Amazon Route 53 Developer Guide
User Manual:
Open the PDF directly: View PDF .
Page Count: 333
Download | |
Open PDF In Browser | View PDF |
Amazon Route 53 Developer Guide API Version 2013-04-01 Amazon Route 53 Developer Guide Amazon Route 53: Developer Guide Copyright © 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. Amazon Route 53 Developer Guide Table of Contents What Is Amazon Route 53? ............................................................................................................. 1 Domain Registration .............................................................................................................. 1 DNS Service ........................................................................................................................ 1 Health Checking .................................................................................................................... 2 DNS Domain Name Format ..................................................................................................... 2 Formatting Domain Names for Domain Name Registration ................................................... 2 Formatting Domain Names for Hosted Zones and Resource Record Sets ................................ 3 Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets ...................... 3 Formatting Internationalized Domain Names ...................................................................... 4 Supported DNS Resource Record Types ................................................................................... 4 A Format ..................................................................................................................... 5 AAAA Format ............................................................................................................... 5 CNAME Format ............................................................................................................ 5 MX Format ................................................................................................................... 6 NS Format ................................................................................................................... 6 PTR Format ................................................................................................................. 6 SOA Format ................................................................................................................. 7 SPF Format .................................................................................................................. 7 SRV Format ................................................................................................................. 7 TXT Format .................................................................................................................. 8 IP Address Ranges of Amazon Route 53 Servers ....................................................................... 8 DNS Constraints and Behaviors ............................................................................................... 8 Maximum Response Size ............................................................................................... 8 Authoritative Section Processing ...................................................................................... 8 Additional Section Processing .......................................................................................... 9 Amazon Route 53 Pricing ....................................................................................................... 9 AWS Identity and Access Management ..................................................................................... 9 Getting Started ............................................................................................................................ 10 The Amazon Route 53 Console .............................................................................................. 10 The Amazon Route 53 API .................................................................................................... 11 AWS SDKs that Support Amazon Route 53 .............................................................................. 11 AWS Command Line Interface Support for Amazon Route 53 ...................................................... 11 AWS Tools for Windows PowerShell Support for Amazon Route 53 ............................................... 12 Registering Domain Names Using Amazon Route 53 ......................................................................... 13 Registering and Updating Domains ......................................................................................... 14 Registering a New Domain ............................................................................................ 14 Values that You Specify When You Register a Domain or Edit Domain Settings ....................... 16 Values that Amazon Route 53 Returns When You Register or Update a Domain ..................... 19 Viewing the Status of a Domain Registration .................................................................... 20 Adding Resource Record Sets for a New Domain .............................................................. 20 Editing Contact Information and Other Settings for a Domain ............................................... 20 Adding or Changing Name Servers and Adding or Changing Glue Records ........................... 22 Privacy Protection for Contact Information ................................................................................ 22 Renewing Registration for a Domain ....................................................................................... 23 Renewing or Restoring an Expired Domain ...................................................................... 25 Extending the Registration Period for a Domain ......................................................................... 26 Transferring Domains ........................................................................................................... 27 Transferring Domain Registration to Amazon Route 53 ....................................................... 27 Viewing the Status of a Domain Transfer .......................................................................... 30 How Transferring a Domain to Amazon Route 53 Affects the Expiration Date .......................... 32 Transferring a Domain to a Different AWS Account ............................................................ 32 Transferring a Domain from Amazon Route 53 .................................................................. 33 Configuring DNSSEC for a Domain ......................................................................................... 35 Overview of How DNSSEC Protects Your Domain .............................................................. 36 Prerequisites and Limits for Configuring DNSSEC for a Domain ........................................... 37 API Version 2013-04-01 iii Amazon Route 53 Developer Guide Adding Public Keys for a Domain .................................................................................... 37 Deleting Public Keys for a Domain .................................................................................. 38 Getting a Domain Name Unsuspended .................................................................................... 39 Deleting a Domain Name Registration ..................................................................................... 40 Downloading a Domain Billing Report ...................................................................................... 40 Domains that You Can Register with Amazon Route 53 .............................................................. 41 Generic Top-Level Domains ........................................................................................... 41 Geographic Domains .................................................................................................. 122 Configuring Amazon Route 53 as Your DNS Service ........................................................................ 141 Migrating DNS Service for an Existing Domain to Amazon Route 53 ........................................... 141 Creating a Hosted Zone .............................................................................................. 142 Getting Your Current DNS Configuration from Your DNS Service Provider ............................ 142 Creating Resource Record Sets ................................................................................... 143 Checking the Status of Your Changes (API Only) ............................................................. 143 Updating Your Registrar's Name Servers ........................................................................ 143 Waiting for Your Changes to Take Effect ......................................................................... 144 Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain ............................................................................................................................ 145 Creating a Hosted Zone for the New Subdomain ............................................................. 145 Creating Resource Record Sets ................................................................................... 146 Checking the Status of Your Changes (API Only) ............................................................. 146 Updating Your DNS Service with Name Server Records for the Subdomain .......................... 146 Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain ............................................................................................................................ 147 Creating a Hosted Zone for the Subdomain .................................................................... 147 Getting Your Current DNS Configuration from Your DNS Service Provider ............................ 148 Creating Resource Record Sets ................................................................................... 148 Checking the Status of Your Changes (API Only) ............................................................. 148 Updating Your DNS Service with Name Server Records for the Subdomain .......................... 149 Routing Traffic to AWS Resources ................................................................................................. 151 Routing Traffic to an Amazon CloudFront Distribution (Public Hosted Zones Only) ......................... 151 Routing Traffic to an AWS Elastic Beanstalk Environment .......................................................... 152 Deploying an Application into an Elastic Beanstalk Environment ......................................... 153 Getting the Domain Name for Your Elastic Beanstalk Environment ...................................... 153 Creating an Amazon Route 53 Resource Record Set ....................................................... 153 Routing Traffic to an Elastic Load Balancing Load Balancer ....................................................... 155 Routing Traffic to an Amazon EC2 Instance ............................................................................ 156 Routing Traffic to a Website That Is Hosted in an Amazon S3 Bucket ........................................... 156 Opening Connections to an Amazon RDS Database Instance Using Your Domain Name ................ 157 Prerequisites ............................................................................................................. 157 Configuring Amazon Route 53 So You Can Use Your Domain Name to Open Connections ...... 157 Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) ................................................ 159 Working with Public Hosted Zones ................................................................................................ 162 Creating a Public Hosted Zone ............................................................................................. 162 Getting the Name Servers for a Public Hosted Zone ................................................................. 163 Listing Public Hosted Zones ................................................................................................. 164 Deleting a Public Hosted Zone ............................................................................................. 164 Configuring White Label Name Servers .................................................................................. 165 NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone ........ 169 The Name Server (NS) Resource Record Set ................................................................. 169 The Start of Authority (SOA) Resource Record Set .......................................................... 170 Working with Private Hosted Zones ............................................................................................... 171 Creating a Private Hosted Zone ............................................................................................ 172 Listing Private Hosted Zones ................................................................................................ 174 Associating More Amazon VPCs with a Private Hosted Zone ..................................................... 174 Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts .......................................................................................................................... 175 Disassociating Amazon VPCs from a Private Hosted Zone ........................................................ 176 API Version 2013-04-01 iv Amazon Route 53 Developer Guide Deleting a Private Hosted Zone ............................................................................................ Working with Resource Record Sets ............................................................................................. Choosing a Routing Policy ................................................................................................... Weighted Routing ...................................................................................................... Latency-Based Routing ............................................................................................... Geolocation Routing ................................................................................................... Choosing Between Alias and Non-Alias Resource Record Sets .................................................. Creating Resource Record Sets by Using the Amazon Route 53 Console .................................... Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets ............ Values for Basic Resource Record Sets ......................................................................... Values for Weighted Resource Record Sets .................................................................... Values for Alias Resource Record Sets .......................................................................... Values for Weighted Alias Resource Record Sets ............................................................ Values for Latency Resource Record Sets ...................................................................... Values for Latency Alias Resource Record Sets .............................................................. Values for Failover Resource Record Sets ...................................................................... Values for Failover Alias Resource Record Sets .............................................................. Values for Geolocation Resource Record Sets ................................................................ Values for Geolocation Alias Resource Record Sets ......................................................... Creating Resource Record Sets By Importing a Zone File ......................................................... Editing Resource Record Sets .............................................................................................. Deleting Resource Record Sets ............................................................................................ Listing Resource Record Sets .............................................................................................. Using Traffic Flow to Route DNS Traffic .......................................................................................... Creating and Managing Traffic Policies ................................................................................... Creating a Traffic Policy ............................................................................................... Values that You Specify When You Create a Traffic Policy .................................................. Creating Additional Versions of a Traffic Policy ................................................................. Creating a Traffic Policy by Importing a JSON Document ................................................... Viewing Traffic Policy Versions and the Associated Policy Records ...................................... Deleting Traffic Policy Versions and Traffic Policies ........................................................... Creating and Managing Policy Records .................................................................................. Creating Policy Records .............................................................................................. Values that You Specify When You Create or Update a Policy Record .................................. Updating Policy Records ............................................................................................. Deleting Policy Records .............................................................................................. Health Checks and DNS Failover .................................................................................................. Creating, Updating, and Deleting Health Checks ..................................................................... Creating and Updating Health Checks ........................................................................... Deleting Health Checks ............................................................................................... Updating or Deleting Health Checks when DNS Failover Is Configured ................................ Configuring Router and Firewall Rules for Amazon Route 53 Health Checks ......................... How Amazon Route 53 Determines Whether an Endpoint Is Healthy ................................... Monitoring Health Check Status and Getting Notifications ......................................................... Viewing Health Check Status and the Reason for Health Check Failures .............................. Monitoring the Latency Between Health Checkers and Your Endpoint .................................. Monitoring Health Checks Using CloudWatch ................................................................. Configuring DNS Failover .................................................................................................... How Health Checks Work in Simple Amazon Route 53 Configurations ................................. How Health Checks Work in Complex Amazon Route 53 Configurations .............................. Task List for Configuring DNS Failover ........................................................................... Configuring Failover in a Private Hosted Zone ................................................................. Options for Configuring Amazon Route 53 Active-Active and Active-Passive Failover ............. How Amazon Route 53 Averts Failover Problems ............................................................. Naming and Tagging Health Checks ...................................................................................... Tag Restrictions ......................................................................................................... Adding, Editing, and Deleting Tags for Health Checks ....................................................... Using API Versions Before 2012-12-12 .................................................................................. API Version 2013-04-01 v 177 178 179 179 180 181 182 184 186 186 189 192 196 202 206 212 215 220 224 230 232 232 233 234 235 235 236 238 239 240 241 242 242 243 243 244 245 245 246 253 253 254 254 255 255 256 257 261 262 264 269 270 271 274 275 275 275 276 Amazon Route 53 Developer Guide Authentication and Access Control ................................................................................................ Authentication ................................................................................................................... Access Control .................................................................................................................. Overview of Managing Access ............................................................................................. ARNs for Amazon Route 53 Resources ......................................................................... Understanding Resource Ownership ............................................................................. Managing Access to Resources .................................................................................... Specifying Policy Elements: Resources, Actions, Effects, and Principals .............................. Specifying Conditions in a Policy ................................................................................... Using IAM Policies for Amazon Route 53 ................................................................................ Permissions Required to Use the Amazon Route 53 Console ............................................ AWS Managed (Predefined) Policies for Amazon Route 53 ................................................ Customer Managed Policy Examples ............................................................................. Amazon Route 53 API Permissions Reference ........................................................................ Required Permissions for Actions on Public Hosted Zones ................................................ Required Permissions for Actions on Private Hosted Zones ............................................... Required Permissions for Actions on Reusable Delegation Sets ......................................... Required Permissions for Actions on Resource Record Sets .............................................. Required Permissions for Actions on Traffic Policies ......................................................... Required Permissions for Actions on Traffic Policy Instances .............................................. Required Permissions for Actions on Health Checks ......................................................... Required Permissions for Actions on Domain Registrations ............................................... Required Permissions for Actions on Tags for Hosted Zones and Health Checks ................... Required Permissions for Actions on Tags for Domains ..................................................... Capturing API Requests with CloudTrail ......................................................................................... Configuring CloudTrail for Amazon Route 53 ........................................................................... Amazon Route 53 Information in CloudTrail Log Files ............................................................... Understanding Amazon Route 53 Log File Entries ................................................................... Tagging Amazon Route 53 Resources ........................................................................................... Tutorials ................................................................................................................................... Transitioning to Latency-Based Routing in Amazon Route 53 ..................................................... Adding Another Region to Your Latency-Based Routing in Amazon Route 53 ................................ Using Latency and Weighted Resource Record Sets in Amazon Route 53 to Route Traffic to Multiple Amazon EC2 Instances in a Region ...................................................................................... Managing Over 100 Weighted Resource Record Sets in Amazon Route 53 .................................. Weighting Fault-Tolerant Multi-Record Answers in Amazon Route 53 .......................................... Limits ....................................................................................................................................... Limits on API Requests ....................................................................................................... Limits on Entities ................................................................................................................ Resources ................................................................................................................................ AWS Resources ................................................................................................................ Third-Party Tools and Libraries ............................................................................................. Graphical User Interfaces .................................................................................................... Document History ...................................................................................................................... AWS Glossary ........................................................................................................................... API Version 2013-04-01 vi 277 277 278 279 279 280 280 282 282 283 284 286 286 288 289 290 290 291 291 292 293 293 295 295 296 296 297 297 302 303 303 305 306 307 307 309 309 310 311 311 312 313 314 327 Amazon Route 53 Developer Guide Domain Registration What Is Amazon Route 53? Amazon Route 53 performs three main functions: • Domain registration – Amazon Route 53 lets you register domain names such as example.com. • Domain Name System (DNS) service – Amazon Route 53 translates friendly domains names like www.example.com into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency. • Health checking – Amazon Route 53 sends automated requests over the Internet to your application to verify that it's reachable, available, and functional. You can use any combination of these functions. For example, you can use Amazon Route 53 as both your registrar and your DNS service, or you can use Amazon Route 53 as the DNS service for a domain that you registered with another domain registrar. Domain Registration If you want to create a website, you start by registering the name of your website, known as a domain name.Your domain name is the name, such as example.com, that your users enter in a browser to display your website. For more information, see Registering Domain Names Using Amazon Route 53 (p. 13). If you already registered a domain name with another registrar, you can optionally transfer the domain registration to Amazon Route 53. This isn't required to use Amazon Route 53 as your DNS service or to configure health checking for your resources. For more information, see Transferring Registration for a Domain to Amazon Route 53 (p. 27). Amazon Route 53 supports domain registration for a wide variety of generic top-level domains (such as .com or .org) and geographic top-level domains (such as .be or .us). For a complete list of supported top-level domains, see Domains that You Can Register with Amazon Route 53 (p. 41). DNS Service Amazon Route 53 is an authoritative DNS service, meaning that it routes Internet traffic to your website by translating friendly domain names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. When someone enters your domain name in a browser or sends you email, a DNS request is forwarded to the nearest Amazon Route 53 DNS server in a global API Version 2013-04-01 1 Amazon Route 53 Developer Guide Health Checking network of authoritative DNS servers. Amazon Route 53 responds with the IP address that you specified. For a list of the locations of Amazon Route 53 DNS servers, see The Amazon Route 53 Global Network section on the Amazon Route 53 Product Details page. If you register a new domain name with Amazon Route 53, we automatically configure Amazon Route 53 as the DNS service for the domain, and we create a hosted zone for your domain. You add resource record sets to the hosted zone, which define how you want Amazon Route 53 to respond to DNS queries for your domain—for example, with the IP address for a web server, the IP address for the nearest CloudFront edge location, or the IP address for an Elastic Load Balancing load balancer. For more information, see Working with Resource Record Sets (p. 178). If you registered your domain with another domain registrar, that registrar is likely providing the DNS service for your domain. You can transfer DNS service to Amazon Route 53, either with or without transferring registration for the domain. For information about transferring DNS service to Amazon Route 53, see Configuring Amazon Route 53 as Your DNS Service (p. 141). If you're using Amazon CloudFront, AWS Elastic Beanstalk, Elastic Load Balancing, or Amazon S3, you can configure Amazon Route 53 to route Internet traffic to those resources. There's no charge for the DNS queries that Amazon Route 53 routes to CloudFront, Elastic Beanstalk, Elastic Load Balancing, or Amazon S3. For information about routing queries to a variety of AWS resources, including Amazon EC2 instances, Amazon RDS databases, and Amazon WorkMail, see Routing Traffic to AWS Resources (p. 151). Health Checking Amazon Route 53 health checks monitor the health of your resources such as web servers and email servers. You can configure CloudWatch alarms for your health checks, so that you receive notification when a resource becomes unavailable. You can also configure Amazon Route 53 to route Internet traffic away from resources that are unavailable. For more information about using Amazon Route 53 to monitor the health of your resources, see Amazon Route 53 Health Checks and DNS Failover (p. 245). DNS Domain Name Format Domain names (including the names of domains, hosted zones, and resource record sets) consist of a series of labels separated by dots. Each label can be up to 63 bytes long. The total length of a domain name cannot exceed 255 bytes, including the dots. Amazon Route 53 supports any valid domain name. Naming requirements depend on whether you're registering a domain name or you're specifying the name of a hosted zone or a resource record set. See the applicable topic. Topics • Formatting Domain Names for Domain Name Registration (p. 2) • Formatting Domain Names for Hosted Zones and Resource Record Sets (p. 3) • Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3) • Formatting Internationalized Domain Names (p. 4) Formatting Domain Names for Domain Name Registration For domain name registration, a domain name can contain only the characters a-z, 0-9, and – (hyphen). You can't specify a hyphen at the beginning or end of a label. API Version 2013-04-01 2 Amazon Route 53 Developer Guide Formatting Domain Names for Hosted Zones and Resource Record Sets For information about how to register an internationalized domain name (IDN), see Formatting Internationalized Domain Names (p. 4). Formatting Domain Names for Hosted Zones and Resource Record Sets For hosted zones and resource record sets, the domain name can include any of the following printable ASCII characters (excluding spaces): • a-z • 0-9 • - (hyphen) • !"