DNSKEY; have a plan for key rollover; enable secondary DNS for redundancy; consider RPZ; ensure access controls and logs are in place on the DNS provider.
Reply
#6
Potholes to watch for: missing child zone config, apex CNAMEs, forgetting to update registrar delegation, long propagation due to TTLs, and not validating data after cutover. Run a small pilot subdomain first and keep a clear rollback plan.
Reply
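Added example (not written by any poster in this thread): a minimal pre-cutover audit in Python that diffs the old provider's zone export against the new provider's replica and covers the record-mismatch, apex-CNAME and migration-TTL checks raised in the posts above. It assumes a simplified one-record-per-line export (`name ttl IN type rdata`); the function names, the threshold constant and the zone contents are constructed for illustration.

```python
from collections import defaultdict

MIGRATION_MAX_TTL = 120  # top of the 60-120s migration range suggested in the thread

def parse_zone(text, origin):
    """Parse 'name ttl IN type rdata' lines into {(fqdn, type): {rdata: ttl}}."""
    rrsets = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line, comment, or a shorthand this sketch does not handle
        name, ttl, _cls, rtype = parts[:4]
        name = origin if name == "@" else name.lower()
        if not name.endswith("."):
            name = f"{name}.{origin}"
        rrsets[(name, rtype.upper())][" ".join(parts[4:])] = int(ttl)
    return rrsets

def audit(old_text, new_text, origin):
    """Return (finding, name, type, detail) tuples for the new provider's zone."""
    old, new = parse_zone(old_text, origin), parse_zone(new_text, origin)
    findings = []
    for name, rtype in sorted(set(old) | set(new)):
        if name == origin and rtype in ("NS", "SOA"):
            continue  # apex NS/SOA legitimately differ between providers
        o, n = old.get((name, rtype), {}), new.get((name, rtype), {})
        findings += [("MISSING_IN_NEW", name, rtype, r) for r in sorted(set(o) - set(n))]
        findings += [("EXTRA_IN_NEW", name, rtype, r) for r in sorted(set(n) - set(o))]
    for (name, rtype), rrs in sorted(new.items()):
        if name == origin and rtype == "CNAME":
            findings.append(("APEX_CNAME", name, rtype, next(iter(rrs))))
        findings += [("TTL_TOO_HIGH", name, rtype, str(t))
                     for t in sorted(set(rrs.values())) if t > MIGRATION_MAX_TTL]
    return findings

# Constructed sample exports (documentation names and addresses only).
OLD_ZONE = """@    300 IN NS  ns1.old.example.
@    300 IN A   192.0.2.10
www  300 IN A   192.0.2.10
@    300 IN MX  10 mail.example.com.
mail 300 IN A   192.0.2.25
@    300 IN TXT "v=spf1 mx -all\""""
NEW_ZONE = """@    120  IN NS ns1.new.example.
@    120  IN A  192.0.2.10
www  3600 IN A  192.0.2.10
@    120  IN MX 10 mail.example.com.
mail 120  IN A  192.0.2.52"""
```

Calling `audit(OLD_ZONE, NEW_ZONE, "example.com.")` on the sample data reports the dropped SPF record, the mistyped mail address and the `www` record whose TTL was left at 3600.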
#7
Want a sample 2-week migration checklist? I can draft a concrete plan with a rollback window and DS/key rollover steps tailored to your domain.
Reply

