Registrar-specific Instructions

The output of terraform/dns contains nameservers that you must add to your domain registration. To update the nameservers for a domain registration, follow the instructions at your registrar. The procedure will be different for each registrar. Here’s a partial list:

It can take up to a day for your changes to become active, though experience suggests that it often is complete after only a few minutes. You can check whether your changes have been implemented by looking up your domain in the whois database.

If DNSSEC is enabled: the registration also carries a DS record

When DNSSEC is enabled for a domain, its registration holds a second piece of state besides the nameservers: the DS record (or, at registrars like Route 53 Registered Domains, the public key the registry derives the DS from). The two must stay consistent. In particular, never point a registration that still carries a DS record at a zone that does not serve signed responses - for example, a freshly re-created zone after an environment teardown and re-bootstrap. Validating resolvers will SERVFAIL the domain until the DS is removed and caches expire. Before re-delegating nameservers to a new zone, or tearing an environment down, run the DNSSEC disable procedure in docs/dnssec.md first: remove the DS at the registrar, wait out the caches, then stop signing.

Note also that the registrar console may live in a different AWS account than the environment whose zones it delegates to; the nameservers and DS values transfer by copy-paste either way.