#$%&'()*+,-/:;<=>?@[\]^_`{|}~. Amazon Route 53 stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: as uppercase letters, lowercase letters, or the corresponding letters in escape codes. If your domain name contains any of the following characters, you must specify the characters by using escape codes in the format \three-digit octal code: • Characters 000 to 040 octal (0 to 32 decimal, 0x00 to 0x20 hexadecimal) • Characters 177 to 377 octal (127 to 255 decimal, 0x7F to 0xFF hexadecimal) • . (period), character 056 octal (46 decimal, 0x2E hexadecimal), when used as a character in a domain name. When using . as a delimiter between labels, you do not need to use an escape code. For example, to create a hosted zone for exämple.com, you specify ex\344mple.com. If the domain name includes any characters other than a to z, 0 to 9, - (hyphen), or _ (underscore), Amazon Route 53 API actions return the characters as escape codes.This is true whether you specify the characters as characters or as escape codes when you create the entity. The Amazon Route 53 console displays the characters as characters, not as escape codes. For a list of ASCII characters the corresponding octal codes, do an Internet search on "ascii table". To specify an internationalized domain name (IDN), convert the name to Punycode. For more information, see Formatting Internationalized Domain Names (p. 4). Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets You can create hosted zones that include * in the name. Note the following: • You can't include an * in the leftmost label in a domain name. For example, *.example.com is not allowed. • If you include * in other positions, DNS treats it as an * character (ASCII 42), not as a wildcard. You can also create resource record sets that include * in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. Note the following restrictions on using * as a wildcard in the name of resource record sets: • The * must replace the leftmost label in a domain name, for example, *.example.com. It can't replace any of the middle labels, for example, marketing.*.example.com. API Version 2013-04-01 3 Amazon Route 53 Developer Guide Formatting Internationalized Domain Names • The * must replace the entire label. For example, you can't specify *prod.example.com or prod*.example.com. • You can't use the * as a wildcard for resource records sets that have a type of NS. For resource record sets, if you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard. Formatting Internationalized Domain Names When you register a new domain name or create hosted zones and resource record sets, you can specify characters in other alphabets (for example, Cyrillic or Arabic) and characters in Chinese, Japanese, or Korean. Amazon Route 53 stores these internationalized domain names (IDNs) in Punycode, which represents Unicode characters as ASCII strings. The following example shows the Punycode representation of the internationalized domain name .asia: xn--fiqs8s.asia When you enter an IDN in the address bar of a modern browser, the browser converts it to Punycode before submitting a DNS query or making an HTTP request. How you enter an IDN depends on what you're creating (domain names, hosted zones, or resource record sets), and how you're creating it (API, SDK, or Amazon Route 53 console): • If you're using the Amazon Route 53 API or one of the AWS SDKs, you can programmatically convert a Unicode value to Punycode. For example, if you're using Java, you can convert a Unicode value to Punycode by using the toASCII method of the java.net.IDN library. • If you're using the Amazon Route 53 console to register a domain name, you can paste the name, including Unicode characters, into the name field, and the console converts the value to Punycode before saving it. • If you're using the Amazon Route 53 console to create hosted zones or resource record sets, you need to convert the domain name to Punycode before you enter the name in the applicable Name field. For information about online converters, perform an Internet search on "punycode converter". If you're registering a domain name, note that not all top-level domains (TLDs) support IDNs. For a list of TLDs supported by Amazon Route 53, see Domains that You Can Register with Amazon Route 53 (p. 41). TLDs that don't support IDNs are noted. Supported DNS Resource Record Types Amazon Route 53 supports the DNS resource record types that are listed in this section. Each record type also includes an example of how to format the Value element when you are accessing Amazon Route 53 using the API. Note For resource record types that include a domain name, enter a fully qualified domain name, for example, www.example.com. The trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. Topics • A Format (p. 5) • AAAA Format (p. 5) API Version 2013-04-01 4 Amazon Route 53 Developer Guide A Format • CNAME Format (p. 5) • MX Format (p. 6) • NS Format (p. 6) • PTR Format (p. 6) • SOA Format (p. 7) • SPF Format (p. 7) • SRV Format (p. 7) • TXT Format (p. 8) A Format The value for an A record is an IPv4 address in dotted decimal notation. Example for the Amazon Route 53 console 192.0.2.1 Example for the Amazon Route 53 API192.0.2.1 AAAA Format The value for a AAAA record is an IPv6 address in colon-separated hexadecimal format. Example for the Amazon Route 53 console 2001:0db8:85a3:0:0:8a2e:0370:7334 Example for the Amazon Route 53 API2001:0db8:85a3:0:0:8a2e:0370:7334 CNAME Format A CNAME Value element is the same format as a domain name. Important The DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. You cannot create a CNAME record for example.com, but you can create CNAME records for www.example.com, newproduct.example.com, and so on. In addition, if you create a CNAME record for a subdomain, you cannot create any other resource record sets for that subdomain. For example, if you create a CNAME for www.example.com, you cannot create any other resource record sets for which the value of the Name field is www.example.com. Amazon Route 53 also supports alias resource record sets, which allow you to route queries to a CloudFront distribution, an Elastic Beanstalk environment, an ELB load balancer, an Amazon S3 bucket that is configured as a static website, or another Amazon Route 53 resource record set. Aliases are similar in API Version 2013-04-01 5 Amazon Route 53 Developer Guide MX Format some ways to the CNAME resource record type; however, you can create an alias for the zone apex. For more information, see Choosing Between Alias and Non-Alias Resource Record Sets (p. 182). Example for the Amazon Route 53 console hostname.example.com Example for the Amazon Route 53 APIhostname.example.com MX Format The value for an MX record contains a decimal number that represents the priority of the MX record, and the domain name of an email server. Example for the Amazon Route 53 console 10 mail.example.com Example for the Amazon Route 53 API10 mail.example.com NS Format An NS record identifies the name servers for the hosted zone. The value for an NS record is the domain name of a name server. For more information about NS records, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). For information about configuring white label name servers, see Configuring White Label Name Servers (p. 165). Example for the Amazon Route 53 console ns-1.example.com Example for the Amazon Route 53 APIns-1.example.com PTR Format A PTR record Value element is the same format as a domain name. Example for the Amazon Route 53 console hostname.example.com Example for the Amazon Route 53 API API Version 2013-04-01 6 Amazon Route 53 Developer Guide SOA Formathostname.example.com SOA Format A start of authority (SOA) record provides information about a domain and the corresponding Amazon Route 53 hosted zone. For information about the fields in an SOA record, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). Example for the Amazon Route 53 console ns-2048.awsdns-64.net hostmaster.awsdns.com 1 1 1 1 60 Example for the Amazon Route 53 APIns-2048.awsdns-64.net hostmaster.awsdns.com 1 1 1 1 60 SPF Format SPF records were formerly used to verify the identity of the sender of email messages. However, we no longer recommend that you create resource record sets for which the record type is SPF. RFC 7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, has been updated to say, "...[I]ts existence and mechanism defined in [RFC4408] have led to some interoperability issues. Accordingly, its use is no longer appropriate for SPF version 1; implementations are not to use it." In RFC 7208, see section 14.1, The SPF DNS Record Type. Instead of an SPF record, we recommend that you create a TXT record that contains the applicable value. For more information about valid values, see Sender Policy Framework, SPF Record Syntax. Example for the Amazon Route 53 console "v=spf1 ip4:192.168.0.1/16 -all" Example for the Amazon Route 53 API"v=spf1 ip4:192.168.0.1/16 -all" SRV Format An SRV record Value element consists of four space-separated values.The first three values are decimal numbers representing priority, weight, and port. The fourth value is a domain name. For information about SRV record format, refer to the applicable documentation. Example for the Amazon Route 53 console 10 5 80 hostname.example.com Example for the Amazon Route 53 API10 5 80 hostname.example.com API Version 2013-04-01 7 Amazon Route 53 Developer Guide TXT Format TXT Format A TXT record contains a space-separated list of double-quoted strings. A single string include a maximum of 255 characters. In addition to the characters that are permitted unescaped in domain names, space is allowed in TXT strings. All other octet values must be quoted in octal form. Unlike domain names, case is preserved in character strings, meaning that Ab is not the same as aB. You can include a literal quote in a string by preceding it with a \ character. Example for the Amazon Route 53 console "This string includes \"quotation marks\"." "The last character in this string is an accented e specified in octal format: \351" Example for the Amazon Route 53 API"This string includes \"quotation marks\"." "The last character in this string is an accented e specified in octal format: \351" IP Address Ranges of Amazon Route 53 Servers Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. To view the current ranges, download ip-ranges.json. For more information, see AWS IP Address Ranges in the Amazon Web Services General Reference. To find the IP address ranges that are associated with Amazon Route 53 name servers, search ip-ranges.json for the following string: "service": "ROUTE53" To find the IP address ranges that are associated with Amazon Route 53 health checkers, search ip-ranges.json for the following string: "service": "ROUTE53_HEALTHCHECKS" DNS Constraints and Behaviors DNS messaging is subject to factors that affect how you create and use hosted zones and resource record sets. This section explains these factors. Maximum Response Size To comply with DNS standards, responses sent over UDP are limited to 512 bytes in size. Responses exceeding 512 bytes are truncated and the resolver must re-issue the request over TCP. If the resolver supports EDNS0 (as defined in RFC 2671), and advertises the EDNS0 option to Amazon Route 53, Amazon Route 53 permits responses up to 4096 bytes over UDP, without truncation. Authoritative Section Processing For successful queries, Amazon Route 53 appends name server (NS) resource record sets for the relevant hosted zone to the Authority section of the DNS response. For names that are not found (NXDOMAIN API Version 2013-04-01 8 Amazon Route 53 Developer Guide Additional Section Processing responses), Amazon Route 53 appends the start of authority (SOA) resource record set (as defined in RFC 1035) for the relevant hosted zone to the Authority section of the DNS response. Additional Section Processing Amazon Route 53 appends resource record sets to the Additional section. If the records are known and appropriate, the service appends A or AAAA resource record sets for any target of an MX, CNAME, NS, or SRV record cited in the Answer section. For more information about these DNS record types, see Supported DNS Resource Record Types (p. 4). Amazon Route 53 Pricing As with other AWS products, there are no contracts or minimum commitments for using Amazon Route 53—you pay only for the hosted zones you configure and the number of queries that Amazon Route 53 answers. For more information, see Amazon Route 53 Pricing. AWS Identity and Access Management Amazon Route 53 integrates with AWS Identity and Access Management (IAM), a service that lets your organization do the following: • • • • • Create users and groups under your organization's AWS Account Easily share your AWS Account resources between the users in the account Assign unique security credentials to each user Granularly control users access to services and resources Get a single AWS bill for all users in the AWS Account For example, you can use IAM with Amazon Route 53 to control which users in your AWS Account can create a new hosted zone or change resource record sets. For information about using Amazon Route 53 with IAM, see Authentication and Access Control for Amazon Route 53 (p. 277). For general information about IAM, go to: • Identity and Access Management (IAM) • IAM Getting Started Guide • IAM User Guide API Version 2013-04-01 9 Amazon Route 53 Developer Guide The Amazon Route 53 Console Getting Started with Amazon Route 53 Getting started with Amazon Route 53 is easy: create an AWS account if you don't already have one, register a domain, and create some resource record sets, all in the Amazon Route 53 console. For a detailed explanation of the process, see Registering a New Domain (p. 14). Note If you want to migrate an existing domain or subdomain to use Amazon Route 53 as the DNS service, see Configuring Amazon Route 53 as Your DNS Service (p. 141). You can access Amazon Route 53 using the Amazon Route 53 console, the Amazon Route 53 API, AWS SDKs, or the AWS command-line interface. For more information, see the applicable topic. Topics • The Amazon Route 53 Console (p. 10) • The Amazon Route 53 API (p. 11) • AWS SDKs that Support Amazon Route 53 (p. 11) • AWS Command Line Interface Support for Amazon Route 53 (p. 11) • AWS Tools for Windows PowerShell Support for Amazon Route 53 (p. 12) The Amazon Route 53 Console You can use the Amazon Route 53 console to create, delete, and list Amazon Route 53 hosted zones, resource record sets, and health checks. Note Some ad-blocking plugins for web browsers interfere with Amazon Route 53 console operations, which can cause the console to behave unpredictably. If you installed an ad-blocking plugin for your browser, we recommend that you add the URL for the Amazon Route 53 console, https:// console.aws.amazon.com/route53/home, to the whitelist for the plugin. To access the Amazon Route 53 console • Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. API Version 2013-04-01 10 Amazon Route 53 Developer Guide The Amazon Route 53 API To display help for the Amazon Route 53 console • To display help for a field, move the cursor over the field name. • To display help for the current page in the console, click the help icon, the Amazon Route 53 console. in the upper right corner of The Amazon Route 53 API The Amazon Route 53 API is a REST API that you can use to create, delete, and list Amazon Route 53 hosted zones and resource record sets. (When using the API, you change a resource record set by deleting the existing one and creating a new one.) For information about the Amazon Route 53 API, see the Amazon Route 53 API Reference. For information about how to use the API, including how to authenticate REST requests, see Making API Requests in the Amazon Route 53 API Reference. AWS SDKs that Support Amazon Route 53 The following AWS SDKs include a client for Amazon Route 53: • • • • • AWS SDK for Java version 1.2.13 and later. For more information, see AWS SDK for Java. AWS SDK for .NET version 1.4.1 and later. For more information, see AWS SDK for .NET. AWS SDK for PHP version 2.0.3 and later. For more information, see AWS SDK for PHP. AWS SDK for Python version 2.0 and later. For more information, see boto on github. AWS SDK for Ruby version 1.6.0 and later. For more information, see AWS SDK for Ruby. AWS Command Line Interface Support for Amazon Route 53 The AWS command line interface (AWS CLI) supports Amazon Route 53. For information about getting set up to use the AWS CLI, see the AWS Command Line Interface User Guide. For information about AWS CLI commands for Amazon Route 53, see route53 Available Commands in the AWS Command Line Interface Reference. API Version 2013-04-01 11 Amazon Route 53 Developer Guide AWS Tools for Windows PowerShell Support for Amazon Route 53 AWS Tools for Windows PowerShell Support for Amazon Route 53 AWS Tools for Windows PowerShell supports Amazon Route 53. For more information, see AWS Tools for Windows PowerShell Documentation. API Version 2013-04-01 12 Amazon Route 53 Developer Guide Registering Domain Names Using Amazon Route 53 When you want to get a new domain name, such as the example.com part of the URL http://example.com, you can register it with Amazon Route 53.You can also transfer the registration for existing domains from other registrars to Amazon Route 53 or transfer the registration for domains that you register with Amazon Route 53 to another registrar. The procedures in this chapter explain how to register and transfer domains using the Amazon Route 53 console, and how to edit domain settings and view domain status. If you're only registering and managing a few domains, using the console is the easiest way. If you need to register and manage a lot of domains, you might prefer to use the Amazon Route 53 API or one of the AWS SDKs. For more information about API actions for domain registration, see Actions on Domain Registrations in the Amazon Route 53 API Reference. For a list of the AWS SDKs that support Amazon Route 53 and for links to the corresponding SDK pages on the AWS website, see AWS SDKs that Support Amazon Route 53 (p. 11). Note If you are using a language for which an AWS SDK exists, use the SDK rather than trying to work your way through the APIs. The SDKs make authentication simpler, integrate easily with your development environment, and provide easy access to Amazon Route 53 commands. Domain name registration services are provided under our Domain Name Registration Agreement. Topics • Registering and Updating Domains (p. 14) • Privacy Protection for Contact Information (p. 22) • Renewing Registration for a Domain (p. 23) • Extending the Registration Period for a Domain (p. 26) • • • • Transferring Domains (p. 27) Configuring DNSSEC for a Domain (p. 35) Getting a Domain Name Unsuspended (p. 39) Deleting a Domain Name Registration (p. 40) • Downloading a Domain Billing Report (p. 40) • Domains that You Can Register with Amazon Route 53 (p. 41) API Version 2013-04-01 13 Amazon Route 53 Developer Guide Registering and Updating Domains Registering and Updating Domains For information about registering new domains and updating the settings in existing domains, see the applicable topic. Topics • Registering a New Domain (p. 14) • Values that You Specify When You Register a Domain or Edit Domain Settings (p. 16) • Values that Amazon Route 53 Returns When You Register or Update a Domain (p. 19) • Viewing the Status of a Domain Registration (p. 20) • Adding Resource Record Sets for a New Domain (p. 20) • Editing Contact Information and Other Settings for a Domain (p. 20) • Adding or Changing Name Servers and Adding or Changing Glue Records (p. 22) Registering a New Domain When you want to register a new domain using the Amazon Route 53 console, perform the following procedure. Important When you register a domain with Amazon Route 53, we automatically create a hosted zone for the domain to make it easier for you to use Amazon Route 53 as the DNS service provider for your new domain. This hosted zone is where you store information about how to route traffic for your domain, for example, to an Amazon EC2 instance or a CloudFront distribution. We charge a small monthly fee for the hosted zone in addition to the annual charge for the domain registration. If you don't want to use your domain right now, you can delete the hosted zone; if you delete it within 12 hours of registering the domain, there won't be any charge for the hosted zone on your AWS bill. We also charge a small fee for the DNS queries that we receive for your domain. For more information, see Amazon Route 53 Pricing. To register a new domain using Amazon Route 53 1. 2. 3. By default, you can register up to five domains. If you want to register more than five domains, open a case with the Support Center, and request an increase in the number of domains that you can register. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you're new to Amazon Route 53, under Domain Registration, choose Get Started Now. If you're already using Amazon Route 53, in the navigation pane, choose Registered Domains. 4. 5. Choose Register Domain. Enter the domain name that you want to register, and choose Check to find out whether the domain name is available. 6. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). If the domain is available, choose Add to cart. The domain name appears in your shopping cart. 7. The Availability for popular TLDs list shows other domains that you might want to register instead of your first choice (if it's not available) or in addition to your first choice. Choose Add to cart for each additional domain that you want to register, up to a maximum of five domains. In the shopping cart, choose the number of years that you want to register the domain for. 8. To register more domains, repeat steps 5 through 7. API Version 2013-04-01 14 Amazon Route 53 Developer Guide Registering a New Domain 9. Choose Continue. 10. On the Contact Details for Your n Domains page, enter contact information for the domain registrant, administrator, and technical contacts. The values that you enter here are applied to all of the domains that you're registering. By default, we use the same information for all three contacts. If you want to enter different information for one or more contacts, change the value of My Registrant, Administrative, and Technical Contacts are all the same to No. If you're registering more than one domain, we use the same contact information for all of the domains. For more information, see Values that You Specify When You Register a Domain or Edit Domain Settings (p. 16). 11. For some top-level domains (TLDs), we're required to collect additional information. For these TLDs, enter the applicable values after the Postal/Zip Code field. 12. Choose whether you want to hide your contact information from WHOIS queries. For more information, see the following topics: • Privacy Protection for Contact Information (p. 22) • Domains that You Can Register with Amazon Route 53 (p. 41) 13. Choose Continue. 14. Review the information that you entered, read the terms of service, and select the check box to confirm that you've read the terms of service. 15. Choose Complete Purchase. We send an email to the registrant for the domain to verify that the registrant contact can be reached at the email address that you specified. (This is an ICANN requirement.) The email comes from one of the following email addresses: • noreply@registrar.amazon.com – for TLDs registered by Amazon Registrar. • noreply@domainnameverification.net – for TLDs registered by our registrar associate, Gandi. To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). Important The registrant contact must follow the instructions in the email to confirm that the email was received, or we must suspend the domain as required by ICANN. When a domain is suspended, it's not accessible on the Internet. You'll receive another email when your domain registration has been approved. To determine the current status of your request, see Viewing the Status of a Domain Registration (p. 20). 16. When domain registration is complete, your next step depends on whether you want to use Amazon Route 53 or another DNS service as the DNS service for the domain: • Amazon Route 53 – Create resource record sets to tell Amazon Route 53 how you want to route traffic for the domain. For more information, see Adding Resource Record Sets for a New Domain (p. 20). • Another DNS service – Configure your new domain to route DNS queries to the other DNS service. Perform the procedure To update the name servers for your domain when you want to use another DNS service (p. 16). API Version 2013-04-01 15 Amazon Route 53 Developer Guide Values that You Specify When You Register a Domain or Edit Domain Settings To update the name servers for your domain when you want to use another DNS service 1. Use the process that is provided by your DNS service to get the name servers for the domain. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to configure to use another DNS service. 3. 4. 5. 6. Choose Add/Edit Name Servers. Change the names of the name servers to the name servers that you got from your DNS service in step 1. 7. 