Looking to chat with sysadmins who’ve survived DNS / registrar migrations
Posted by mrc8912@reddit | sysadmin | 17 comments
Hey everyone — we’re building a tool that automates registrar and DNS migrations (think multi-registry to Cloudflare + email/DNSSEC cleanups). We’re currently interviewing folks who’ve gone through the pain of:
- Moving DNS zones manually
- Dealing with domain sprawl post-M&A
- Chasing down internal owners for registrar access
- Getting SPF/DKIM/DMARC actually working
If you’ve done this and have 15 minutes to share what worked (or what broke), we’d really appreciate it.
No pitch. Just learning from the experts.
💬 DM for the link or comment below — happy to send a small thank-you.
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do not expressly advertise your product.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
bjc1960@reddit
We have bought 8 companies. The biggest challenge is finding out who has the DNS account. It is often someone's relative who "knows about computers." Overall the work is not hard.
BlackV@reddit
why do you think it's gonna happen?
Your SPF/DMARC/DKIM should already be working and is not relevant to the move. If it's not working now, either fix it first and delay the move, or move it all first and delay the fix (I'd likely do the latter, as Cloudflare has an API for bulk changes).
Don't make ALL your changes at once, there's 0 that needs to be rushed here, you can take weeks.
d0m1x@reddit
Totally agree this works for smaller setups, but how would you handle it at scale? Say you’re dealing with 1,000+ domains across an org with 100+ business units, all wanting to create and manage their own DNS records. Curious how you'd keep that under control without chaos or bottlenecks.
Unexpected_Cranberry@reddit
Any organization I've ever been in, the answer to a business unit wanting to manage dns has always been "No".
Sometimes marketing pushes back a bit because their consultants insist they need to do it because IT are too slow or incompetent. I opted to not stand my ground on that once early in my career. The result was the consultant broke our SPF record and then marketing raised a ruckus wanting us to "disable the firewall because the consultant says it's breaking things". Turned out he had put an internal IP in the public DNS and expected that to work.
So while you can't stop business units from breaking out the credit card and registering bananahammock.com for their latest campaign, if they do, they're on their own. Not my circus, not my monkeys. IT controls any and all official domains for the company though, and you update it by sending in a ticket. Letting non-IT business units anywhere near DNS is a bad idea.
Adam_Kearn@reddit
I only work with Office 365 and I've always found DKIM to be really easy to set up. It's just a toggle switch and copying the value into the DNS record.
With DMARC it's exactly the same string I use every time; the only bit that changes is the mailbox address. I first create a shared mailbox called DMARC@domain.com. If they have multiple domains I also add aliases to this mailbox to support those domains too. Then you can hide the mailbox from the GAL.
SPF is the only difficult one. Have a chat with the customer and find out what email services they use, such as sending out large-scale emails using Mailchimp etc.
=========
Personally I prefer using Cloudflare as it's really good for managing within a team and has loads of advanced features.
On your own company domain I would recommend creating two NS records and pointing them to the dedicated Cloudflare nameservers that are assigned to you.
Customers that want to keep ownership of their domain can just update their nameserver records to point to yourselves, and within Cloudflare you can add the site and manage the DNS from there.
Customers that want to fully migrate over to you, you can just transfer the domain in.
Most of the time cloudflare can pick up all the DNS records but I would always give it a once over and verify that all DNS records copied over correctly.
whiskyfles@reddit
Sure, what do you want to know? I work in hosting, this is (almost) dailyroutine.
d0m1x@reddit
Do you have custom tooling built around managing DNS and registrars? Do you provide a web interface or API for your customers, or do you typically handle their requests via email?
whiskyfles@reddit
Yes. We have our own nameservers, so all our internal tooling is built around that. Our nameservers run on PowerDNS. We make use of several registrars; some of them have an API available, so that's automated. Some 'funky' domains have to be registered manually, since they involve documents, identification etc.
Yes. Customers can log in to our portal. From there they can manage the DNS records.
To get SPF, DMARC and DKIM to work, you have to understand how they work.
SPF: A list of mail servers that are authorized to send mail from your domain(s).
DKIM: Consists of a public and private key. The public key is the one you add to your DNS. This ensures that mails are signed and the receiving server is able to validate whether the mail is really from the right origin.
DMARC: This basically tells where reports are sent to and how they're handled. This also checks, for example, if incoming mail is from the right origin (DKIM/SPF checks). You can also tell with DMARC what to do if DKIM fails: quarantine, reject or nothing.
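To make the SPF and DMARC description above concrete, here is an added example (not code from anyone in this thread, and not a hosting panel's own logic) that evaluates a sending IP against an SPF record, counts DNS-querying terms against the ten-lookup limit, flags RFC 1918 addresses in `ip4:` terms, and parses a DMARC policy. It also covers the "default SPF with an include for our own mail service and ~all" pattern mentioned later in the thread. The `TXT` dict is a constructed stand-in for DNS so the code runs offline; `_spf.hoster.example` and the `example.com` records are invented sample data.

```python
"""Added example (not from the thread): offline SPF evaluation and DMARC parsing."""
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real tool would resolve these.
TXT = {
    "example.com.": "v=spf1 ip4:203.0.113.25 include:_spf.hoster.example ~all",
    "_spf.hoster.example.": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "_dmarc.example.com.": ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
                            "ruf=mailto:dmarc@example.com; adkim=r; aspf=r"),
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten DNS-querying terms is a permerror
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _txt(name, txt):
    return txt.get(name.rstrip(".") + ".")


def check_spf(domain, ip, txt=TXT, counter=None):
    """Evaluate sender ip against domain's SPF record: pass/fail/softfail/neutral/none/permerror.

    Supports ip4, ip6, include and all with all four qualifiers. a/mx/ptr/exists
    count towards the lookup limit but are treated as no-match because there is
    no live DNS in this offline example.
    """
    counter = [0] if counter is None else counter   # shared across include recursion
    addr = ipaddress.ip_address(ip)
    record = _txt(domain, txt)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIER[qual]
        elif name in ("include", "a", "mx", "ptr", "exists"):
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
            if name == "include":
                sub = check_spf(arg, ip, txt, counter)
                if sub == "pass":
                    return QUALIFIER[qual]
                if sub in ("none", "permerror"):   # included domain has no usable record
                    return "permerror"
        # modifiers (redirect=, exp=) and unknown terms are skipped in this example
    return "neutral"   # no "all" term and nothing matched


def internal_ips_in_spf(record):
    """ip4: terms in RFC 1918 space; they can never match a sender on the public internet."""
    bad = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("ip4:"):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                continue
            if net.version == 4 and any(net.subnet_of(p) for p in INTERNAL):
                bad.append(mech[4:])
    return bad


def parse_dmarc(domain, txt=TXT):
    """Return the DMARC tags for domain as a dict, or None if there is no valid policy."""
    record = _txt(f"_dmarc.{domain.rstrip('.')}", txt)
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "2001:db8:10::5", "192.0.2.9"):
        print(ip, check_spf("example.com", ip))
    print(internal_ips_in_spf("v=spf1 ip4:10.1.2.3 ip4:203.0.113.25 -all"))
    print(parse_dmarc("example.com"))
```

The recursion shares one counter because the ten-lookup limit applies to the whole evaluation, not per record; a long include chain (a common result of bolting on every marketing SaaS the business buys) produces `permerror`, which receivers treat as "no SPF at all".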
d0m1x@reddit
Thanks, super helpful. Just to make sure I understand: your users are fully in control of their zones, so they need to understand the basics (like what you explained about SPF).
A few quick questions:
v=spf1 -all
, or is that left to them?
Really appreciate your time, this is exactly the kind of detail we're hoping to learn from.
whiskyfles@reddit
Yes, no problem! :) These things are generally a little bit unknown if you're not working in hosting, glad I can help.
We also add a default SPF record, which has an include for our own mail service and a ~all. Most customers choose our mail service, but if they have a mail service elsewhere we are happy to assist with setting up the right SPF record.
Really depends. We have bigger customers with up to 1000 domains, but also people with, let's say, 5.
We expose our own API as well; customers can automate tools around our panel, which greatly helps. Some customers even combine this with e.g. the API of DirectAdmin, or another panel, and have their own internal tooling to automate everything. Really cool to see.
Depends. Each TLD has their own regulation/rules. Sometimes we can be the technical contact handle, but most of the time this has to be the person who ordered the domain. These involve a lot of steps like requesting documents, which we have to ask our customer. The registrar we use for that, has some defaults for us. So when the domain is 'ready', it already has the nameservers set to ours. We basically get a confirmation and our zone is active.
--
Please let me know if you have any other questions!
titlrequired@reddit
What if the source registrar doesn’t have an API?
d0m1x@reddit
Great question, we’ve run into this too. A lot of registrars are stuck in the past, so we’re designing around manual exports, scraping, and email-based workflows where needed. Would love to hear how you’ve handled this in the past, DM me or u/mrc8912 if you're up for a quick 15-min chat.
BlackV@reddit
log a ticket with their helpdesk, I would like an export of my zone please
titlrequired@reddit
Am I going to get stock?
mrc8912@reddit (OP)
Maybe not stock but we'll definitely invite you for a couple of Starbucks coffees!