Forum Discussion

T0nyP
May 30, 2022

Change of SOA in DNS Registrar

Hi F5 Community,

We would like to seek your experience if you have already encountered this migration scenario.

Questions:
We would like to know how we can successfully transfer the DNS Zone SOA to our F5 Listener?

Description:
Currently the DNS zone ( ex. xyz.com ) SOA is a "Public ISP External DNS" defined in DNS Registrar.

Then what we did is we manually created the DNS zone records in our F5 GTM ( with Public IP Listener ).
Note: We don't enable zone sync/transfer from "Public ISP External DNS" to "F5 Listener IP".

A. Based on this, can we just add our F5 Listener IP as 3rd NS ( nameserver ) just to test if DNS request (prod traffic) in the DNS domain registrar will resolve?

OR

B. Do we need to totally remove the SOA NameServer and change it to the F5 Listener IP and Hostname? If we do this, is it possible that this will be propagated immediately? Would there be any effect on the DNS Zone File Serial Number currently cached on other DNS Servers?

Thank you in advance.

3 Replies

  • Hi Tony, 

    I'd say that option A should be fine. The serial number is mainly of importance between Primary and Secondary nodes to tell the secondary nodes whether they need to update their records from the Primary. Do keep in mind that if you have multiple Primaries in your DNS system without synchronization between them, you will also work with multiple versions of the zone database and you may not want to work with that for too long. 

    Another option you can try though; Once you have the listener IP exposed to the outside world, run "nslookup" or "dig" commands to confirm that you get all the information you were looking for. Even though the service will be live, no live traffic will know about it yet. Once you feel more comfortable, it will be easier to switch over to the new system. 

    Regarding the time it takes to propagate the changes throughout the DNS infrastructure, it depends on how long the records can be cached on intermediate systems. Have a look at the TTL values in your Public registrar to get an idea of that. If the TTLs were set to a long time (e.g. 1 hour or 24 hours), you could also temporarily reduce the TTL beforehand to speed up the switchover when it is time for it. 

    Lastly, if you go for option A and add the F5's listener IP as a 3rd NS to the records, be aware that it is normally up to client/LDNS to decide which one of the three it actually picks and as such it's hard to predict how much traffic will actually hit the F5 listener IP once added.

    There is a lot to keep in mind though when it comes to DNS due to its intricate communication between systems. If in doubt, I'd recommend letting someone have a good look over the full DNS infrastructure and then decide on a migration plan. 

    Hope this helps. 
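The verification step suggested above (querying each nameserver with dig and comparing what comes back), as an added example that is not part of this thread or of any F5 tooling: a Python script that parses `dig +noall +answer` output from the old ISP server and the F5 listener, then flags SOA serial mismatches between the two unsynchronised primaries, NS sets that differ, and TTLs that would slow the cutover. The server names, records and the 3600 s TTL threshold are constructed sample values.

```python
import re

# Constructed sample `dig +noall +answer` output per server (made-up names/values).
DIG_OUTPUT = {
    "ns1.isp.example": (
        "xyz.com. 86400 IN SOA ns1.isp.example. hostmaster.xyz.com. 2022053001 7200 900 1209600 3600\n"
        "xyz.com. 86400 IN NS ns1.isp.example.\n"
        "xyz.com. 86400 IN NS ns2.isp.example.\n"
    ),
    "gtm.xyz.example": (
        "xyz.com. 300 IN SOA gtm.xyz.example. hostmaster.xyz.com. 2022053003 3600 600 604800 300\n"
        "xyz.com. 300 IN NS ns1.isp.example.\n"
        "xyz.com. 300 IN NS ns2.isp.example.\n"
        "xyz.com. 300 IN NS gtm.xyz.example.\n"
    ),
}
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(SOA|NS)\s+(.+)$")
MAX_TTL = 3600  # assumed threshold: anything longer delays the switchover

def parse_answer(text):
    """Extract (mname, serial, ttl) from the SOA record and the set of NS names."""
    soa, ns = None, set()
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # comments and record types we do not compare
        ttl, rtype, rdata = int(m.group(2)), m.group(3), m.group(4).split()
        if rtype == "SOA":
            soa = (rdata[0], int(rdata[2]), ttl)  # MNAME, SERIAL, record TTL
        else:
            ns.add(rdata[0])
    return {"soa": soa, "ns": ns}

def compare_servers(outputs):
    """Return findings describing how the servers' views of the zone diverge."""
    views = {srv: parse_answer(txt) for srv, txt in outputs.items()}
    findings = []
    serials = {srv: v["soa"][1] for srv, v in views.items() if v["soa"]}
    if len(set(serials.values())) > 1:  # two primaries with no sync between them
        findings.append("serial mismatch: " + ", ".join(
            f"{s}={n}" for s, n in sorted(serials.items())))
    if len({frozenset(v["ns"]) for v in views.values()}) > 1:
        findings.append("NS set differs between servers")
    for srv, v in views.items():
        if v["soa"] and v["soa"][2] > MAX_TTL:
            findings.append(f"{srv}: SOA TTL {v['soa'][2]}s; lower it before cutover")
    return findings

if __name__ == "__main__":
    print("\n".join(compare_servers(DIG_OUTPUT)))
```

Run it once before adding the listener as a third NS and again after each registrar change; an empty result means every server answers with the same serial and NS set.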

    • T0nyP

      Thank you for your reply.

      If we will do A.

      Does this mean that even if, in the DNS Registrar portal, we add an NS Server ( F5 IP Listener ), there will be no effect on the SOA record, since once the DNS traffic is received at our F5 Listener IP and the SOA indicated in the zone file of the F5 is itself, it will now process the DNS traffic?

      "Do keep in mind that if you have multiple Primaries in your DNS system without synchronization between them, you will also work with multiple versions of the zone database and you may not want to work with that for too long. " 

      Answer: After a stability period, let's say 1 or 3 days, we will remove the previous NS Server defined in the DNS Registrar and retain the F5 Listener IP. Would this be ok?

      • AlexBCT

        >> Does this mean that even if, in the DNS Registrar portal, we add an NS Server ( F5 IP Listener ), there will be no effect on the SOA record, since once the DNS traffic is received at our F5 Listener IP and the SOA indicated in the zone file of the F5 is itself, it will now process the DNS traffic?

        Yes, indeed.

        Just to double-check, you are not working with DNSSEC? As that will have further implications. 

        >> Answer: After a stability period, let's say 1 or 3 days, we will remove the previous NS Server defined in the DNS Registrar and retain the F5 Listener IP. Would this be ok?

        Yes, sounds like a good plan. Once you get to that point, you can also remove the previous NS servers one at a time. Wait a few days (this should mean that more traffic goes to the F5 DNS), then remove the last old one. This gives you more time to fine-tune the system.