8. Choose Update. (Optional) Delete the hosted zone that Amazon Route 53 created automatically when you registered your domain. This prevents you from being charged for a hosted zone that you aren't using. a. In the navigation pane, choose Hosted Zones. b. c. d. Select the radio button for the hosted zone that has the same name as your domain. Choose Delete Hosted Zone. Choose Confirm to confirm that you want to delete the hosted zone. Values that You Specify When You Register a Domain or Edit Domain Settings When you register a domain, transfer domain registration to Amazon Route 53, or edit the settings for a domain, you specify the values that are described in this topic. If you change contact information for the domain, we send an email notification to the registrant contact about the change. This email comes from route53-dev-admin@amazon.com. For most changes, the registrant contact is not required to respond. For changes to contact information that also constitute a change in ownership, we send the registrant contact an additional email. ICANN requires that the registrant contact confirm receiving the email. For more information, see First Name, Last Name and Organization later in this section. If you're registering more than one domain, Amazon Route 53 uses the values that you specify for all of the domains that are in your shopping cart. My Registrant, Administrative, and Technical contacts are all the same Specifies whether you want to use the same contact information for the registrant of the domain, the administrative contact, and the technical contact. Contact Type Category for this contact. If you choose an option other than Person, you must enter an organization name. For some TLDs, the privacy protection available depends on the value that you choose for Contact Type. For the privacy protection settings for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). First Name, Last Name The first and last names of the contact. API Version 2013-04-01 16 Amazon Route 53 Developer Guide Values that You Specify When You Register a Domain or Edit Domain Settings When the contact type is Person and you change the First Name and/or Last Name fields for the registrant contact, you change the owner of the domain. ICANN requires that we email the registrant contact to get approval. The email comes from one of the following email addresses: TLDs Email address that approval email comes from TLDs registered by Amazon Registrar noreply@registrar.amazon.com .com.au and .net.au domains@tppwholesale.com.au .fr nic@nic.fr (The email is sent both to the current registrant contact and the new registrant contact.) All others noreply@domainnameverification.net To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). Important The registrant contact must follow the instructions in the email to confirm that the email was received, or we must suspend the domain as required by ICANN. When a domain is suspended, it's not accessible on the Internet. If you change the email address of the registrant contact, this email is sent to the former email address and the new email address for the registrant contact. Some TLD registrars charge a fee for changing the domain owner. When you change one of these values, the Amazon Route 53 console displays a message that tells you whether there is a fee. Organization The organization that is associated with the contact, if any. For the registrant and administrative contacts, this is typically the organization that is registering the domain. For the technical contact, this might be the organization that manages the domain. When the contact type is any value except Person and you change the Organization field for the registrant contact, you change the owner of the domain. ICANN requires that we email the registrant contact to get approval. The email comes from one of the following email addresses: TLDs Email address that approval email comes from TLDs registered by Amazon Registrar noreply@registrar.amazon.com .com.au and .net.au domains@tppwholesale.com.au .fr nic@nic.fr (The email is sent both to the current registrant contact and the new registrant contact.) All others noreply@domainnameverification.net To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). If you change the email address of the registrant contact, this email is sent to the former email address and the new email address for the registrant contact. API Version 2013-04-01 17 Amazon Route 53 Developer Guide Values that You Specify When You Register a Domain or Edit Domain Settings Some TLD registrars charge a fee for changing the domain owner. When you change the value of Organization, the Amazon Route 53 console displays a message that tells you whether there is a fee. Email The email address for the contact. If you change the email address for the registrant contact, we send a notification email to the former email address and the new email address.This email comes from route53-dev-admin@amazon.com. Phone The phone number for the contact: • If you're entering a phone number for locations in the United States or Canada, enter 1 in the first field and the 10-digit area code and phone number in the second field. • If you're entering a phone number for any other location, enter the country code in the first field, and enter the rest of the phone number in the second field. See CountryCode.org for a list of phone country codes, for example, 423 for Liechtenstein. Address 1 The street address for the contact. Address 2 Additional address information for the contact, for example, apartment number or mail stop. Country The country for the contact. State The state or province for the contact, if any. City The city for the contact. Postal/Zip code The postal or zip code for the contact. Fields for selected top-level domains Some top-level domains require that you specify additional values. Privacy Protection Whether you want to conceal your contact information from WHOIS queries. If you select Hide contact information, WHOIS ("who is") queries will return contact information for the registrar or the value "Protected by policy." If you select Don't hide contact information, you'll get more email spam at the email address that you specified. Anyone can send a WHOIS query for a domain and get back all of the contact information for that domain. The WHOIS command is available in many operating systems, and it's also available as a web application on many websites. Important Although there are legitimate users for the contact information associated with your domain, the most common users are spammers, who target domain contacts with unwanted email and bogus offers. In general, we recommend that you choose Hide contact information for Privacy Protection. For more information, see the following topics: • Privacy Protection for Contact Information (p. 22) • Domains that You Can Register with Amazon Route 53 (p. 41) Auto Renew (Only available when editing domain settings) Whether you want Amazon Route 53 to automatically renew the domain before it expires. The registration fee is charged to your AWS account. For more information, see Renewing Registration for a Domain (p. 23). API Version 2013-04-01 18 Amazon Route 53 Developer Guide Values that Amazon Route 53 Returns When You Register or Update a Domain Caution If you disable automatic renewal, registration for the domain will not be renewed when the expiration date passes, and you might lose control of the domain name. The period during which you can renew a domain name varies by top-level domain (TLD). For an overview about renewing domains, see Renewing Registration for a Domain (p. 23). For information about extending domain registration for a specified number of years, see Extending the Registration Period for a Domain (p. 26). Values that Amazon Route 53 Returns When You Register or Update a Domain When you register your domain with Amazon Route 53, Amazon Route 53 returns the following values in addition to the values that you specified. Registered on The date on which the domain was originally registered with Amazon Route 53. Expires on The date and time on which the current registration period expires, in Greenwich Mean Time (GMT). The registration period is typically one year, although the registries for some top-level domains (TLDs) have longer registration periods. For the registration and renewal period for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). For most TLDs, you can extend the registration period by up to ten years. For more information, see Extending the Registration Period for a Domain (p. 26). Domain name status code The current status of the domain. ICANN, the organization that maintains a central database of domain names, has developed a set of domain name status codes (also known as EPP status codes) that tell you the status of a variety of operations on a domain name, for example, registering a domain name, transferring a domain name to another registrar, renewing the registration for a domain name, and so on. All registrars use this same set of status codes. For a current list of domain name status codes and an explanation of what each code means, go to the ICANN website and search for epp status codes. (Search on the ICANN website; web searches sometimes return an old version of the document.) Transfer lock Whether the domain is locked to reduce the possibility of someone transferring your domain to another registrar without your permission. If the domain is locked, the value of Transfer Lock is Enabled. If the domain is not locked, the value is Disabled. Auto renew Whether Amazon Route 53 will automatically renew the registration for this domain shortly before the expiration date. Authorization code The code that is required if you want to transfer registration of this domain to another registrar. An authorization code is only generated when you request it. For information about transferring a domain to another registrar, see Transferring a Domain from Amazon Route 53 to Another Registrar (p. 33). Name servers The Amazon Route 53 servers that respond to DNS queries for this domain. We recommend that you don't delete Amazon Route 53 name servers. For information about adding, changing, or deleting name servers, see Editing Contact Information and Other Settings for a Domain (p. 20). API Version 2013-04-01 19 Amazon Route 53 Developer Guide Viewing the Status of a Domain Registration Viewing the Status of a Domain Registration ICANN, the organization that maintains a central database of domain names, has developed a set of domain name status codes (also known as EPP status codes) that tell you the status of a variety of operations, for example, registering a domain name, transferring a domain name to another registrar, renewing the registration for a domain name, and so on. All registrars use this same set of status codes. To view the status code for your domains, perform the following procedure. To view the status of a domain 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. 3. 4. Choose the name of your domain. For the current status of your domain, see the value of the Domain name status field. For a current list of domain name status codes and an explanation of what each code means, go to the ICANN website and search for epp status codes. (Search on the ICANN website; web searches sometimes return an old version of the document.) Adding Resource Record Sets for a New Domain As soon as you receive email confirmation that we successfully registered a domain for you, you can start to create resource record sets for the domain. These resource record sets tell Amazon Route 53 how you want to route queries for your domain. For example, when someone enters your domain name in a browser and that query makes its way to Amazon Route 53, do you want Amazon Route 53 to respond to the query with the IP address of a web server in your data center or with the name of an ELB load balancer? When you register your domain with Amazon Route 53, we automatically create a hosted zone for the new domain. This hosted zone, which has the same name as your domain, is the container in which Amazon Route 53 will store the resource record sets for your domain. For more information about how to create resource record sets, see Working with Resource Record Sets (p. 178). Editing Contact Information and Other Settings for a Domain When you want to edit settings for a domain that you registered using Amazon Route 53, perform the following procedure. Note For most top-level domains (TLDs), you can change the expiration date for a domain. For more information, see Extending the Registration Period for a Domain (p. 26). To edit contact information and other settings for a domain 1. 2. 3. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to edit settings for. 4. Edit the applicable values: API Version 2013-04-01 20 Amazon Route 53 Developer Guide Editing Contact Information and Other Settings for a Domain Edit Contacts To edit contact information, including the privacy-protection setting for a contact, choose Edit Contacts. For more information, see Values that You Specify When You Register a Domain or Edit Domain Settings (p. 16). Transfer Lock To change whether the domain is locked to prevent an unauthorized transfer to another registrar, choose Enable (to lock the domain) or Disable (to unlock the domain). Auto Renew To change whether Amazon Route 53 automatically renews the registration for your domain before the expiration date, choose Enable (to turn on automatic renewal) or Disable (to turn off automatic renewal). We strongly recommend that you choose Enable to ensure that you retain ownership of your domain. Add/Edit Name Servers To edit name servers, choose Add/Edit Name Servers and enter the applicable values. Then choose Update. For more information about editing name servers, see Adding or Changing Name Servers and Adding or Changing Glue Records (p. 22). 5. Choose Save. When you change some values, you change the owner of the domain: • When the contact type is Person and you change the First Name and/or Last Name fields for the registrant contact, you change the owner of the domain. • When the contact type is any other value and you change the Organization field for the registrant contact, you change the owner of the domain. ICANN requires that we email the registrant contact to get approval. The email comes from one of the following email addresses: TLDs Email address that approval email comes from TLDs registered by Amazon Registrar noreply@registrar.amazon.com .com.au and .net.au domains@tppwholesale.com.au .fr nic@nic.fr (The email is sent both to the current registrant contact and the new registrant contact.) All others noreply@domainnameverification.net To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). Important Within 15 days, the registrant contact must follow the instructions in the email to confirm that the email was received, or we must suspend the domain as required by ICANN. When a domain is suspended, it's not accessible on the Internet. API Version 2013-04-01 21 Amazon Route 53 Developer Guide Adding or Changing Name Servers and Adding or Changing Glue Records Adding or Changing Name Servers and Adding or Changing Glue Records In general, you don't need to change the name servers that Amazon Route 53 assigned to your domain and to the corresponding hosted zone when you registered the domain. If you do need to add or change name servers, perform the following procedure. You can also use this procedure to specify glue records (IP addresses) when you're configuring white label name servers—name servers that have the same domain name as the hosted zone. For more information about configuring white label name servers (also known as vanity name servers or private name servers), see Configuring White Label Name Servers (p. 165). Caution If you change name servers to the wrong values, specify the wrong IP addresses in glue records, or delete one or more name servers without specifying new ones, your website or application might become unavailable on the Internet. To add or change name servers and glue records 1. .fi domains only – Order an authorization key from the Finnish Communications Regulatory Authority, the registry for .fi domains. You use the authorization key later in this process. For more information, see Ordering of authorization key on the Finnish Communications Regulatory Authority website. Important The Finnish Communications Regulatory Authority mails the authorization key to you, which can take two weeks or more. Do not continue with this procedure until you have the key. 2. 3. 4. 5. 6. 7. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain for which you want to edit settings. Choose Add/Edit Name Servers. .fi domains only – In the Authorization Key field, type the authorization key that you got in step 1. In the Edit Name Servers dialog box, you can do the following: • Add one or more name servers. • Replace the name of an existing name server. • Add glue records or change the IP addresses in glue records. If you add a name server or change the name of a name server and specify a name that is a subdomain of the domain that you're updating (for example, ns1.example.com in the domain example.com), Amazon Route 53 prompts you to specify one or more IP addresses for the name server. These IP addresses are known as glue records. • Delete a name server. Choose the x icon on the right side of the field for that name server. 8. Choose Update. Privacy Protection for Contact Information When you register a domain with Amazon Route 53, we enable privacy protection by default for all the contacts for the domain. This typically hides most of your contact information from WHOIS ("Who is") queries and reduces the amount of spam that you receive. Your contact information is replaced either with contact information for the registrar or with the phrase "Protected by policy." API Version 2013-04-01 22 Amazon Route 53 Developer Guide Renewing Registration for a Domain Important You can hide contact information only when the domain is locked to prevent transfers. If you're transferring the domain to or from Amazon Route 53, you must disable privacy protection, so your contact information is visible in WHOIS queries.You can re-enable privacy protection when the transfer is complete. You can choose to disable privacy protection for some or all contacts for a domain. If you do, anyone can send a WHOIS query for the domain and, for most top-level domains (TLDs), get all the contact information that you provided when you registered the domain, including name, address, phone number, and email address. The WHOIS command is widely available; it's included in many operating systems, and it's also available as a web application on many websites. The information that you can hide from WHOIS queries depends on two main factors: The registry for the top level domain Some TLD registries hide all contact information automatically, some allow you to choose to hide all contact information, some allow you to hide only some information, and some do not allow you to hide any information. For example, most registries allow you to hide your address, phone number, and email address. Only a few also allow you to hide your name. The registrar When you register a domain with Amazon Route 53 or transfer a domain to Amazon Route 53, the registrar for the domain is either Amazon Registrar or our registrar associate, Gandi. Amazon Registrar and Gandi hide different information by default: • Amazon Registrar – By default, all of your contact information is hidden. • Gandi – By default, all of your contact information is hidden except first and last name, and organization name. However, regulations for the TLD registry take precedence. To find out what information is hidden for the TLD for your domain, see Domains that You Can Register with Amazon Route 53 (p. 41). For information about how to change the privacy settings for the contacts for a domain, see Editing Contact Information and Other Settings for a Domain (p. 20). Renewing Registration for a Domain When you register a domain with Amazon Route 53 or you transfer domain registration to Amazon Route 53, we configure the domain to renew automatically. The automatic renewal period is typically one year, although the registries for some top-level domains (TLDs) have longer renewal periods. For the registration and renewal period for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). For most top-level domains (TLDs), you can change the expiration date for a domain. For more information, see Extending the Registration Period for a Domain (p. 26). Caution If you turn off automatic renewal, be aware of the following effects on your domain: • Some TLD registries delete domains even before the expiration date if you don't renew early enough. We strongly recommend that you leave automatic renewal enabled if you want to keep a domain name. • We also strongly recommend that you not plan to re-register a domain after it has expired. Some registrars allow others to register domains immediately after the domains expire, so you might not be able to re-register before the domain is taken by someone else. • Some registries charge a large premium to restore expired domains. • On or near the expiration date, the domain becomes unavailable on the Internet. API Version 2013-04-01 23 Amazon Route 53 Developer Guide Renewing Registration for a Domain To determine whether automatic renewal is enabled for your domain, see Editing Contact Information and Other Settings for a Domain (p. 20). If automatic renewal is enabled, here's what happens: 45 days before expiration We send an email to the registrant contact that tells you that automatic renewal is currently enabled and gives instructions about how to disable it. Keep your registrant contact email address current so you don't miss this email. 35 or 30 days before expiration For all domains except .com.ar, .com.br, and .jp domains, we renew domain registration 35 days before the expiration date so we have time to resolve any issues with your renewal before the domain name expires. The registries for .com.ar, .com.br, and .jp domains require that we renew the domains no more than 30 days before expiration. You'll get a renewal email from Gandi, our registrar associate, 30 days before expiration, which is the same day that we renew your domain if you have automatic renewal enabled. Note When we renew your domain, we send you an email to let you know that we renewed it. If the renewal failed, we send you an email to explain why it failed. If automatic renewal is disabled, here's what happens as the expiration date for a domain name approaches: 45 days before expiration We send an email to the registrant contact for the domain that tells you that automatic renewal is currently disabled and gives instructions about how to enable it. Keep your registrant contact email address current so you don't miss this email. 30 days and 7 days before expiration If automatic renewal is disabled for the domain, ICANN, the governing body for domain registration, requires the registrar to send you an email. The email comes from one of the following email addresses: • noreply@registrar.amazon.com – For domains for which the registrar is Amazon Registrar. • noreply@domainnameverification.net – For domains for which the registrar is our registrar associate, Gandi. To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). If you enable automatic renewal less than 30 days before expiration, and the renewal period has not passed, we renew the domain within 24 hours. Caution Some TLD registries stop allowing renewals as much as 25 days before the expiration date, and many don't allow renewal after the expiration date. In addition, processing a renewal can take up to a day. If you delay too long before enabling automatic renewal, the domain might expire before renewal can be processed, and you might lose the domain. If the expiration date is approaching, we recommend that you manually extend the expiration date for the domain. For more information, see Extending the Registration Period for a Domain (p. 26). For more information about renewal periods, go to the "Renewal, restoration, and deletion times" table on the Renewing a Domain Name page on the Gandi website. After the expiration date Most domains are held by the registrar for a brief time after expiration, so you might be able to renew an expired domain after the expiration date, but we strongly recommend that you keep automatic API Version 2013-04-01 24 Amazon Route 53 Developer Guide Renewing or Restoring an Expired Domain renewal enabled if you want to keep your domain. For information about trying to renew a domain after the expiration date, see Renewing or Restoring an Expired Domain (p. 25). Renewing or Restoring an Expired Domain If you don't renew a domain before the expiration date, some registries for top-level domains (TLDs) allow you to do one or both of the following: • Renew the expired domain during a late-renewal period • Restore the domain after the late-renewal period passes and before it becomes available for others to register To try to renew or restore domain registration for a domain that has expired 1. Determine whether the TLD registry for the domain supports renewing or restoring expired domains. a. b. Go to the "Renewal, restoration, and deletion times" table on the Renewing a Domain Name page on the Gandi website. Find the TLD for your domain, and review the applicable values: • Determine whether the registry supports renewing or restoring an expired domain. • If renewal or restoration is supported, determine whether the domain is still within the renewal or restoration period. The list includes some TLDs that Amazon Route 53 doesn't support. Important We forward renewal and restoration requests to Gandi, which processes the requests during business hours Monday through Friday. Gandi is based in Paris, where the time is UTC/GMT +1 hour. As a result, depending on when you submit your request, in rare cases it can take a week or more for a request to be processed. 2. Get the expiration date for the domain: a. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. b. c. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to view the expiration date for. d. Check the value of Expires on. 3. Using the AWS account that the domain was registered to, sign in to the AWS Support Center. 4. Specify the following values: Regarding Accept the default value of Account and Billing Support. Service Accept the default value of Billing. Category Accept the default value of Domain name registration issue. Subject Type Renew an expired domain. API Version 2013-04-01 25 Amazon Route 53 Developer Guide Extending the Registration Period for a Domain Description Provide the following information: • The domain that you want to renew • The account ID of the AWS account that the domain was registered to Contact method Specify a contact method and, if you choose Phone, enter the applicable values. 5. Choose Submit. 6. When we learn whether we were able to renew or restore your expired domain, a customer support representative will contact you. In addition, if we were able to renew or restore your domain, the expiration date in the console will change to the new date. Extending the Registration Period for a Domain When you register a domain with Amazon Route 53 or you transfer domain registration to Amazon Route 53, we configure the domain to renew automatically. The automatic renewal period is typically one year, although the registries for some top-level domains (TLDs) have longer renewal periods. All generic TLDs and many country-code TLDs let you extend domain registration for longer periods, typically up to ten years in one-year increments. To determine whether you can extend the registration period for your domain, see Domains that You Can Register with Amazon Route 53 (p. 41). If longer registration periods are allowed, perform the following procedure. Note Some TLD registries have restrictions on when you can renew or extend a domain registration, for example, the last two months before the domain expires. Even if the registry allows extending the registration period for a domain, they might not allow it at the current number of days before the domain expires. To extend the registration period for your domain 1. 2. 3. Open the Amazon Route 53 console at https://console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain for which you want to extend the registration period. The Expires on field lists the current expiration date for the domain. If the registry for the TLD allows extending the registration period, an extend link appears on the right side of the expiration date. 4. 5. 6. Choose extend. In the Extend registration for list, choose the number of years that you want to extend the registration for. The list shows all the current options based on the current expiration date and the maximum registration period allowed by the registry for this domain. The New expiration date field shows the expiration date with that number of years applied. Choose Extend domain registration. When we receive confirmation from the registry that they've updated your expiration date, we send you an email to confirm that we've changed the expiration date. API Version 2013-04-01 26 Amazon Route 53 Developer Guide Transferring Domains Transferring Domains You can transfer domain registration from another registrar to Amazon Route 53, from one AWS account to another, or from Amazon Route 53 to another registrar. Topics • Transferring Registration for a Domain to Amazon Route 53 (p. 27) • Viewing the Status of a Domain Transfer (p. 30) • How Transferring a Domain to Amazon Route 53 Affects the Expiration Date for Your Domain Registration (p. 32) • Transferring a Domain to a Different AWS Account (p. 32) • Transferring a Domain from Amazon Route 53 to Another Registrar (p. 33) Transferring Registration for a Domain to Amazon Route 53 When you transfer a domain name from another registrar to Amazon Route 53, you need to get some information from your current registrar and enter it on the Amazon Route 53 console. For information about how transferring your domain affects the current expiration date, see How Transferring a Domain to Amazon Route 53 Affects the Expiration Date for Your Domain Registration (p. 32). By default, Amazon Route 53 automatically renews registration for the domain. For information about changing this setting, see Editing Contact Information and Other Settings for a Domain (p. 20). When you transfer a domain to Amazon Route 53, the transfer fee that we apply to your AWS account depends on the top-level domain (TLD). For more information, see Amazon Route 53 Pricing. Transfer Requirements for Top-Level Domains Registries for top-level domains (such as .com) have requirements for transferring domains. Requirements vary among TLDs, but the following requirements are typical: • You must have registered the domain with the current registrar at least 60 days ago. • If the registration for a domain name expired and had to be restored, it must have been restored at least 60 days ago. • You must have transferred registration for the domain to the current registrar at least 60 days ago. • The domain cannot have any of the following domain name status codes: • pendingDelete • pendingTransfer • redemptionPeriod • clientTransferProhibited • Some registries block transfers until changes, such as ownership changes, are complete. For a current list of domain name status codes and an explanation of what each code means, go to the ICANN website and search for epp status codes. (Search on the ICANN website; web searches sometimes return an old version of the document.) API Version 2013-04-01 27 Amazon Route 53 Developer Guide Transferring Domain Registration to Amazon Route 53 Transferring a Domain to Amazon Route 53 To transfer a domain to Amazon Route 53, perform the following procedure. To transfer a domain to Amazon Route 53 from another registrar 1. 