First Route53 Setup
Setup
The first Route 53 hosted zone is the moment authoritative DNS moves from the registrar's defaults to AWS. Four steps land you in a working state: create the zone, point the registrar at the AWS name servers, populate the apex and www records, scope IAM tightly. The patterns transfer to any DNS provider; getting the first zone right means subsequent zones cost minutes, not afternoons.
- Create hosted zone. One zone per domain. AWS issues four name servers; update them at the registrar so AWS becomes authoritative.
- Initial records. A and AAAA at the apex, CNAME or ALIAS for www. Pick the record type once and leave it alone.
- TTLs matched to change frequency. 300s during rollout, 3600s+ once stable. Long TTLs cache better; short TTLs allow faster cutover.
- Per-zone IAM scope. One IAM policy per zone for record updates. Blast radius of a leaked credential stays inside one domain.
Common record types
Each record type does one job. Get the type right and DNS just works; pick wrong and you spend an afternoon debugging a CNAME-at-apex error or a missing AAAA.
- A and AAAA. IPv4 and IPv6 addresses respectively. Modern stacks ship both for dual-stack support.
- CNAME. Alias to another domain name. Cannot live at the zone apex; use an ALIAS record there instead.
- ALIAS. AWS-specific record that points at CloudFront, ELB, or an S3 website. Works at the apex, and queries to alias records that target AWS resources are not charged.
- MX plus TXT. MX for mail routing; TXT for SPF, DKIM, and domain-verification challenges.
Routing policies
Routing policies are where Route 53 earns its keep. Simple records cover most static services; weighted, latency-based, failover, and geolocation are the building blocks of canaries, global active-active, and DR cutover.
- Simple. One record, one target. Default for static services where one IP is enough.
- Weighted. Distribute traffic by weight. Powers canary rollouts (5/95) and blue/green flips (100/0 to 0/100).
- Latency-based. Routes each query to the lowest-latency region. Standard pattern for global active-active.
- Failover plus geolocation. Failover gives primary/secondary with health checks for DR; geolocation routes by country to match data-residency requirements.
Operating
DNS is invisible when it works and painful when it doesn't. Operate the zone like a tier-1 dependency: cryptographic validation on sensitive zones, health checks wired to failover, scheduled audits to catch drift.
- DNSSEC on sensitive zones. Cryptographic origin validation prevents spoofing. Required for any zone that fronts auth or payments.
- Health checks for failover routing. Per-endpoint reachability checks drive the failover policy. Without them, failover is a manual page.
- Quarterly stale-record audit. A scheduled sweep catches unused zones and orphaned records. Reduces the blast radius of forgotten subdomains.
- Per-zone change log. Audit trail of every record change with author and reason. Investigation has the breadcrumbs it needs.
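The record-type, routing-policy and health-check rules above, folded into a pre-submit lint for a Route 53 ChangeBatch (an added example, not AWS or Route 53 code; the zone name, IPs, hosted zone ID and SetIdentifier strings are constructed):

```python
# Added example (not AWS code): lint the ChangeBatch dict handed to
# change_resource_record_sets against the rules on this page before it
# reaches the zone. All names and values below are constructed samples.

ZONE_NAME = "example.com."          # Route 53 names carry a trailing dot
ROLLOUT_TTL_CAP = 300               # rollout phase; raise to 3600+ once stable
POLICY_KEYS = ("Weight", "Failover", "Region", "GeoLocation")

def lint_change_batch(batch, zone_name=ZONE_NAME, rollout=True):
    """Return a list of findings; an empty list means the batch is safe to submit."""
    findings = []
    seen = set()                                    # (name, type) pairs in the batch
    for change in batch.get("Changes", []):
        rr = change["ResourceRecordSet"]
        name, rtype = rr["Name"], rr["Type"]
        seen.add((name, rtype))
        is_alias = "AliasTarget" in rr
        # CNAME is forbidden at the apex; an alias A/AAAA record does that job
        if rtype == "CNAME" and name == zone_name:
            findings.append(f"{name}: CNAME at zone apex, use an alias record")
        # Alias records carry no TTL; every other record obeys the rollout cap
        if not is_alias and rollout and rr.get("TTL", 0) > ROLLOUT_TTL_CAP:
            findings.append(f"{name} {rtype}: TTL {rr['TTL']} above rollout cap {ROLLOUT_TTL_CAP}")
        # Any non-simple routing policy needs a SetIdentifier to name the set
        if any(k in rr for k in POLICY_KEYS) and "SetIdentifier" not in rr:
            findings.append(f"{name} {rtype}: routing policy without SetIdentifier")
        # A PRIMARY failover record with no health signal never fails over on its own
        if (rr.get("Failover") == "PRIMARY" and "HealthCheckId" not in rr
                and not rr.get("AliasTarget", {}).get("EvaluateTargetHealth")):
            findings.append(f"{name} {rtype}: PRIMARY failover record has no HealthCheckId")
    # Dual-stack: every A name in the batch should have an AAAA partner
    for name, rtype in sorted(seen):
        if rtype == "A" and (name, "AAAA") not in seen:
            findings.append(f"{name}: A record without AAAA, not dual-stack")
    return findings

# Constructed batch that breaks several rules on purpose
SAMPLE_BATCH = {"Changes": [
    {"Action": "UPSERT", "ResourceRecordSet": {"Name": "example.com.", "Type": "CNAME",
        "TTL": 3600, "ResourceRecords": [{"Value": "d111.cloudfront.net."}]}},
    {"Action": "UPSERT", "ResourceRecordSet": {"Name": "www.example.com.", "Type": "A",
        "TTL": 60, "Weight": 5, "ResourceRecords": [{"Value": "192.0.2.10"}]}},
    {"Action": "UPSERT", "ResourceRecordSet": {"Name": "api.example.com.", "Type": "A",
        "TTL": 60, "SetIdentifier": "primary", "Failover": "PRIMARY",
        "ResourceRecords": [{"Value": "192.0.2.20"}]}},
]}

if __name__ == "__main__":
    for line in lint_change_batch(SAMPLE_BATCH):
        print(line)
```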