2. Confirm that Amazon Route 53 supports the top-level domain (for example, .com or .org) for the domain name that you want to transfer. For more information, see Domains that You Can Register with Amazon Route 53 (p. 41). If your top-level domain isn't on the list, you can't currently transfer the domain name to Amazon Route 53. If the registrar for your domain is also the DNS service provider for the domain, we highly recommend that you consider transferring your DNS service to Amazon Route 53 or another DNS service provider before you transfer your registration. Some registrars provide free DNS service when you purchase a domain registration. When you transfer the registration, the previous registrar will not renew your domain registration and might disable DNS service for the domain as soon as they receive transfer the request from Amazon Route 53. For more information, see Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141). Caution If the registrar for your domain is also the DNS service provider for the domain and you don't transfer DNS service to another provider, your website, email, and the web applications associated with the domain might become unavailable. The Amazon Route 53 DNS service doesn't support DNSSEC. If DNSSEC is configured for the domain, you must do one of the following: • Delete DNSSEC keys for the domain. • Use a DNS service provider that supports DNSSEC and that won't cancel your DNS service when you transfer the domain to Amazon Route 53. 3. For more information, see Configuring DNSSEC for a Domain (p. 35). Using the method provided by your current registrar, perform the following tasks for each domain that you want to transfer: • Unlock the domain so it can be transferred. • Disable privacy protection for the domain. This makes your contact information visible to WHOIS queries. • Confirm that the email for the registrant for your domain is up to date. That's the email address at which we'll contact you with information about the progress of the transfer. • Confirm that the domain status allows you to transfer the domain. For more information, see Transfer Requirements for Top-Level Domains (p. 27). • Get an authorization code, which authorizes us to request that registration for the domain be transferred to Amazon Route 53. You'll enter this code in the Amazon Route 53 console later in the process. .co.uk, .me.uk, and .org.uk domains If you're transferring a .co.uk, .me.uk, or .org.uk domain to Amazon Route 53, you don't need to specify an authorization code. Instead, use the method provided by your current domain registrar to update the value of the IPS tag for the domain to GANDI, all uppercase. (An IPS tag is required by Nominet, the registry for .uk domain names.) If your registrar will not change the value of the IPS tag, contact Nominet. .jp domains If you're transferring a .jp domain to Amazon Route 53, you don't need to specify an authorization code. Instead, use the method provided by your current domain registrar to update the value of the AGNT code to AGNT-1744, all uppercase. API Version 2013-04-01 28 Amazon Route 53 Developer Guide Transferring Domain Registration to Amazon Route 53 .ru domains If you're transferring a .ru domain to Amazon Route 53, you don't need to specify an authorization code. Instead, use the method provided by RU-Center, the registry for .ru domains, to update the Partner Handle for the domain to 5427/NIC-REG. For more information, see the Registrar's or Registrant's Transfer page on the RU-Center website. 4. If you're already using Amazon Route 53 as the DNS service provider for the domains that you want to transfer, get the names of the Amazon Route 53 name servers for each of the corresponding hosted zones. For more information, see Getting the Name Servers for a Public Hosted Zone (p. 163). Then go to the next step. If you want to continue using another DNS service provider for the domains that you're transferring, use the method provided by your current DNS service provider to get the names of the name servers for each domain that you want to transfer. 5. 6. 7. 8. 9. Open the Amazon Route 53 console at https://console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose Transfer Domain. Enter the name of the domain for which you want to transfer registration to Amazon Route 53, and choose Check. If the domain is available for transfer, choose Add to cart. If the domain is not available for transfer, the Amazon Route 53 console lists the reasons. Contact your registrar for information about how to resolve the issues that prevent you from transferring your domain. 10. If you want to transfer other domains, repeat steps 8 and 9. 11. When you've added all of the domains that you want to transfer, choose Continue. 12. For each domain name that you want to transfer, enter the applicable values: Authorization Code Enter the authorization code that you got from your current registrar in step 3 of this procedure. Name Servers Enter the names of the name servers that you got from the DNS service for the domain in step 4 of this procedure. If you're using Amazon Route 53 as your DNS service provider, enter all four of the name servers that Amazon Route 53 assigned to the hosted zone for your domain. 13. On the Contact Details for Your n Domains page, enter contact information for the domain registrant, administrator, and technical contact. The values that you enter here are applied to all of the domains that you're transferring. By default, we use the same information for all three contacts. If you want to enter different information for one or more contacts, change the value of My Registrant, Administrative, and Technical contacts are all the same to No. 14. 15. 16. 17. For more information, see Values that You Specify When You Register a Domain or Edit Domain Settings (p. 16). For some top-level domains (TLDs), we're required to collect additional information. For these TLDs, enter the applicable values after the Postal/Zip Code field. If the value of Contact Type is Person, choose whether you want to hide your contact information from WHOIS queries. For more information, see Privacy Protection for Contact Information (p. 22). Choose Continue. Review the information you entered, read the terms of service, and select the check box to confirm that you've read the terms of service. 18. Choose Complete Purchase. API Version 2013-04-01 29 Amazon Route 53 Developer Guide Viewing the Status of a Domain Transfer We confirm that the domain is eligible for transfer, and we send the registrant for the domain an email to confirm that the registrant requested the transfer. The email comes from one of the following email addresses: TLDs Email address that approval email comes from TLDs registered by Amazon Registrar noreply@registrar.amazon.com .com.au and .net.au domains@tppwholesale.com.au .fr nic@nic.fr, if you're changing the registrant contact for a .fr domain name at the same time that you're transferring the domain. (The email is sent both to the current registrant contact and the new registrant contact.) All others noreply@domainnameverification.net To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). 19. If you're the registrant contact for the domain, follow the instructions in the email to confirm that the email was received. If someone else is the registrant contact, ask that person to confirm that the email was received. We wait up to five days for the registrant to confirm the transfer. If the registrant doesn't confirm the transfer within five days, we cancel the transfer operation and send an email to the registrant about the cancellation. If the registrant contact confirms the transfer, we start to work with your current registrar to transfer your domain. This step might take up to seven days, depending on your current registrar. If your current registrar doesn't reply to our transfer request, which is common among registrars, the transfer happens automatically. If your current registrar rejects the transfer request, we send an email notification to the current registrant. The registrant needs to contact the current registrar and resolve the issues with the transfer. When your domain transfer has been approved, we send another email to the registrant contact. For more information about the process, see Viewing the Status of a Domain Transfer (p. 30). We charge your AWS account for the domain transfer as soon as the transfer is complete. This is a one-time charge, so the charge doesn't appear in your CloudWatch billing metrics. For a list of charges by TLD, see Amazon Route 53 Pricing for Domain Registration. Viewing the Status of a Domain Transfer After you initiate the transfer of a domain from another domain registrar to Amazon Route 53, you can track the status on the Registered Domains page of the Amazon Route 53 console. The Status column includes a brief description of the current step. The following list includes the text in the console and a more detailed description of each step. Note When you submit a transfer request, the initial status is Domain transfer request submitted, which indicates that we've received your request. Determining whether the domain meets transfer requirements (step 1 of 14) We're confirming that your domain's status is eligible for transfer. You must unlock your domain, and the domain can't have any of the following status codes when you submit the transfer request: • clientTransferProhibited API Version 2013-04-01 30 Amazon Route 53 Developer Guide Viewing the Status of a Domain Transfer • pendingDelete • pendingTransfer • redemptionPeriod Verifying WHOIS information (step 2 of 14) We sent a WHOIS query for your domain to determine whether you've disabled the privacy protection for the domain. If privacy protection is still enabled with your current registrar, we won't be able to access the information we need to transfer the domain. Sent email to registrant contact to get transfer authorization (step 3 of 14) We've sent an email to the registrant contact for the domain to confirm that the transfer was requested by an authorized contact of the domain. Verifying transfer with current registrar (step 4 of 14) We've sent a request to the current registrar for the domain to initiate the transfer. Awaiting authorization from registrant contact (step 5 of 14) We're waiting for the registrant contact of the domain to authorize the transfer (see step 3). If the registrant contact does not receive the email, confirm that the current registrar for the domain has the correct email address for the registrant contact. Contacted current registrar to request transfer (step 6 of 14) We're working with the current registrar for the domain to finalize the transfer. Waiting for the current registrar to complete the transfer (step 7 of 14) Your current registrar is confirming that your domain meets the requirements for being transferred. Requirements vary among TLDs, but the following requirements are typical: • You must have registered the domain with the current registrar at least 60 days ago. • If the registration for a domain name expired and had to be restored, it must have been restored at least 60 days ago. • You must have transferred registration for the domain to the current registrar at least 60 days ago. • The domain cannot have any of the following domain name status codes: • clientTransferProhibited • pendingDelete • pendingTransfer • redemptionPeriod Confirming with the registrant contact that the contact initiated the transfer (step 8 of 14) Some TLD registries send the registrant contact another email to confirm that the domain transfer was requested by an authorized user. Synchronizing name servers with the registry (step 9 of 14) This step occurs only if the name servers that you provided as part of the transfer request are different from the name servers that are listed with the current registrar. We'll try to update your name servers to the new name servers that you provided. Synchronizing settings with the registry (step 10 of 14) We're verifying that the transfer has completed successfully, and we're synchronizing your domain-related data with our registrar associate. Sending updated contact information to the registry (step 11 of 14) If you changed the ownership of the domain when you requested the transfer, we're trying to make this change. However, most registries don't allow a transfer of ownership as part of the domain transfer process. Finalizing the transfer to Route 53 (step 12 of 14) We're confirming that the transfer process was successful. Finalizing transfer (step 13 of 14) We're setting up your domain in Amazon Route 53. Transfer Complete (step 14 of 14) Your transfer has been successfully completed. API Version 2013-04-01 31 Amazon Route 53 Developer Guide How Transferring a Domain to Amazon Route 53 Affects the Expiration Date How Transferring a Domain to Amazon Route 53 Affects the Expiration Date for Your Domain Registration When you transfer a domain to another registrar, some TLD registries let you keep the same expiration date for your domain, some registries add a year to the expiration date, and some registries change the expiration date to one year after the transfer date. Note For most TLDs, you can extend the registration period for a domain by up to ten years after you transfer it to Amazon Route 53. For more information, see Extending the Registration Period for a Domain (p. 26). Generic TLDs When you transfer a domain that has a generic TLD (for example, .com) to Amazon Route 53, the new expiration date for the domain is the expiration date with your previous registrar plus one year. Geographic TLDs When you transfer a domain that has a geographic TLD (for example, .co.uk) to Amazon Route 53, the new expiration date for the domain depends on the TLD. Find your TLD in the following table to determine how transferring your domain affects the expiration date. Continent Geographic TLDs and the Effect of Transferring a Domain on the Expiration Date Africa .co.za – The expiration date remains the same. Americas .cl, .com.ar, .com.br – The expiration date remains the same. .ca, .co, .mx, .us – One year is added to the old expiration date. Asia/Oceania .co.nz, .com.au, .com.sg, .jp, .net.au, .net.nz, .org.nz, .ru, .sg – The expiration date remains the same. .in – One year is added to the old expiration date. Europe .ch, .co.uk, .de, .es, .fi, .me.uk, .org.uk, .se – The expiration date remains the same. .berlin, .eu, .io, .me, .ruhr, .wien – One year is added to the old expiration date. .be, .fr, .it, .nl – The new expiration date is one year after the date of transfer. Transferring a Domain to a Different AWS Account If you registered a domain using one AWS account and you want to transfer the domain to another AWS account, you can do so simply by contacting the AWS Support Center and requesting the transfer. When you transfer domain registration between AWS accounts, Amazon Route 53 does not transfer the hosted zone for your domain. If domain registration is associated with one account and the corresponding hosted zone is associated with another account, neither domain registration nor DNS functionality is API Version 2013-04-01 32 Amazon Route 53 Developer Guide Transferring a Domain from Amazon Route 53 affected. The only effect is that you'll need to sign into the Amazon Route 53 console using one account to see the domain, and sign in using the other account to see the hosted zone. Important If you want to transfer the hosted zone to another account, you must manually create the new hosted zone, create resource record sets in the new hosted zone, and update your domain with the name servers for the new hosted zone. To transfer registration for a domain from one AWS account to another, perform the following procedure. To transfer a domain to a different AWS account 1. Using the AWS account that the domain is currently registered to, sign in to the AWS Support Center. Important You must sign in by using the root account that the domain is currently registered to. If you sign in by using an IAM user or any other account, we can't perform the transfer. This requirement prevents unauthorized users from transferring domains to other AWS accounts. 2. Specify the following values: Regarding Accept the default value of Account and Billing Support. Service Accept the default value of Billing. Category Accept the default value of Domain name registration issue. Subject Specify Transfer a domain to another AWS account. Description Provide the following information: • Domain that you want to transfer • Account ID of the AWS account that the domain is currently registered to • Account ID of the AWS account that you want to transfer domain registration to Contact method Specify a contact method and, if you choose Phone, enter the applicable values. 3. Choose Submit. Transferring a Domain from Amazon Route 53 to Another Registrar When you transfer a domain from Amazon Route 53 to another registrar, you get some information from Amazon Route 53 and provide it to the new registrar. The new registrar will do the rest. Important If you're currently using Amazon Route 53 as your DNS service provider and you also want to transfer DNS service to another provider, be aware that the following Amazon Route 53 features don't have direct parallels with features provided by other DNS service providers. You'll need to work with the new DNS service provider to determine how to achieve comparable functionality: • Alias resource record sets • Weighted resource record sets • Latency resource record sets API Version 2013-04-01 33 Amazon Route 53 Developer Guide Transferring a Domain from Amazon Route 53 • Failover resource record sets • Geo resource record sets Usually, you can transfer registration of a domain name to another registrar without much trouble. Requirements vary among TLDs, but the following requirements are typical: • You must have registered the domain with the current registrar at least 60 days ago. • If the registration for a domain name expired and had to be restored, it must have been restored at least 60 days ago. • You must have transferred registration for the domain to the current registrar at least 60 days ago. • The domain cannot have any of the following domain name status codes: • pendingDelete • pendingTransfer • redemptionPeriod • clientTransferProhibited For a current list of domain name status codes and an explanation of what each code means, go to the ICANN website and search for epp status codes. (Search on the ICANN website; web searches sometimes return an old version of the document.) To transfer a domain from Amazon Route 53 to another registrar 1. .fi domains only – If you're transferring a .fi domain to another registrar, order an authorization key from the Finnish Communications Regulatory Authority, the registry for .fi domains. You use the authorization key later in this process. For more information, see Ordering of authorization key on the Finnish Communications Regulatory Authority website. Important The Finnish Communications Regulatory Authority mails the authorization key to you, which can take two weeks or more. Do not continue with this procedure until you have the key. 2. 3. 4. 5. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to transfer to another registrar. On the Your Domains > domain name page, check the value of Domain name status. If it is one of the following values, you can't currently transfer the domain: • pendingDelete • pendingTransfer • redemptionPeriod • clientTransferProhibited For a current list of domain name status codes and an explanation of what each code means, go to the ICANN website and search for epp status codes. (Search on the ICANN website; web searches sometimes return an old version of the document.) 6. 7. If the value of Transfer lock is Enabled, choose Disable. Choose Edit contacts. 8. On the Edit Contact Details for domain name page, for Privacy Protection, select Don't hide contact information for all contacts. 9. In addition, update the contact information so the new registrar can contact you. Choose Save. API Version 2013-04-01 34 Amazon Route 53 Developer Guide Configuring DNSSEC for a Domain 10. All domains except .co.uk, .me.uk, .org.uk, and .fi domains – On the Your Domains > domain name page, at Authorization Code, choose Generate and make note of the authorization code. You'll provide this value to your registrar later in this procedure. .co.uk, .me.uk, and .org.uk domains – Change the IPS tag to the value for the new registrar: a. b. c. Go to the Find a Registrar page on the Nominet website, and find the IPS tag for the new registrar. (Nominet is the registry for .co.uk, .me.uk, and .org.uk domains.) On the Your Domains > domain name page, at IPS Tag, choose Change IPS Tag, and specify the value that you got in step a. Choose Update. .fi domains – Skip this step. 11. If you're not currently using Amazon Route 53 as the DNS service provider for your domain, skip to step 13. If you are currently using Amazon Route 53 as the DNS service provider for the domain, perform the following steps: a. b. c. Choose Hosted Zones. Double-click the name of the hosted zone for your domain. The domain and the hosted zone have the same name. If you want to continue using Amazon Route 53 as the DNS service provider for the domain: Find the NS record for the hosted zone, and make note of the names of the four name servers. These names all begin with ns-. If you do not want to continue using Amazon Route 53 as the DNS service provider for the domain: Make note of the settings for all of your resource record sets except the NS and SOA records. For Amazon Route 53–specific features such as alias resource record sets, you'll need to work with your new DNS service provider to determine how to achieve comparable functionality. 12. If you're transferring DNS service to another provider, use the methods that are provided by the new DNS service to create a hosted zone and resource record sets to reproduce the functionality of your Amazon Route 53 resource record sets. 13. Using the process that is provided by the new registrar, request a transfer of the domain. All domains except .co.uk, .me.uk, .org.uk, and .fi domains – You'll be prompted to enter the authorization code that you got from the Amazon Route 53 console in step 10 of this procedure. If you still want to use Amazon Route 53 as your DNS service provider, specify the names of the Amazon Route 53 name servers that you got in step 11. If you want to use another DNS service provider, specify the names of the name servers that the new provider gave you when you created a new hosted zone in step 12. .fi domains – Go to the Finnish Communications Regulatory Authority website and request a transfer. For more information, see the procedure "Domain name transfer made by domain name holder" on the Transfer of domain name to new holder page. Configuring DNSSEC for a Domain Attackers sometimes hijack traffic to Internet endpoints such as web servers by intercepting DNS requests and returning their own IP addresses to DNS resolvers in place of the actual IP addresses for those endpoints. Users are then routed to the IP addresses provided by the attackers in the spoofed response, for example, to fake websites. API Version 2013-04-01 35 Amazon Route 53 Developer Guide Overview of How DNSSEC Protects Your Domain You can protect your domain from this type of attack, known as DNS spoofing or a man-in-the-middle attack, by configuring Domain Name System Security Extensions (DNSSEC), a protocol for securing DNS traffic. Important Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider. Topics • Overview of How DNSSEC Protects Your Domain (p. 36) • Prerequisites and Limits for Configuring DNSSEC for a Domain (p. 37) • Adding Public Keys for a Domain (p. 37) • Deleting Public Keys for a Domain (p. 38) Overview of How DNSSEC Protects Your Domain When you configure DNSSEC for your domain, a DNS resolver establishes a chain of trust for responses from intermediate resolvers. The chain of trust begins with the TLD registry for the domain (your domain's parent zone) and ends with the authoritative name servers at your DNS service provider. Not all DNS resolvers support DNSSEC; resolvers that don't support DNSSEC don't perform any signature or authenticity validation. Here's how you configure DNSSEC for domains registered with Amazon Route 53 to protect your Internet hosts from DNS spoofing, simplified for clarity: 1. Use the method provided by your DNS service provider to sign the resource record sets in your hosted zone with the private key in an asymmetric key pair. Important Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider. 2. Provide the public key from the key pair to your domain registrar, and specify the algorithm that was used to generate the key pair. The domain registrar forwards the public key and the algorithm to the registry for the top-level domain (TLD). For information about how to perform this step for domains that you registered with Amazon Route 53, see Adding Public Keys for a Domain (p. 37). After you configure DNSSEC, here's how it protects your domain from DNS spoofing: 1. Submit a DNS request, for example, by browsing to a website or by sending an email message. 2. The request is routed to a DNS resolver. Resolvers are responsible for returning the appropriate value to clients based on the request, for example, the IP address for the host that is running a web server or an email server. 3. If the IP address is cached on the DNS resolver (because someone else has already submitted the same DNS request, and the resolver already got the value), the resolver returns the IP address to the client that submitted the request. The client then uses the IP address to access the host. If the IP address isn't cached on the DNS resolver, the resolver sends a request to the parent zone for your domain, at the TLD registry, which returns two values: • The Delegation Signer (DS) record, which is a public key that corresponds with the private key that was used to sign the resource record set. • The IP addresses of the authoritative name servers for your domain. API Version 2013-04-01 36 Amazon Route 53 Developer Guide Prerequisites and Limits for Configuring DNSSEC for a Domain 4. The DNS resolver sends the original request to another DNS resolver. If that resolver doesn't have the IP address, it repeats the process until a resolver sends the request to a name server at your DNS service provider. The name server returns two values: • The resource record set for the domain, such as example.com. Typically this contains the IP address of a host. • The signature for the resource record set, which you created when you configured DNSSEC. 5. The DNS resolver uses the public key that you provided to the domain registrar (and the registrar forwarded to the TLD registry) to do to things: • Establish a chain of trust. • Verify that the signed response from the DNS service provider is legitimate and hasn't been replaced with a bad response from an attacker. 6. If the response is authentic, the resolver returns the value to the client that submitted the request. If the response can't be verified, the resolver returns an error to the user. If the TLD registry for the domain doesn't have the public key for the domain, the resolver responds to the DNS request by using the response that it got from the DNS service provider. Prerequisites and Limits for Configuring DNSSEC for a Domain To configure DNSSEC for a domain, your domain and DNS service provider must meet the following prerequisites: • The registry for the TLD must support DNSSEC.To determine whether the registry for your TLD supports DNSSEC, see Domains that You Can Register with Amazon Route 53 (p. 41). • The DNS service provider for the domain must support DNSSEC. Important Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider. • You must configure DNSSEC with the DNS service provider for your domain before you add public keys for the domain to Amazon Route 53. • The number of public keys that you can add to a domain depends on the TLD for the domain: • .com and .net domains – up to thirteen keys • All other domains – up to four keys Adding Public Keys for a Domain When you're rotating keys or you're enabling DNSSEC for a domain, perform the following procedure after you configure DNSSEC with the DNS service provider for the domain. To add public keys for a domain 1. If you haven't already configured DNSSEC with your DNS service provider, use the method provided by your service provider to configure DNSSEC. 2. 3. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered domains. 4. Choose the name of the domain that you want to add keys for. API Version 2013-04-01 37 Amazon Route 53 Developer Guide Deleting Public Keys for a Domain 5. 6. At the DNSSEC status field, choose Manage keys. Specify the following values: Key type Choose whether you want to upload a key-signing key (KSK) or a zone-signing key (ZSK). Algorithm Choose the algorithm that you used to sign the resource record sets for the hosted zone. Public key Specify the public key from the asymmetric key pair that you used to configure DNSSEC with your DNS service provider. 7. Choose Add. Note You can only add one public key at a time. If you need to add more keys, wait until you receive a confirmation email from Amazon Route 53. 8. When Amazon Route 53 receives a response from the registry, we send an email to the registrant contact for the domain. The email either confirms that the public key has been added to the domain at the registry or explains why the key couldn't be added. Deleting Public Keys for a Domain When you're rotating keys or you're disabling DNSSEC for the domain, delete public keys using the following procedure before you disable DNSSEC with your DNS service provider. We recommend that you wait for up to three days to delete public keys after you rotate keys or disable DNSSEC with your DNS service provider. Note the following: • If you're rotating public keys, we recommend that you wait for up to three days after you add the new public keys to delete the old public keys. • If you're disabling DNSSEC, delete public keys for the domain first. We recommend that you wait for up to three days before you disable DNSSEC with the DNS service for the domain. Caution If DNSSEC is enabled for the domain and you disable DNSSEC with the DNS service, DNS resolvers that support DNSSEC will return a SERVFAIL error to clients, and the clients won't be able to access the endpoints that are associated with the domain. To delete public keys for a domain 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered domains. 3. 4. Choose the name of the domain that you want to delete keys from. At the DNSSEC status field, choose Manage keys. 5. Find the key that you want to delete, and choose Delete. Note You can only delete one public key at a time. If you need to delete more keys, wait until you receive a confirmation email from Amazon Route 53. 6. When Amazon Route 53 receives a response from the registry, we send an email to the registrant contact for the domain. The email either confirms that the public key has been deleted from the domain at the registry or explains why the key couldn't be deleted. API Version 2013-04-01 38 Amazon Route 53 Developer Guide Getting a Domain Name Unsuspended Getting a Domain Name Unsuspended When you register a domain with Amazon Route 53 or transfer a domain from another registrar to Amazon Route 53, we send you a confirmation email. This email includes instructions about how to verify that we have a valid email address for the registrant contact. The email comes from one of the following email addresses: TLDs Email Address that Approval Email Comes from TLDs registered by Amazon Registrar noreply@registrar.amazon.com .com.au and .net.au domains@tppwholesale.com.au (only if you're transferring the domain to Amazon Route 53) .fr nic@nic.fr (only if you're transferring the domain and you're changing the registrant contact at the same time. The email is sent both to the current registrant contact and the new registrant contact.) All others noreply@domainnameverification.net To determine who the registrar is for your TLD, see Domains that You Can Register with Amazon Route 53 (p. 41). If you don't respond to the email within 15 days—for example, because the email ended up in your junk email folder—ICANN requires us to suspend the domain, meaning that it's no longer available on the Internet. To get the domain unsuspended, perform the following procedure to request another copy of the email, and follow the instructions in the email. To get a domain unsuspended 1. 2. 3. 4. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to get unsuspended. On the Registered Domains > domain-name page, confirm that the email address for the registrant contact is valid and an address that you're able to receive email at. If you need to correct the email address, choose Edit Contacts and change the value of Email for the registrant contact. 5. On the Registered Domains > domain-name page, choose Send Email Again. Important If the domain was suspended for abuse, the Send Email Again button isn't available. You must open a case with the AWS Support Center. Accept the default values for Regarding, Service, and Category, and enter the applicable information for Subject, Description, and Contact Method. 6. Follow the instructions in the email. Typically, after you respond to the email, the domain is unsuspended in less than 30 minutes, but it can take up to two hours. API Version 2013-04-01 39 Amazon Route 53 Developer Guide Deleting a Domain Name Registration Deleting a Domain Name Registration For most top-level domains (TLDs), you can delete the registration if you no longer want it. Registries for some TLDs don't allow you to delete a domain name registration; instead, you must wait for it to expire. To determine whether you can delete the registration for your domain, see Domains that You Can Register with Amazon Route 53 (p. 41). If the registry allows you to delete the registration, perform the procedure in this topic. If the registry doesn't allow you to delete a domain name registration, disable automatic renewal of domain registration for this domain. When the Expires on date passes, Amazon Route 53 will automatically delete the registration for the domain. For information about how to change the automatic renewal setting, see Editing Contact Information and Other Settings for a Domain (p. 20). Important If you delete a domain name registration before the registration was scheduled to expire, we will not refund the registration fee. To delete a domain name registration 1. 2. 3. 4. 5. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of your domain. Choose Delete Domain. If the registry for your TLD allows deleting a domain name registration, choose Delete Domain. Downloading a Domain Billing Report AWS invoices don't include the domain name for domain registration charges. If you manage multiple domains and you want to view charges by domain for a specified time period, you can download a domain billing report. This report includes all charges that apply to domain registration, including the following: • • • • Registering a domain Renewing registration for a domain Transferring a domain to Amazon Route 53 Changing the owner of a domain (for some TLDs, this operation is free) The billing report, in CSV format, includes the following values: • The AWS invoice ID that the charge appears on. • The operation (REGISTER_DOMAIN, RENEW_DOMAIN, TRANSFER_IN_DOMAIN, or CHANGE_DOMAIN_OWNER). • The name of the domain. • The charge for the operation in US dollars. • The date and time in ISO 8601 format, for example, 2016-03-03T19:20:25.177Z. For more information about ISO 8601 format, see the Wikipedia article ISO 8601. To download a domain billing report 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. API Version 2013-04-01 40 Amazon Route 53 Developer Guide Domains that You Can Register with Amazon Route 53 2. 3. In the navigation pane, choose Registered Domains. Choose Domain billing report. 4. 5. Choose the date range for the report, and then choose Download domain report. Follow the prompts to open the report or to save it. Domains that You Can Register with Amazon Route 53 The following lists show the top-level domains (TLDs) for which you can register domains with Amazon Route 53. Topics • Generic Top-Level Domains (p. 41) • Geographic Domains (p. 122) Generic Top-Level Domains Generic top-level domains (gTLDs) are global extensions that are used and recognized around the world, such as .com, .net, and .org. They also include specialty domains such as .bike, .condos, and .marketing. Not all gTLDs support internationalized domain names (IDNs). The following list indicates whether each gTLD supports IDNs. For more information about internationalized domain names, see DNS Domain Name Format (p. 2). A | B | C | D | E | F | G | H | I,J | K | L | M | N | O | P | Q | R | S | T | U | V | W,X,Y,Z A .academy, .accountants, .adult, .agency, .apartments, .associates, .auction, .audio .academy Used by educational institutions such as schools and universities. Also used by recruiters, advisors, advertisers, students, teachers, and administrators who are affiliated with educational institutions. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .accountants Used by businesses, groups, and individuals affiliated with the accounting profession. Registration and renewal period One to ten years. API Version 2013-04-01 41 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .adult Used for websites that host adults-only content. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .agency Used by any businesses or groups that identify as agencies. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .apartments Used by real estate agents, landlords, and renters. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 42 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .associates Used by businesses and firms that include the term "associates" in their titles. Also used by any groups or agencies that want to indicate the professional nature of their organizations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .auction Used for events related to auctions and auction-based buying and selling. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Spanish, and Latin. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .audio Used by the audiovisual industry and anyone interested in broadcasting, sound equipment, audio production, and audio streaming. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 43 Amazon Route 53 Developer Guide Generic Top-Level Domains B .band, .bargains, .bike, .bingo, .biz, .black, .blue, .boutique, .builders, .business, .buzz .band Used for sharing information about musical bands and band events. Also used by musicians to connect with their fan base and sell band-related merchandise. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Spanish, and Latin. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .bargains Used for information about sales and promotions. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .bike Used by businesses or groups that cater to cyclists, such as bike stores, motorcycle dealerships, and repair shops. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 44 Amazon Route 53 Developer Guide Generic Top-Level Domains .bingo Used for online gaming websites or for sharing information about the game of bingo. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .biz Used for business or commercial use. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .black Used by those who like the color black or those who want to associate the color black with their business or brand. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .blue Used by those who like the color blue or those who want to associate the color blue with their business or brand. Registration and renewal period One to ten years. API Version 2013-04-01 45 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .boutique Used for information about boutiques and small specialty shops. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .builders Used by companies and individuals affiliated with the construction industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .business Used by any kind of business. Can be used as an alternative to the .biz extension. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 46 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .buzz Used for information about the latest news and events. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. C .cab, .cafe, .camera, .camp, .capital, .cards, .care, .careers, .cash, .casino, .catering, .center, .ceo, .chat, .cheap, .church, .city, .claims, .cleaning, .click, .clinic, .clothing, .cloud, .club, .coach, .codes, .coffee, .college, .com, .community, .company, .computer, .condos, .construction, .consulting, .contractors, .cool, .coupons, .credit, .creditcard, .cruises .cab Used by companies and individuals affiliated with the taxicab industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cafe Used by cafe businesses and those who have an interest in cafe culture. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 47 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .camera Used by photography enthusiasts and anyone who wants to share photos. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .camp Used by parks and recreation departments, summer camps, writers' workshops, fitness camps, and camping enthusiasts. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .capital Used as a general category that describes any kind of capital, such as financial capital or the capital of a city. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 48 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cards Used by businesses that specialize in cards such as ecards, printed greeting cards, business cards, and playing cards. Also ideal for gamers who want to discuss the rules and strategies of card games. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .care Used by businesses or agencies in the care-giving field. Also used by charitable organizations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .careers Used for information about job recruitment. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 49 Amazon Route 53 Developer Guide Generic Top-Level Domains .cash Used by any organization, group, or individual engaged in money-related activities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .casino Used by the gambling industry or by gamers who want to share information about gambling and casino games. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .catering Used by catering businesses or those who share information about food-related events. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .center Used as a generic extension for everything from research organizations to community centers. Registration and renewal period One to ten years. API Version 2013-04-01 50 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .ceo Used for information about CEOs and their equals. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for German. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .chat Used by any kind of online chat website. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cheap Used by e-commerce websites to promote and sell inexpensive products. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). API Version 2013-04-01 51 Amazon Route 53 Developer Guide Generic Top-Level Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .church Used by churches of any size or denomination to connect with their congregations and to publish information about church-related events and activities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .city Used to provide information about specific cities, such as points of interest, top local spots to visit, or neighborhood activities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .claims Used by companies that handle insurance claims or provide legal services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cleaning Used by businesses or individuals that provide cleaning services. API Version 2013-04-01 52 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .click Used by businesses that want to associate the action of clicking with their websites, for example, clicking products on a website to purchase them. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .clinic Used by the health care industry and by medical professionals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .clothing Used by those in the fashion industry, including retailers, department stores, designers, tailors, and outlets. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 53 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cloud Used as a general extension, but ideal for companies that provide cloud computing technologies and services. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .club Used by any type of club or organization. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Spanish and Japanese. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .coach Used by anyone with an interest in coaching, such as sports professionals, lifestyle coaches, or corporate trainers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 54 Amazon Route 53 Developer Guide Generic Top-Level Domains .codes Used as a generic extension for all kinds of code, such as codes of conduct, building codes, or programming code. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .coffee Used by those in the coffee industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .college Used by educational institutions such as schools and universities. Also used by recruiters, advisors, advertisers, students, teachers, and administrators who are affiliated with educational institutions. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Arabic, simplified and traditional Chinese, Cyrillic, Greek, Hebrew, Japanese, and Thai. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .com Used for commercial websites. It is the most popular extension on the Internet. Registration and renewal period One to ten years. Privacy protection All information is hidden. API Version 2013-04-01 55 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is Amazon Registrar, Inc. .community Used by any type of community, club, organization, or special interest group. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .company Used as a generic extension for companies of all kinds. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .computer Used as a generic extension for information about computers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). API Version 2013-04-01 56 Amazon Route 53 Developer Guide Generic Top-Level Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .condos Used by individuals and businesses associated with condominiums. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .construction Used by those in the construction industry, such as builders and contractors. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .consulting Used by consultants and others who are affiliated with the consulting industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .contractors Used by contractors, such as contractors in the construction industry. Registration and renewal period One to ten years. API Version 2013-04-01 57 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cool Used by organizations and groups who want to associate their brand with the latest trends. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .coupons Used by retailers and manufacturers that provide online coupons and coupon codes. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .credit Used by the credit industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 58 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .creditcard Used by companies or banks that issue credit cards. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .cruises Used by the voyage industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. D .dance, .dating, .deals, .delivery, .democrat, .dental, .diamonds, .diet, .digital, .direct, .directory, .discount, .dog, .domains .dance Used by dancers, dance instructors, and dance schools. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. API Version 2013-04-01 59 Amazon Route 53 Developer Guide Generic Top-Level Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .dating Used for dating websites. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .deals Used to provide information about online bargains and sales. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .delivery Used by companies that deliver any kind of merchandise or service. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .democrat Used for information about the Democratic Party. Also used by officials running for elected office, elected officials, political enthusiasts, consultants, and advisors. API Version 2013-04-01 60 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .dental Used by dental professionals and dental suppliers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .diamonds Used by diamond enthusiasts and those in the diamond industry, including sellers, resellers, and merchandisers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .diet Used by health and fitness professionals. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. API Version 2013-04-01 61 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .digital Used for anything and everything digital, but ideal for technology businesses. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .direct Used as a general extension, but ideal for those who sell products directly to customers through an e-commerce website. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .directory Used by the media sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 62 Amazon Route 53 Developer Guide Generic Top-Level Domains .discount Used for discount websites and businesses that slash prices. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .dog Used by dog lovers and those who provide canine services and products. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .domains Used for information about domain names. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. E .education, .email, .energy, .engineering, .enterprises, .equipment, .estate, .events, .exchange, .expert, .exposed, .express API Version 2013-04-01 63 Amazon Route 53 Developer Guide Generic Top-Level Domains .education Used for information about education. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .email Used for information about promoting email. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .energy Used as a general extension, but ideal for those in the energy or energy conservation fields. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .engineering Used by engineering firms and professionals. Registration and renewal period One to ten years. API Version 2013-04-01 64 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .enterprises Used for information about enterprises and businesses. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .equipment Used for information about equipment, equipment retailers or manufacturers, and rental shops. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .estate Used for information about housing and the housing sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 65 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .events Used for information about events of all kinds. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .exchange Used for any type of exchange: the stock exchange, the exchange of goods, or even the simple exchange of information. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .expert Used by those who have specialized knowledge in a variety of fields. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 66 Amazon Route 53 Developer Guide Generic Top-Level Domains .exposed Used as a generic extension for a variety of subjects, including photography, tabloids, and investigative journalism. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .express Used as a general extension, but ideal for those who want to emphasize the speedy delivery of good or services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. F .fail, .farm, .finance, .financial, .fish, .fitness, .flights, .florist, .flowers, .football, .forsale, .foundation, .fund, .furniture, .futbol, .fyi .fail Used by anyone who has made mistakes, but ideal for publishing humorous "fail" blunders and bloopers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 67 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .farm Used by those in the farming industry, such as farmers and agricultural engineers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .finance Used by the financial sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .financial Used by the financial sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 68 Amazon Route 53 Developer Guide Generic Top-Level Domains .fish Used as a general extension, but ideal for websites related to fish and fishing. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .fitness Used to promote fitness and fitness services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .flights Used by travel agents, airlines, and anyone affiliated with the travel industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .florist Used by florists. Registration and renewal period One to ten years. API Version 2013-04-01 69 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .flowers Used for anything related to flowers, such as online flower sales or information about flower growing and breeding. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .football Used by anyone involved in the sport of football. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .forsale Used for selling goods and services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. API Version 2013-04-01 70 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .foundation Used by non-profit organizations, charities, and other kinds of foundations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .fund Used as a general extension for anything related to funding. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .furniture Used by furniture makers and sellers and anyone affiliated with the furniture industry. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .futbol Used for information about soccer (futbol). API Version 2013-04-01 71 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .fyi Used as a general extension, but ideal for sharing information of all kinds. "FYI" is an acronym for "for your information." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. G .gallery, .gift, .gifts, .glass, .global, .gold, .golf, .graphics, .gratis, .green, .gripe, .guide, .guitars, .guru .gallery Used by owners of art galleries. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .gift Used by businesses or organizations that sell gifts or provide gift-related services. API Version 2013-04-01 72 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .gifts Used by businesses or organizations that sell gifts or provide gift-related services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .glass Used by those in the glass industry, such as glass cutters and window installers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .global Used by businesses or groups with an international market or vision. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Arabic, Belarusian, Bosnian, Bulgarian, Chinese (Simplified) Chinese (Traditional), Danish, German, Hindi, Hungarian, Icelandic, Korean, Latvian, Lithuanian, Macedonian, Montenegrin, Polish, Russian, Serbian, Spanish, Swedish, and Ukrainian. API Version 2013-04-01 73 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .gold Used as a general extension, but ideal for companies that purchase or sell gold or gold-related products. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .golf Used for websites devoted to the game of golf. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .graphics Used by those in the graphics industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 74 Amazon Route 53 Developer Guide Generic Top-Level Domains .gratis Used for websites that offer free products, such as promotional items, downloads, or coupons. "Gratis" is a Spanish word that means "free." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .green Used for websites devoted to conservation, ecology, the environment, and the green lifestyle. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .gripe Used for sharing complaints and criticism. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .guide Used as a general extension, but ideal for websites that focus on travel destinations, services, and products. Registration and renewal period One to ten years. API Version 2013-04-01 75 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .guitars Used by guitar enthusiasts. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .guru Used by those who want to share their knowledge about a variety of subjects. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. H .haus, .healthcare, .help, .hiv, .hockey, .holdings, .holiday, .host, .hosting, .house .haus Used by real estate and construction industries. "Haus" is a German word that means "house." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 76 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .healthcare Used by the heathcare sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .help Used as a general extension, but ideal for websites that provide online help and information. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .hiv Used for websites devoted to the fight against HIV. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .hockey Used for websites devoted to the game of hockey. Registration and renewal period One to ten years. API Version 2013-04-01 77 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .holdings Used by financial advisors, stockbrokers, and those who work with investments. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .holiday Used by those in the travel industry and individuals and businesses involved in party planning and special occasions. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .host Used by companies that provide web hosting platforms and services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 78 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .hosting Used for hosting websites or by those in the hosting industry. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .house Used by real estate agents and buyers and sellers of houses. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. I,J .immo, .immobilien, .industries, .info, .ink, .institute, .insure, .international, .investments, .irish, .jewelry, .juegos .immo Used by the real estate sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 79 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .immobilien Used for information about real estate. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .industries Used by any business or commercial enterprise that wants to identify as an industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .info Used for the dissemination of information. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .ink Used by tattoo enthusiasts or any industry related to ink, such as printing and publishing industries. API Version 2013-04-01 80 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Arabic and Latin. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .institute Used by any organization or group, especially research and educational organizations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .insure Used by insurance companies and insurance brokers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .international Used by businesses that have international chains, individuals who travel internationally, or charity organizations with an international influence. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 81 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .investments Used as a general extension, but ideal for promoting investment opportunities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .irish Used for promoting Irish culture and organizations. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .jewelry Used by jewelry sellers and buyers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .juegos Used for gaming websites of all kinds. "Juegos" is a Spanish word that means "games." API Version 2013-04-01 82 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. K .kaufen, .kim, .kitchen, .kiwi .kaufen Used for information about e-commerce. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .kim Used by people whose name or surname is Kim. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .kitchen Used by kitchen retailers, cooks, food bloggers, and anyone in the food industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address API Version 2013-04-01 83 Amazon Route 53 Developer Guide Generic Top-Level Domains • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .kiwi Used by companies and individuals who want to support New Zealand kiwi culture. It is also used as a platform for charitable aid in the reconstruction of Christchurch, damaged by earthquakes in 2010 and 2011. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Maori. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. L .land, .lease, .legal, .lgbt, .life, .lighting, .limited, .limo, .link, .live, .loan, .loans, .lol .land Used by farmers, real estate agents, commercial developers, and anyone with an interest in property. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .lease Used by realtors, landlords, and renters. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 84 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .legal Used by members of the legal profession. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .lgbt Used by the community of lesbian, gay, bisexual, and transgender people. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .life Used as a general extension, and suitable for a wide range of businesses, groups, and individuals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .lighting Used by photographers, designers, architects, engineers, and others with an interest in lighting. API Version 2013-04-01 85 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .limited Used as a general extension, and suitable for a wide range of businesses, groups, and individuals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .limo Used by chauffeurs, limousine companies, and car rental agencies. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .link Used for information about the creation of online shortcut links. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. API Version 2013-04-01 86 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .live Used as a general extension, and suitable for a wide range of businesses, groups, and individuals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .loan Used by lenders, borrowers, and credit professionals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Danish, German, Norwegian, and Swedish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .loans Used by lenders, borrowers, and credit professionals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 87 Amazon Route 53 Developer Guide Generic Top-Level Domains .lol Used for humor and comedy websites. "LOL" is an acronym for "laugh out loud." Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic, French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. M .maison, .management, .marketing, .mba, .media, .memorial, .mobi, .moda, .money, .mortgage, .movie .maison Used by the real estate sector. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .management Used for information about the business world and company management. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .marketing Used by the marketing sector for a variety of purposes. API Version 2013-04-01 88 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .mba Used for websites that provide information about the master's degree in business administration (MBA). Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .media Used by the media and entertainment sectors. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .memorial Used by commemorative organizations dedicated to honoring events and people. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address API Version 2013-04-01 89 Amazon Route 53 Developer Guide Generic Top-Level Domains • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .mobi Used by companies and individuals who want to have their websites accessible on mobile phones. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .moda Used for information about fashion. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .money Used for websites that focus on money and money-related activities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .mortgage Used by the mortgage industry. API Version 2013-04-01 90 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .movie Used for websites that provide information about movies and movie-making. Suitable for both professionals and fans. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chines, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. N .name, .net, .network, .news, .ninja .name Used by anyone who wants to create a personalized web presence. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .net Used for all types of websites. The .net extension is an abbreviation of network. API Version 2013-04-01 91 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection All information is hidden. Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is Amazon Registrar, Inc. .network Used by those in the network industry or those who want to build connections through networking. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .news Used for distributing any newsworthy information such as current events or information related to journalism and communication. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .ninja Used by individuals and businesses who want to associate themselves with the abilities of a ninja. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 92 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. O .onl, .online, .org .onl The .onl extension is an abbreviation for "online," and it is also the short term in Spanish for non-profit organization. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Arabic, Belarussian, Bosnian, Bulgarian, Chinese (Simplified and Traditional), Danish, German, Hindi, Hungarian, Icelandic, Korean, Lithuanian, Latvian, Macedonian, Polish, Russian, Serbian, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .online The .onl extension is an abbreviation for "online," and it is also the short term in Spanish for non-profit organization. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .org Used by all kinds of organizations. Registration and renewal period One to ten years. Privacy protection All information is hidden. API Version 2013-04-01 93 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is Amazon Registrar, Inc. P .partners, .parts, .photo, .photography, .photos, .pics, .pictures, .pink, .pizza, .place, .plumbing, .plus, .poker, .porn, .pro, .productions, .properties, .property, .pub .partners Used by law firms, investors, and a variety of companies. Also used for social websites that build relationships. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .parts Used as a general extension, but ideal for parts manufacturers, sellers, and buyers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .photo Used by photographers and anyone interested in photos. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. API Version 2013-04-01 94 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .photography Used by photographers and anyone interested in photos. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .photos Used by photographers and anyone interested in photos. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .pics Used by photographers and anyone interested in photos. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .pictures Used by anyone interested in photography, art, and media. Registration and renewal period One to ten years. API Version 2013-04-01 95 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .pink Used by those who like the color pink or those who want to associate the color pink with their business or brand. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .pizza Used by pizza restaurants and pizza lovers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .place Used as a general extension, but ideal for the home and travel sectors. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 96 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .plumbing Used by those in the plumbing industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .plus Used as a general extension, but ideal for plus-size clothing, add-on software, or any product that offers "extra" features or dimensions. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .poker Used by poker players and gaming websites. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .porn Used for adults-only websites. API Version 2013-04-01 97 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .pro Used by licensed and credentialed professionals and professional organizations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .productions Used by studios and production houses that make commercials, radio ads, and music videos. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .properties Used for information about any type of property, including real estate or intellectual property. Also used by those who have houses, buildings, or land to sell, lease, or rent. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 98 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .property Used for information about any type of property, including real estate or intellectual property. Also used by those who have houses, buildings, or land to sell, lease, or rent. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .pub Used by those in the publication, advertising, or brewing business. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Q .qpon .qpon Used for coupons and promo codes. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Spanish. API Version 2013-04-01 99 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. R .recipes, .red, .reise, .reisen, .rentals, .repair, .report, .republican, .restaurant, .reviews, .rich, .rip, .rocks, .run .recipes Used by those with recipes to share. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .red Used by those who like the color red or those who want to associate the color red with their business or brand. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .reise Used for websites related to travels or journeys. "Reise" is a German word that means "rise," "arise," or "set out on a journey." Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Chinese, French, German, and Spanish. API Version 2013-04-01 100 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .reisen Used for websites related to travels or journeys. "Reisen" is a German word that means "to arise" or "to set out on a journey." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .rentals Used for all types of rentals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .repair Used by repair services or by those who want to teach others how to repair all kinds of items. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 101 Amazon Route 53 Developer Guide Generic Top-Level Domains .report Used as a general extension, but ideal for information about business reports, community publications, book reports, or news reporting. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .republican Used for information about the Republican Party. Also used by officials running for elected office, elected officials, political enthusiasts, consultants, and advisors. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .restaurant Used by the restaurant industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .reviews Used by those who want give their opinions and read the comments of others. Registration and renewal period One to ten years. API Version 2013-04-01 102 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .rich Used for information about wealthy people, including celebrities from the worlds of industry, art, fashion, sports, and entertainment. Also used by providers of luxury services and brands. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Arabic, Belarussian, Bosnian, Bulgarian, Chinese (Simplified and Traditional), Danish, German, Hindi, Hungarian, Icelandic, Korean, Lithuanian, Latvian, Macedonian, Polish, Russian, Serbian, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .rip Used for websites dedicated to death and memorials. "RIP" is an acronym for "rest in peace." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .rocks Used as a general extension, but ideal for anyone who “rocks”: musicians, geologists, jewelers, climbers, and more. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 103 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .run Used as a general extension, but ideal for the fitness and sports industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. S .sale, .sarl, .school, .schule, .services, .sex, .sexy, .shiksha, .shoes, .show, .singles, .soccer, .social, .solar, .solutions, .studio, .style, .sucks, .supplies, .supply, .support, .surgery, .systems .sale Used by e-commerce websites. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .sarl Used by limited liability companies typically located in France. "SARL" is an acronym for Société à Responsabilité Limité. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address API Version 2013-04-01 104 Amazon Route 53 Developer Guide Generic Top-Level Domains • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .school Used for information about education, educational institutions, and school-related activities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .schule Used for information about German-based education, educational institutions, and school-related activities. "Schule" is a German word that means "school." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .services Used for websites that focus on services of any kind. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). API Version 2013-04-01 105 Amazon Route 53 Developer Guide Generic Top-Level Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .sex Used for adults-only content. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .sexy Used for sexual content. Also used for describing the most popular and exciting brands, products, information, and websites. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .shiksha Used by educational institutions. "Shiksha" is an Indian term for school. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .shoes Used by shoe retailers, designers, manufacturers, or fashion bloggers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address API Version 2013-04-01 106 Amazon Route 53 Developer Guide Generic Top-Level Domains • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .show Used as a general extension, but ideal for the entertainment industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .singles Used by dating services, resorts, and other businesses that cater to those who want to make a connection. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .soccer Used for websites dedicated to the game of soccer. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. API Version 2013-04-01 107 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .social Used for information about social media, forums, and online conversations. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .solar Used for information about the solar system or solar energy. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .solutions Used by consultants, do-it-yourself services, and advisors of all kinds. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .studio Used as a general extension, but ideal for those in the real estate, art, or entertainment industries. API Version 2013-04-01 108 Amazon Route 53 Developer Guide Generic Top-Level Domains Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .style Used as a general extension, but ideal for websites dedicated to the latest trends, especially trends in fashion, design, architecture, and art. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .sucks Used as a general extension, but ideal for those who want to share negative experiences or warn others about scams, frauds, or faulty products. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .supplies Used by businesses that sell goods online. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 109 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .supply Used by businesses that sell goods online. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .support Used by businesses, groups, or charities that offer any kind of support, including customer, product, or system support or emotional, financial, or spiritual support. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .surgery Used for information about surgery, medicine, and healthcare. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). API Version 2013-04-01 110 Amazon Route 53 Developer Guide Generic Top-Level Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .systems Used primarily by the technology industry and those who offer technology services. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. T .tattoo, .tax, .taxi, .team, .technology, .tennis, .theater, .tienda, .tips, .tires, .today, .tools, .tours, .town, .toys, .trade, .training, .tv .tattoo Used by tattoo enthusiasts and the tattoo industry. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Cyrillic (primarily Russian), French, German, Italian, Portuguese, and Spanish. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .tax Used for information about taxes, tax preparation, and tax law. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 111 Amazon Route 53 Developer Guide Generic Top-Level Domains .taxi Used by cab, chauffeur, and shuttle companies. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .team Used by any business or organization that wants to identify as a team. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .technology Used by technology enthusiasts and those dedicated to technology in companies, services, and manufacturers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tennis Used for information related to the game of tennis. Registration and renewal period One to ten years. API Version 2013-04-01 112 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .theater Used for websites dedicated to theaters, plays, and musicals. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tienda Used by retail businesses that want to connect with Spanish-speaking consumers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tips Used by those who want to share their knowledge and advice on virtually any topic. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. API Version 2013-04-01 113 Amazon Route 53 Developer Guide Generic Top-Level Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tires Used by manufacturers, distributors, or buyers of tires. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .today Used for information about current events, news, weather, entertainment, and more. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tools Used for information about any kind of tool. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 114 Amazon Route 53 Developer Guide Generic Top-Level Domains .tours Used as a general extension, but ideal for travel companies. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Chinese, French, German, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .town Used to promote a city's locale, culture, and community. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .toys Used by the toy industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .trade Used as a general extension, but ideal for commerce websites or trading services. Registration and renewal period One to ten years. API Version 2013-04-01 115 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Danish, German, Norwegian, and Swedish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .training Used by trainers, coaches, and educators. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .tv Used for information about television and media. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. U .university, .uno .university Used by universities and other educational organizations. Registration and renewal period One to ten years. API Version 2013-04-01 116 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .uno Used for information about the Hispanic, Portuguese, and Italian communities. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. V .vacations, .vegas, .ventures, .viajes, .video, .villas, .vision, .voyage .vacations Used by the travel and tourism industry. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .vegas Used to promote the city of Las Vegas and the Las Vegas lifestyle. Registration and renewal period One to ten years. API Version 2013-04-01 117 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .ventures Used by entrepreneurs, startups, venture capitalists, investment banks, and financiers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .viajes Used by travel agencies, tour operators, travel blogs, tour companies, rental services, travel bloggers, and travel retailers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .video Used by media and video industries. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name API Version 2013-04-01 118 Amazon Route 53 Developer Guide Generic Top-Level Domains Internationalized domain names Supported for Chinese, French, German, Latin, and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .villas Used by real estate agents and property owners who have villas to sell, rent, or lease. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .vision Used as a general extension, but ideal for vision specialists such as optometrists and ophthalmologists. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .voyage Used by travel agencies, tour operators, travel blogs, tour companies, rental services, travel bloggers, and travel retailers. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 119 Amazon Route 53 Developer Guide Generic Top-Level Domains W,X,Y,Z .watch, .website, .wiki, .works, .world, .wtf, .xyz, .zone .watch Used for information about streaming websites, web TVs, video, or watches. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .website Used for information about website development, promotion, improvements, and experiences. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .wiki Used for information about online documentation. Registration and renewal period One to ten years. Privacy protection Not supported. Internationalized domain names Supported for Arabic and Latin. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .works Used by businesses, organizations, and individuals for information about work, job, and employment services. This extension can be used as an alternative to the .com, .net, or .org extensions. Registration and renewal period One to ten years. API Version 2013-04-01 120 Amazon Route 53 Developer Guide Generic Top-Level Domains Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .world Used by anyone who wants to provide information about global subjects. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .wtf Used by anyone who wants to identify with the popular (but profane) acronym "WTF." Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .xyz Used as a general extension for any purpose. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. API Version 2013-04-01 121 Amazon Route 53 Developer Guide Geographic Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .zone Used for information about any kind of zone, including time zones, climate zones, and sports zones. Registration and renewal period One to ten years. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported for French and Spanish. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Geographic Domains The following domain extensions are grouped by geography and include official country-specific extensions known as country code top-level domains (ccTLDs). Examples include .be (Belgium), .in (India), and .mx (Mexico). The rules for registration of ccTLDs vary by country. Some countries are unrestricted, meaning that anyone in the world can register, while others have certain restrictions, such as residency. Not all ccTLDs support internationalized domain names (IDNs). The following list indicates whether each ccTLD supports IDNs. For more information about internationalized domain names, see DNS Domain Name Format (p. 2). Geographic Regions • Africa (p. 122) • Americas (p. 123) • Asia/Oceania (p. 126) • Europe (p. 131) Africa .co.za .co.za (South Africa) Registration and renewal period One year. Restrictions Only second-level domains are available for the .za extension. Amazon Route 53 supports the second-level domain .co.za. Open to the public, with some restrictions: • Registration is open to identifiable legal entities (individuals and legal persons). API Version 2013-04-01 122 Amazon Route 53 Developer Guide Geographic Domains • The domain name must pass a zone check during the registration process. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Americas .ca, .cl, .co, .com.ar, .com.br, .mx, .us .ca (Canada) Confirmation email from the TLD registry When you register a .ca domain, you will receive an email with a link to the acceptation procedure of the registrant agreement.You must complete the procedure within seven days or your domain will not be registered. Registration and renewal period One to ten years. Restrictions Open to the public, with some restrictions: • Registration is open to individuals or organizations connected to Canada, as described by the Canadian Presence Requirements for Registrants. • Registrant contact:You must provide the full and exact legal name of the owner of the domain. • Admin and tech contacts: You must specify Person as the contact type and provide contact information for individuals living in Canada. • You must select one of the following legal types during the registration process: • CCO represents a corporation. • CCT represents a Canadian citizen. • RES represents a Canadian resident. • GOV represents a government entity. • EDU represents an educational entity. • ASS represents an unincorporated association. • HOP represents a hospital. • PRT represents a partnership. • TDM represents a trademark. • TRD represents a trade union. • PLT represents a political party. • LAM represents libraries, archives, and museums. • TRS represents a trust. • ABO represents Aboriginal Peoples. • INB represents Indian Band. • LGR represents legal representative. • OMK represents an official mark (protected by the Trademarks Act). • MAJ represents Her Majesty the Queen. API Version 2013-04-01 123 Amazon Route 53 Developer Guide Geographic Domains Privacy protection • Person – For all contacts, contact name, address, phone number, fax number, and email address are hidden. • Company, association, or public body – Not supported. Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .ca domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .cl (Chile) Registration and renewal period Two years. Restrictions Open to the public, with some restrictions: • The .cl extension is open to individuals who are present or a resident of Chile and to companies that are duly authorized to perform business in Chile. • A local administrative contract is required for persons who do not reside in Chile. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .co (Colombia) Registration and renewal period One to five years. Restrictions Open to the public, with no restrictions. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .com.ar (Argentina) Registration and renewal period One year. API Version 2013-04-01 124 Amazon Route 53 Developer Guide Geographic Domains Restrictions Only second-level domains are available. Amazon Route 53 supports the second-level domain .com.ar. Open to the public, with some restrictions: • A local presence is required. • During the registration process, you must provide your ID number. For individuals, this might be your passport number, national ID, or driver's license number. Companies and organizations can provide their tax ID or VAT number. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .com.br (Brazil) Registration and renewal period One year. Restrictions Only second-level domains are available. Amazon Route 53 supports the second-level domain .com.br. Open to the public, with some restrictions: • The .com.br is open to individuals and companies that are legally located or established in Brazil. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .mx (Mexico) Registration and renewal period One to five years. Restrictions Open to the public, with no restrictions. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .us (United States) Registration and renewal period One to ten years. API Version 2013-04-01 125 Amazon Route 53 Developer Guide Geographic Domains Restrictions The registry for .us domains doesn't allow domain names that contain any of the seven words identified in the "Appendix to Opinion of the Court" of Federal Communications Commission v. Pacifica Foundation No. 77-528. Open to the public, with one restriction: • The .us extension is for websites or activities that are located in the United States of America. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Asia/Oceania .co.nz, .com.au, .com.sg, .in, .jp, .io, .net.au, .net.nz, .org.nz, .ru, .sg .co.nz (New Zealand) Registration and renewal period One to ten years. Restrictions Your can register the following second-level domains with Amazon Route 53: .co.nz, .net.nz, and .org.nz. You can't register .nz (first-level) domains with Amazon Route 53 or transfer .nz domains to Amazon Route 53. Open to the public, with some restrictions: • Individuals must be at least 18. • Organizations must be registered. Privacy protection Not supported. Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .com.au (Australia) Confirmation email from the TLD registry Our registrar partner, Gandi, resells .com.au domains through the Australian company TPP Wholesale. When you transfer a domain name to Amazon Route 53, tppwholesale.com.au sends an email to the registrant contact for the domain to verify contact information or to authorize transfer requests. Registration and renewal period Two years. Restrictions Only second-level domains are available. Amazon Route 53 supports the second-level domains .com.au and net.au. Open to the public, with some restrictions: API Version 2013-04-01 126 Amazon Route 53 Developer Guide Geographic Domains • The .com.au and .net.au domains are open to legal persons, partnerships, or sole traders registered in Australia; to foreign companies licensed to trade in Australia; and to owners or applicants of an Australian-registered trademark. • Your domain name must be identical to your name (as registered with the relevant Australian authorities) or to your trademark (or to the abbreviation or acronym for your trademark). • The domain name should indicate your activity. For example, it should indicate a product that you sell or a service that you provide. • During the registration process, you must provide the following information: • Your registration type: ABN (Australian Business Number), ACN (Australian Company Number), RBN (Registered Business Number), or TM (Trademark) if the domain name corresponds to your trademark. • Your ID number, which can be a Medicare card number, a tax file number (TFN), a state driver's license number, or an Australian Business Number (ABN). • Your state or province. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .com.au domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .com.sg (Republic of Singapore) Registration and renewal period One year. Restrictions Amazon Route 53 supports the .sg extension plus a second-level domain, .com.sg. Open to the public, with one restriction: • A Singapore presence is required. You must provide the national identification number of the registrant. In Singapore, a National Registration Identity Card (NRIC) is issued to Singapore citizens and permanent residents. Deletion of domain registration The registry for .com.sg domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). Privacy protection Determined by the registry Internationalized domain names Supported for two to 18 Chinese characters. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .in (India) Registration and renewal period One to ten years. API Version 2013-04-01 127 Amazon Route 53 Developer Guide Geographic Domains Restrictions Open to the public, with no restrictions. Privacy protection Not supported. Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .jp (Japan) Domain transfer To transfer a .jp domain to Amazon Route 53, use the method provided by your current domain registrar to update the value of the AGNT code for the domain to AGNT-1744, all uppercase. Registration and renewal period One year. Restrictions Open to the public, with one restriction: • Only individuals or companies in Japan can register a .jp domain name. Privacy protection Determined by the registry Internationalized domain names Supported for Japanese. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .io (British Indian Ocean Territory) Registration and renewal period One year. Restrictions Open to the public, with no restrictions. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .io domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .net.au (Australia) Confirmation email from the TLD registry Our registrar partner, Gandi, resells .net.au domains through the Australian company TPP Wholesale. When you transfer a domain name to Amazon Route 53, tppwholesale.com.au sends an email to the registrant contact for the domain to verify contact information or to authorize transfer requests. API Version 2013-04-01 128 Amazon Route 53 Developer Guide Geographic Domains Registration and renewal period Two years. Restrictions Only second-level domains are available. Amazon Route 53 supports the second-level domains .com.au and net.au. Open to the public, with some restrictions: • The .com.au and .net.au domains are open to legal persons, trading, partnerships, or sole traders registered in Australia; to foreign companies licensed to trade in Australia; and to owners or applicants of an Australian-registered trademark. • Your domain name must be identical to your name, as registered with the relevant Australian authorities or to your trademark (or to the abbreviation or acronym). • The domain name should indicate your activity. For example, it should indicate a product that you sell or a service that you provide. • During the registration process, you must indicate the following: • Your registration type: ABN (Australian Business Number), ACN (Australian Company Number), RBN (Business Registration Number), or TM (Trademark) if the domain name corresponds to your trademark. • Your ID number, which can be a Medicare card number, a tax file number (TFN), a state driver's license number, or an Australian Business Number (ABN). • Your state or province. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .net.au domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .net.nz (New Zealand) Registration and renewal period One to ten years. Restrictions Your can register the following second-level domains with Amazon Route 53: .co.nz, .net.nz, and .org.nz. You can't register .nz (first-level) domains with Amazon Route 53 or transfer .nz domains to Amazon Route 53. Open to the public, with some restrictions: • Individuals must be at least 18. • Organizations must be registered. Privacy protection Not supported. Internationalized domain names Supported. DNSSEC Not supported. API Version 2013-04-01 129 Amazon Route 53 Developer Guide Geographic Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .org.nz (New Zealand) Registration and renewal period One to ten years. Restrictions Your can register the following second-level domains with Amazon Route 53: .co.nz, .net.nz, and .org.nz. You can't register .nz (first-level) domains with Amazon Route 53 or transfer .nz domains to Amazon Route 53. Open to the public, with some restrictions: • Individuals must be at least 18. • Organizations must be registered. Privacy protection Not supported. Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .ru (Russian Federation) Domain transfer If you're transferring a .ru domain to Amazon Route 53, you don't need to specify an authorization code. Instead, use the method provided by RU-Center, the registry for .ru domains, to update the Partner Handle for the domain to 5427/NIC-REG. For more information, see the Registrar's or Registrant's Transfer page on the RU-Center website. Registration and renewal period One year. Restrictions Open to the public, with some restrictions: • Individuals might need to provide a passport number or government-issued ID number. • Foreign companies might need to provide a company ID or company registration. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .ru domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .sg (Republic of Singapore) Registration and renewal period One year. Restrictions Amazon Route 53 supports the .sg extension plus a second-level domain, .com.sg. These domains are open to the public, with some restrictions: • The administrative contact must have a valid postal address in Singapore. API Version 2013-04-01 130 Amazon Route 53 Developer Guide Geographic Domains Privacy protection Determined by the registry Internationalized domain names Supported for two to 18 Chinese characters. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .sg domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). Europe .be, .berlin, .ch, .co.uk, .de, .es, .eu, .fi, .fr, .it, .me, .me.uk, .nl, .org.uk, .ruhr, .se, .uk, .wien .be (Belgium) Registration and renewal period One year. Restrictions Open to the public, with no restrictions. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .berlin (city of Berlin in Germany) Registration and renewal period One to ten years. Restrictions Open to the public, with some restrictions: • The owner, administrative, or technical contact must provide an address in Berlin, and the administrative contact must be an individual. • You must activate and use your .berlin domain within 12 months following its registration (applies to a website, redirection, or email address). • If you publish a website under your .berlin domain, or if your .berlin domain redirects to another website, the content of the website must be related to Berlin. Privacy protection Not supported. Internationalized domain names Supported for Latin and Cyrillic. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 131 Amazon Route 53 Developer Guide Geographic Domains .ch (Switzerland) Registration and renewal period One year. Restrictions Open to the public, with no restrictions. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .co.uk (United Kingdom) Domain transfer To transfer a .co.uk domain to Amazon Route 53, use the method provided by your current domain registrar to update the value of the Internet Provider Security (IPS) tag for the domain to GANDI, all uppercase. (An IPS tag, also known as a registrar tag, is required by Nominet, the registry for .co.uk domain names.) When you register a .co.uk domain, Amazon Route 53 automatically sets the IPS tag for the domain to GANDI. Registration and renewal period One to ten years. Restrictions Open to the public, with no restrictions. Registration priority If you registered a .co.uk domain before June 10, 2014 or a .me.uk or .org.uk domain before October 29, 2013, you have priority for registering the corresponding .uk domain for five years. Note You cannot register a .uk domain (such as example.uk) for which someone else has already registered a .co.uk, .me.uk, or .org.uk domain (such as example.co.uk) until the priority period has expired. If different registrants have registered the same name with .co.uk, .me.uk, and .org.uk TLDs (such as example.co.uk, example.me.uk, and example.org.uk), priority for registering the .uk domain name is in the following order: • The registrant of the .co.uk domain • The registrant of the .org.uk domain • The registrant of the .me.uk domain If you want the .uk domain for a .co.uk, .me.uk, or .org.uk that you already own, use the Amazon Route 53 console or API, the AWS CLI, or the SDKs to register the .uk domain as you would any other domain. If someone else has a higher priority on an existing .co.uk, .me.uk, or .org.uk domain, we'll notify you by email. The email will contain the following text: ErrorState at registrar: 2201 : Authorization error (V334 Your request for domain 'domain name' has failed because the 'account name' for the registrant does not fully match any registrant which has rights for this domain) Privacy protection Determined by the registry Internationalized domain names Not supported. API Version 2013-04-01 132 Amazon Route 53 Developer Guide Geographic Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .co.uk domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .de (Germany) Registration and renewal period One year. Restrictions Open to the public, with some restrictions: • You must reside in Germany or have an administrative contact (physical person) who resides in Germany and has an address other than a P.O. box. • During registration, the DNS (A, MX, and CNAME) of the domain name must be correctly configured so that it can pass the registry's zone check. Three servers of two different C classes are required. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .es (Spain) Domain purchase or transfer Important You currently can purchase new .es domain names or transfer .es domains to Amazon Route 53 if the contact type for the registrant contact is Person. You can't purchase or transfer .es domains if the contact type for the registrant contact is Company, Association, or Public Body. Registration and renewal period One to five years. Restrictions Open to the public, for those who have an interest in or connection with Spain. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .eu (European Union) Registration and renewal period One to ten years. API Version 2013-04-01 133 Amazon Route 53 Developer Guide Geographic Domains Restrictions Open to the public, with one restriction: • You must provide a valid postal address in one of the 27 member-states of the European Union. A local presence is required. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .fi (Finland) Registration and renewal period One year. Restrictions Open to the public, with some restrictions: • The .fi extension is available to individuals who have a domicile in Finland and have a Finnish identity number, and legal persons or private entrepreneurs registered in Finland. • You must provide the following information during registration: • Whether or not the contact is based on a physical or moral person in Finland. • The identifier of the register where the name is recorded, if based on a moral person's name. • The number of the record in the register where the name is recorded, if based on a moral person's name. • The identification number for a moral person in Finland. • The identification number for a physical person in Finland. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .fi domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .fr (France) Registration and renewal period One year. Restrictions Open to the public, with some restrictions: • Individuals must be at least 18 and must provide their date-of-birth. • Organizations must be located in the European Economic Area or in Switzerland. • Organizations should fill out all company identification fields (VAT number, SIREN, WALDEC, DUNS, and so on), as this will facilitate any verification that AFNIC might perform at a later date. • The same eligibility conditions apply to the administrative contact. API Version 2013-04-01 134 Amazon Route 53 Developer Guide Geographic Domains • Names and terms are subject to an AFNIC prior review (Naming Charter Article 2.4) and to the following additional conditions: • Domain names previously reserved or prohibited are open to applicants that justify a legitimate right and act in good faith. • Names beginning with ville, mairie, agglo, cc, cg, and cr are subject to AFNIC naming conventions. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .it (Italy) Registration and renewal period One year. Restrictions Open to the public, with some restrictions: • Individuals or organizations must have a registered address in the European Union. • If your country of origin is Italy, you must enter a fiscal code. If your country of origin is within the European Union, you must enter an identity document number (ID number). • If you specify Company, Association, or Public body for the contact type, a VAT number (a value-added tax identification number) is required. • Name servers for your domain must pass a DNS check. If your domain name does not comply with the technical requirements, and you do not correct it within 30 days, your domain name will be deleted by the registry. We don't issue refunds for domains that are deleted because they don't meet technical requirements. Privacy protection Determined by the registry Internationalized domain names Supported. DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .me (Montenegro) Registration and renewal period One to ten years. Restrictions Open to the public, with no restrictions. Privacy protection (applies to all contact types: person, company, association, and public body) • Hidden – address, phone number, fax number, and email address • Not hidden – contact name and organization name Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). API Version 2013-04-01 135 Amazon Route 53 Developer Guide Geographic Domains Registrar The registrar for this TLD is our registrar associate, Gandi. .me.uk (United Kingdom) Domain transfer To transfer a .me.uk domain to Amazon Route 53, use the method provided by your current domain registrar to update the value of the Internet Provider Security (IPS) tag for the domain to GANDI, all uppercase. (An IPS tag, also known as a registrar tag, is required by Nominet, the registry for .me.uk domain names.) When you register a .me.uk domain, Amazon Route 53 automatically sets the IPS tag for the domain to GANDI. Registration and renewal period One to ten years. Restrictions Open to the public, with no restrictions. Registration priority If you registered a .co.uk domain before June 10, 2014 or a .me.uk or .org.uk domain before October 29, 2013, you have priority for registering the corresponding .uk domain for five years. Note You cannot register a .uk domain (such as example.uk) for which someone else has already registered a .co.uk, .me.uk, or .org.uk domain (such as example.co.uk) until the priority period has expired. If different registrants have registered the same name with .co.uk, .me.uk, and .org.uk TLDs (such as example.co.uk, example.me.uk, and example.org.uk), priority for registering the .uk domain name is in the following order: • The registrant of the .co.uk domain • The registrant of the .org.uk domain • The registrant of the .me.uk domain If you want the .uk domain for a .co.uk, .me.uk, or .org.uk that you already own, use the Amazon Route 53 console or API, the AWS CLI, or the SDKs to register the .uk domain as you would any other domain. If someone else has a higher priority on an existing .co.uk, .me.uk, or .org.uk domain, we'll notify you by email. The email will contain the following text: ErrorState at registrar: 2201 : Authorization error (V334 Your request for domain 'domain name' has failed because the 'account name' for the registrant does not fully match any registrant which has rights for this domain) Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .me.uk domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .nl (the Netherlands) Registration and renewal period One year. API Version 2013-04-01 136 Amazon Route 53 Developer Guide Geographic Domains Restrictions Open to the public, with some restrictions: • The owner or the administrative contact must provide a valid address in the Netherlands. A local presence is required. • If you do not have a valid address in the Netherlands, the Registry SIDN will provide you with a domicile address, as per the Domicile Address Procedure. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .org.uk (United Kingdom) Domain transfer To transfer a .org.uk domain to Amazon Route 53, use the method provided by your current domain registrar to update the value of the Internet Provider Security (IPS) tag for the domain to GANDI, all uppercase. (An IPS tag, also known as a registrar tag, is required by Nominet, the registry for .org.uk domain names.) When you register a .org.uk domain, Amazon Route 53 automatically sets the IPS tag for the domain to GANDI. Registration and renewal period One to ten years. Restrictions Open to the public, with no restrictions. Registration priority If you registered a .co.uk domain before June 10, 2014 or a .me.uk or .org.uk domain before October 29, 2013, you have priority for registering the corresponding .uk domain for five years. Note You cannot register a .uk domain (such as example.uk) for which someone else has already registered a .co.uk, .me.uk, or .org.uk domain (such as example.co.uk) until the priority period has expired. If different registrants have registered the same name with .co.uk, .me.uk, and .org.uk TLDs (such as example.co.uk, example.me.uk, and example.org.uk), priority for registering the .uk domain name is in the following order: • The registrant of the .co.uk domain • The registrant of the .org.uk domain • The registrant of the .me.uk domain If you want the .uk domain for a .co.uk, .me.uk, or .org.uk that you already own, use the Amazon Route 53 console or API, the AWS CLI, or the SDKs to register the .uk domain as you would any other domain. If someone else has a higher priority on an existing .co.uk, .me.uk, or .org.uk domain, we'll notify you by email. The email will contain the following text: ErrorState at registrar: 2201 : Authorization error (V334 Your request for domain 'domain name' has failed because the 'account name' for the registrant does not fully match any registrant which has rights for this domain) Privacy protection Determined by the registry Internationalized domain names Not supported. API Version 2013-04-01 137 Amazon Route 53 Developer Guide Geographic Domains DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .org.uk domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .ruhr (Ruhr region, western part of Germany) The .ruhr extension is for the Ruhr region (western part of Germany). Registration and renewal period One to ten years. Restrictions Open to the public, with one restriction: • The administrative contact must be an individual who has an address in Germany. Privacy protection Not supported. Internationalized domain names Supported (ä, ö, ü, ß). DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. .se (Sweden) Registration and renewal period One to ten years. Restrictions Open to the public, with some restrictions: • If you are located in Sweden, you must provide a valid Swedish ID number. • If you are located outside of Sweden, you must enter a valid ID number such as a tax ID number. Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. .uk (United Kingdom) Domain transfer To transfer a .uk domain to Amazon Route 53, use the method provided by your current domain registrar to update the value of the Internet Provider Security (IPS) tag for the domain to GANDI, all uppercase. (An IPS tag, also known as a registrar tag, is required by Nominet, the registry for .uk domain names.) When you register a .uk domain, Amazon Route 53 automatically sets the IPS tag for the domain to GANDI. Registration and renewal period One to ten years. API Version 2013-04-01 138 Amazon Route 53 Developer Guide Geographic Domains Restrictions Open to the public, with no restrictions. Registration priority If you registered a .co.uk domain before June 10, 2014 or a .me.uk or .org.uk domain before October 29, 2013, you have priority for registering the corresponding .uk domain for five years. Note You cannot register a .uk domain (such as example.uk) for which someone else has already registered a .co.uk, .me.uk, or .org.uk domain (such as example.co.uk) until the priority period has expired. If different registrants have registered the same name with .co.uk, .me.uk, and .org.uk TLDs (such as example.co.uk, example.me.uk, and example.org.uk), priority for registering the .uk domain name is in the following order: • The registrant of the .co.uk domain • The registrant of the .org.uk domain • The registrant of the .me.uk domain If you want the .uk domain for a .co.uk, .me.uk, or .org.uk that you already own, use the Amazon Route 53 console or API, the AWS CLI, or the SDKs to register the .uk domain as you would any other domain. If someone else has a higher priority on an existing .co.uk, .me.uk, or .org.uk domain, we'll notify you by email. The email will contain the following text: ErrorState at registrar: 2201 : Authorization error (V334 Your request for domain 'domain name' has failed because the 'account name' for the registrant does not fully match any registrant which has rights for this domain) Privacy protection Determined by the registry Internationalized domain names Not supported. DNSSEC Supported for domain registration. For more information, see Configuring DNSSEC for a Domain (p. 35). Registrar The registrar for this TLD is our registrar associate, Gandi. Deletion of domain registration The registry for .uk domains doesn't allow you to delete domain registrations. Instead, you must disable automatic renewal and wait for the domain to expire. For more information, see Deleting a Domain Name Registration (p. 40). .wien (city of Vienna in Austria) Registration and renewal period One to ten years. Restrictions Open to the public, with some restrictions: • You must show an economic, cultural, tourist, historical, social, or other affinity with the city of Vienna in Austria. • The .wien domain names must be used in connection with the above conditions, throughout the term of registration. Privacy protection Not supported. Internationalized domain names Supported for Latin. API Version 2013-04-01 139 Amazon Route 53 Developer Guide Geographic Domains DNSSEC Not supported. Registrar The registrar for this TLD is our registrar associate, Gandi. API Version 2013-04-01 140 Amazon Route 53 Developer Guide Migrating DNS Service for an Existing Domain to Amazon Route 53 Configuring Amazon Route 53 as Your DNS Service You can use Amazon Route 53 as the DNS service for any registered domain name. When you register a domain with Amazon Route 53, Amazon Route 53 is automatically configured as the DNS service for the domain. You can also migrate DNS service for existing domains or subdomains to Amazon Route 53. For more information, see the applicable topic: Topics • Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141) • Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain (p. 145) • Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain (p. 147) Migrating DNS Service for an Existing Domain to Amazon Route 53 You can migrate an existing domain from another DNS service to Amazon Route 53 as the DNS service. This process has six basic steps: 1. Create a Amazon Route 53 hosted zone (p. 142) for your domain. 2. Get the current DNS configuration from your current DNS service provider (p. 142). 3. Add resource record sets (p. 143) to your Amazon Route 53 hosted zone. 4. API only: Confirm that your changes have propagated (p. 143) to all Amazon Route 53 DNS servers. Note Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. 5. Update your registrar's name server records (p. 143). 6. Wait for your changes to take effect (p. 144). API Version 2013-04-01 141 Amazon Route 53 Developer Guide Creating a Hosted Zone Important You can create a hosted zone only for a domain that you have permission to administer. Typically, this means that you own the domain, but you may also be developing an application for the domain registrant. Creating a Hosted Zone To migrate a domain from your existing DNS service, start by creating an Amazon Route 53 hosted zone. Amazon Route 53 stores information about your domain in the hosted zone. Note When you create a hosted zone, Amazon Route 53 automatically creates four name server (NS) records and a start of authority (SOA) record for the zone. The NS records identify the name servers that you give to your registrar or your DNS service so that queries are routed to Amazon Route 53 name servers. For more information about NS and SOA records, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). To create a hosted zone using the Amazon Route 53 console, perform the following procedure. To create a hosted zone using the Amazon Route 53 API, use the CreateHostedZone action. For more information, see POST CreateHostedZone in the Amazon Route 53 API Reference. To create a hosted zone using the Amazon Route 53 console 1. 2. 3. 4. 5. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you're new to Amazon Route 53, choose Get Started Now under DNS Management. If you're already using Amazon Route 53, choose Hosted Zones in the navigation pane. Choose Create Hosted Zone. In the Create Hosted Zone pane, enter a domain name and, optionally, a comment. For more information about a setting, pause the mouse pointer over its label to see a tool tip. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Choose Create. Getting Your Current DNS Configuration from Your DNS Service Provider To simplify the process of migrating an existing domain to Amazon Route 53, get the current DNS configuration for the domain from the DNS service provider that is currently servicing the domain. You can use this information as a basis for configuring Amazon Route 53 as your DNS service. What you ask for and the format that it comes in depends on which company you're currently using as your DNS service provider. Ideally, they'll give you a zone file, which contains information about all of the resource record sets in your current configuration. (Resource record sets tell DNS how you want traffic to be routed for your domains and subdomains. For example, when someone enters your domain name in a web browser, do you want traffic to be routed to a web server in your data center, to an Amazon EC2 instance, to a CloudFront distribution, or to some other location?) If you can get a zone file from your current DNS service provider, you can import your existing DNS configuration into your Amazon Route 53 hosted zone, which greatly simplifies the process of creating resource record sets. Try asking customer support for your current DNS service provider how to get a zone file or a records list. Records that you are likely to migrate include: API Version 2013-04-01 142 Amazon Route 53 Developer Guide Creating Resource Record Sets • A (Address) records, which associate a domain name (example.com) with the IP address of the home page for the domain (192.0.2.3) • Mail server (MX) records • CNAME records, which reroute queries for one domain name (www.example.com) to another domain name (example.com) • Other A records, CNAME records, or other supported DNS record types. For a list of supported record types, see Supported DNS Resource Record Types (p. 4). Creating Resource Record Sets Using the resource record sets that you got from your current DNS service provider as a starting point, create corresponding resource record sets in the Amazon Route 53 hosted zone. The resource record sets that you create in Amazon Route 53 will become the resource record sets that DNS uses after you update your current DNS service's name server records, as explained in Updating Your Registrar's Name Servers (p. 143), later in the process. Caution Do not create additional name server (NS) or start of authority (SOA) records in the Amazon Route 53 hosted zone, and do not delete the existing NS and SOA records. To create resource record sets using the Amazon Route 53 console, see Working with Resource Record Sets (p. 178). To create resource record sets using the Amazon Route 53 API, use ChangeResourceRecordSets. For more information, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Checking the Status of Your Changes (API Only) Creating a new hosted zone and changing resource record sets take time to propagate to the Amazon Route 53 DNS servers. If you used POST ChangeResourceRecordSets to create your resource record sets, you can use the GetChange action to determine whether your changes have propagated. (ChangeResourceRecordSets returns a value for ChangeId, which you can include in a subsequent GetChange request. ChangeId is not available if you created the resource record sets by using the console.) For more information, see GET GetChange in the Amazon Route 53 API Reference. Note Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. Updating Your Registrar's Name Servers After your changes to Amazon Route 53 resource record sets have propagated to the Amazon Route 53 DNS servers (see Checking the Status of Your Changes (API Only) (p. 143)), update your registrar's name server (NS) records to refer to the Amazon Route 53 name servers. Perform the following procedure. 1. 2. If the registrar has a method to change the TTL settings for their name servers, we recommend that you reset the settings to 900 seconds. This limits the time during which client requests will try to resolve domain names using obsolete name servers. You will need to wait for the duration of the previous TTL for resolvers and clients to stop caching the DNS records with their previous values. A common default setting is 172800 seconds (two days). After the TTL settings expire, you can safely delete the records that are stored at the previous provider and make changes only to Amazon Route 53. In the Amazon Route 53 console, get the name servers for your Amazon Route 53 hosted zone: a. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. API Version 2013-04-01 143 Amazon Route 53 Developer Guide Waiting for Your Changes to Take Effect b. c. In the navigation pane, click Hosted Zones. On the Hosted Zones page, choose the radio button (not the name) for the hosted zone. d. In the right pane, make note of the four servers listed for Name Servers. Alternatively, you can use the GetHostedZone action. For more information, see GetHostedZone in the Amazon Route 53 API Reference. 3. Using the method provided by the registrar for the domain, replace the name servers in the registrar's NS records with the four Amazon Route 53 name servers that were returned when you submitted the GetHostedZone request in the previous step. Note Some registrars only allow you to specify name servers using IP addresses; they don't allow you to specify fully qualified domain names. If your registrar requires using IP addresses, you can get the IP addresses for your name servers using the dig utility (for Mac, Unix, or Linux) or the nslookup utility (for Windows). We rarely change the IP addresses of name servers; if we need to change IP addresses, we'll notify you in advance. Depending on the TTL settings for the name servers for the parent domain, the propagation of your changes to DNS resolvers can take 48 hours or more. During this period, DNS resolvers may still answer requests with the name servers for the registrar. In addition, client computers may continue to have the previous name servers for the domain in their cache. To learn more about working with your hosted zone, see the following related topics. Related Topics • • • • Getting the Name Servers for a Public Hosted Zone (p. 163) Listing Public Hosted Zones (p. 164) Deleting a Public Hosted Zone (p. 164) Listing Resource Record Sets (p. 233) Waiting for Your Changes to Take Effect You might have to wait a day or two before Amazon Route 53 becomes the DNS service for your domain name. If you've been using the domain name, DNS resolvers have cached the registrar's NS records for your domain. NS records are cached for the period specified by the TTL (time to live) in the records, which commonly is 86400 to 172800 seconds (one to two days). Until the TTL expires, DNS resolvers that have cached the registrar's NS records will continue to respond to queries for your domain with the name servers in those NS records. After the TTL expires for a resolver, the resolver submits another query for the NS records for your domain, and your registrar responds with your Amazon Route 53 NS records. Note If you don't remember the TTL for your registrar's NS records, you can still find it until the TTL expires. Use a tool like dig or nslookup to query DNS for the NS records of your domain. API Version 2013-04-01 144 Amazon Route 53 Developer Guide Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain You can create a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain from another DNS service. The process has four basic steps: 1. Create an Amazon Route 53 hosted zone for the subdomain (p. 145). 2. Add resource record sets (p. 146) for the new subdomain to your Amazon Route 53 hosted zone. 3. API only: Confirm that your changes have propagated (p. 146) to all Amazon Route 53 DNS servers. Note Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. 4. Update the DNS service for the parent domain by adding name server records for the subdomain (p. 146). Creating a Hosted Zone for the New Subdomain When you want to use Amazon Route 53 as the DNS service for a new subdomain without migrating the parent domain, you start by creating a hosted zone for the subdomain. Amazon Route 53 stores information about your subdomain in the hosted zone. Note When you create a hosted zone, Amazon Route 53 automatically creates four name server (NS) records and a start of authority (SOA) record for the zone. The NS records identify the name servers that you give to your registrar or your DNS service so that queries are routed to Amazon Route 53 name servers. For more information about NS and SOA records, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). To create a hosted zone using the Amazon Route 53 console, perform the following procedure. To create a hosted zone using the Amazon Route 53 API, use the CreateHostedZone action. For more information, see POST CreateHostedZone in the Amazon Route 53 API Reference. To create a hosted zone using the Amazon Route 53 console 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you're new to Amazon Route 53, choose Get Started Now under DNS Management. If you're already using Amazon Route 53, choose Hosted Zones in the navigation pane. 3. 4. In the right pane, enter the name of the subdomain, such as apex.example.com.You can also enter an optional comment. For more information about a field, see the tool tip for the field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Below the right pane, choose Create Hosted Zone. API Version 2013-04-01 145 Amazon Route 53 Developer Guide Creating Resource Record Sets Creating Resource Record Sets You can create resource record sets using either the Amazon Route 53 console or the Amazon Route 53 API. The resource record sets that you create in Amazon Route 53 will become the resource record sets that DNS uses after you delegate responsibility for the subdomain to Amazon Route 53, as explained in Updating Your DNS Service with Name Server Records for the Subdomain (p. 146), later in the process. Caution Do not create additional name server (NS) or start of authority (SOA) records in the Amazon Route 53 hosted zone, and do not delete the existing NS and SOA records. To create resource record sets using the Amazon Route 53 console, see Working with Resource Record Sets (p. 178). To create resource record sets using the Amazon Route 53 API, use ChangeResourceRecordSets. For more information, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Checking the Status of Your Changes (API Only) Creating a new hosted zone and changing resource record sets take time to propagate to the Amazon Route 53 DNS servers. If you used POST ChangeResourceRecordSets to create your resource record sets, you can use the GetChange action to determine whether your changes have propagated. (ChangeResourceRecordSets returns a value for ChangeId, which you can include in a subsequent GetChange request. ChangeId is not available if you created the resource record sets by using the console.) For more information, see GET GetChange in the Amazon Route 53 API Reference. Note Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. Updating Your DNS Service with Name Server Records for the Subdomain After your changes to Amazon Route 53 resource record sets have propagated (see Checking the Status of Your Changes (API Only) (p. 146)), update the DNS service for the parent domain by adding NS records for the subdomain. This is known as delegating responsibility for the subdomain to Amazon Route 53. For example, if the parent domain example.com is hosted with another DNS service and you created the subdomain test.example.com in Amazon Route 53, you must update the DNS service for example.com with new NS records for test.example.com. Perform the following procedure. 1. Using the method provided by your DNS service, back up the zone file for the parent domain. 2. In the Amazon Route 53 console, get the name servers for your Amazon Route 53 hosted zone: a. b. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, click Hosted Zones. c. d. On the Hosted Zones page, choose the radio button (not the name) for the hosted zone. In the right pane, make note of the four servers listed for Name Servers. Alternatively, you can use the GetHostedZone action. For more information, see GetHostedZone in the Amazon Route 53 API Reference. API Version 2013-04-01 146 Amazon Route 53 Developer Guide Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain 3. Using the method provided by the DNS service of the parent domain, add NS records for the subdomain to the zone file for the parent domain. In these NS records, specify the four Amazon Route 53 name servers that are associated with the hosted zone that you created in Step 1. Caution Do not add a start of authority (SOA) record to the zone file for the parent domain. Because the subdomain will use Amazon Route 53, the DNS service for the parent domain is not the authority for the subdomain. If your DNS service automatically added an SOA record for the subdomain, delete the record for the subdomain. However, do not delete the SOA record for the parent domain. Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain You can migrate a subdomain to use Amazon Route 53 as the DNS service without migrating the parent domain from another DNS service. The process has four basic steps: 1. 2. 3. 4. Create an Amazon Route 53 hosted zone for the subdomain (p. 147). Get the current DNS configuration from the current DNS service provider for the parent domain (p. 148). Add resource record sets (p. 148) for the subdomain to your Amazon Route 53 hosted zone. API only: Confirm that your changes have propagated (p. 148) to all Amazon Route 53 DNS servers. Note Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. 5. Update the DNS configuration with the DNS service provider for the parent domain by adding name server records for the subdomain (p. 149). Creating a Hosted Zone for the Subdomain If you want to migrate a subdomain from another DNS service to Amazon Route 53 but you don't want to migrate the parent domain, start by creating a hosted zone for the subdomain. Amazon Route 53 stores information about your subdomain in the hosted zone. Note When you create a hosted zone, Amazon Route 53 automatically creates four name server (NS) records and a start of authority (SOA) record for the zone. The NS records identify the name servers that you give to your registrar or your DNS service so that queries are routed to Amazon Route 53 name servers. For more information about NS and SOA records, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). To create a hosted zone using the Amazon Route 53 console, perform the following procedure. To create a hosted zone using the Amazon Route 53 API, use the CreateHostedZone action. For more information, see POST CreateHostedZone in the Amazon Route 53 API Reference. API Version 2013-04-01 147 Amazon Route 53 Developer Guide Getting Your Current DNS Configuration from Your DNS Service Provider To create a hosted zone using the Amazon Route 53 console 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. If you're new to Amazon Route 53, choose Get Started Now under DNS Management. If you're already using Amazon Route 53, choose Hosted Zones in the navigation pane. 3. 4. In the right pane, enter the name of the subdomain, such as apex.example.com.You can also enter an optional comment. For more information about a field, see the tool tip for the field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Below the right pane, choose Create Hosted Zone. Getting Your Current DNS Configuration from Your DNS Service Provider To simplify the process of migrating an existing subdomain to Amazon Route 53, get the current DNS configuration for the domain from the DNS service provider that is currently servicing the domain. You can use this information as a basis for configuring Amazon Route 53 as the DNS service for the subdomain. What you ask for and the format that it comes in depends on which company you're currently using as your DNS service provider. Ideally, they'll give you a zone file, which contains information about all of the resource record sets in your current configuration. (Resource record sets tell DNS how you want traffic to be routed for your domains and subdomains. For example, when someone enters your domain name in a web browser, do you want traffic to be routed to a web server in your data center, to an Amazon EC2 instance, to a CloudFront distribution, or to some other location?) If you can get a zone file from your current DNS service provider, you can edit the zone file to remove the resource record sets that you don't want to migrate to Amazon Route 53. Then you can import the remaining resource record sets into your Amazon Route 53 hosted zone, which greatly simplifies the process. Try asking customer support for your current DNS service provider how to get a zone file or a records list. Creating Resource Record Sets Using the resource record sets that you got from your current DNS service provider as a starting point, create corresponding resource record sets in the Amazon Route 53 hosted zone that you created for the subdomain. The resource record sets that you create in Amazon Route 53 will become the resource record sets that DNS uses after you delegate responsibility for the subdomain to Amazon Route 53, as explained in Updating Your DNS Service with Name Server Records for the Subdomain (p. 149), later in the process. Caution Do not create additional name server (NS) or start of authority (SOA) records in the Amazon Route 53 hosted zone, and do not delete the existing NS and SOA records. To create resource record sets using the Amazon Route 53 console, see Working with Resource Record Sets (p. 178). To create resource record sets using the Amazon Route 53 API, use ChangeResourceRecordSets. For more information, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Checking the Status of Your Changes (API Only) Creating a new hosted zone and changing resource record sets take time to propagate to the Amazon Route 53 DNS servers. If you used POST ChangeResourceRecordSets to create your resource record API Version 2013-04-01 148 Amazon Route 53 Developer Guide Updating Your DNS Service with Name Server Records for the Subdomain sets, you can use the GetChange action to determine whether your changes have propagated. (ChangeResourceRecordSets returns a value for ChangeId, which you can include in a subsequent GetChange request. ChangeId is not available if you created the resource record sets by using the console.) For more information, see GET GetChange in the Amazon Route 53 API Reference. Note Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. Updating Your DNS Service with Name Server Records for the Subdomain After your changes to Amazon Route 53 resource record sets have propagated (see Checking the Status of Your Changes (API Only) (p. 148)), update the DNS service for the parent domain by adding NS records for the subdomain. This is known as delegating responsibility for the subdomain to Amazon Route 53. For example, suppose the parent domain example.com is hosted with another DNS service and you're migrating the subdomain test.example.com to Amazon Route 53. You must create a hosted zone for test.example.com and update the DNS service for example.com with the NS records that Amazon Route 53 assigned to the new hosted zone for test.example.com. Perform the following procedure. 1. 2. 3. Using the method provided by your DNS service, back up the zone file for the parent domain. If the previous DNS service provider for the domain has a method to change the TTL settings for their name servers, we recommend that you change the settings to 900 seconds. This limits the time during which client requests will try to resolve domain names using obsolete name servers. If the current TTL is 172800 seconds (two days), which is a common default setting, you still need to wait two days for resolvers and clients to stop caching DNS records using the previous TTL. After the TTL settings expire, you can safely delete the records that are stored at the previous provider and make changes only to Amazon Route 53. In the Amazon Route 53 console, get the name servers for your Amazon Route 53 hosted zone: a. b. c. d. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, click Hosted Zones. On the Hosted Zones page, choose the radio button (not the name) for the hosted zone. In the right pane, make note of the four servers listed for Name Servers. Alternatively, you can use the GetHostedZone action. For more information, see GetHostedZone in the Amazon Route 53 API Reference. 4. Using the method provided by the DNS service of the parent domain, add NS records for the subdomain to the zone file for the parent domain. Give the NS records the same name as the subdomain. For the values in the NS records, specify the four Amazon Route 53 name servers that are associated with the hosted zone that you created in Step 2. Note that different DNS services use different terminology. You might need to contact technical support for your DNS service to learn how to perform this step. Caution Do not add a start of authority (SOA) record to the zone file for the parent domain. Because the subdomain will use Amazon Route 53, the DNS service for the parent domain is not the authority for the subdomain. If your DNS service automatically added an SOA record for the subdomain, delete the record for the subdomain. However, do not delete the SOA record for the parent domain. API Version 2013-04-01 149 Amazon Route 53 Developer Guide Updating Your DNS Service with Name Server Records for the Subdomain 5. Depending on the TTL settings for the name servers for the parent domain, the propagation of your changes to DNS resolvers can take 48 hours or more. During this period, DNS resolvers may still answer requests with the name servers for the DNS service of the parent domain. In addition, client computers may continue to have the previous name servers for the subdomain in their cache. After the registrar's TTL settings for the domain expire (see Step 2), delete the following resource record sets from the zone file for the parent domain: • The resource record sets that you added to Amazon Route 53 as described in Creating Resource Record Sets (p. 148). • Your DNS service's NS records. When you are finished deleting NS records, the only NS records in the zone file will be the ones that you created in Step 4. API Version 2013-04-01 150 Amazon Route 53 Developer Guide Routing Traffic to an Amazon CloudFront Distribution (Public Hosted Zones Only) Routing Traffic to AWS Resources You can use Amazon Route 53 to route traffic to a variety of AWS resources. • • • • • • • Routing Traffic to an Amazon CloudFront Distribution (Public Hosted Zones Only) (p. 151) Routing Traffic to an AWS Elastic Beanstalk Environment (p. 152) Routing Traffic to an Elastic Load Balancing Load Balancer (p. 155) Routing Traffic to an Amazon EC2 Instance (p. 156) Routing Traffic to a Website That Is Hosted in an Amazon S3 Bucket (p. 156) Opening Connections to an Amazon RDS Database Instance Using Your Domain Name (p. 157) Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) (p. 159) Routing Traffic to an Amazon CloudFront Distribution (Public Hosted Zones Only) If you're using CloudFront to distribute your content, you can use Amazon Route 53 to route traffic to your CloudFront distribution. The name of your Amazon Route 53 hosted zone (such as example.com) must match an alternate domain name in the CloudFront distribution.You cannot route traffic to the CloudFront domain name for your distribution (such as d111111abcdef8.cloudfront.net). The following procedure assumes that you have already registered the applicable domain names. Note You can route traffic to a CloudFront distribution only for public hosted zones. To route traffic to an Amazon CloudFront distribution 1. Create your CloudFront distribution, and add one or more alternate domain names (example.com, www.example.com) to the distribution. For more information, see the following topics in the Amazon CloudFront Developer Guide: • Creating Web Distributions • Creating RTMP Distributions • Using Alternate Domain Names API Version 2013-04-01 151 Amazon Route 53 Developer Guide Routing Traffic to an AWS Elastic Beanstalk Environment 2. If Amazon Route 53 is not the DNS service for one or more of the alternate domain names that you added to your distribution, migrate DNS service for those domains to Amazon Route 53. For more information, see the applicable topic: • Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain (p. 145) • Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141) • Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain (p. 147) If you want to route traffic both for an alternate domain name that is the root domain (example.com) and for one or more subdomains (www.example.com, product-name.example.com) to your CloudFront distribution, you only need to create a hosted zone for the root domain. 3. If you want to route traffic for more than one alternate domain name that is the root domain, for example, the domain name and various misspellings of your domain name (example.com, ex-ample.com), create one hosted zone for each root domain name. You must register each domain name that you want to use. Create one or more alias resource record sets that route traffic to your CloudFront distribution: • To route traffic for the root domain (such as example.com), create an alias resource record set for the root domain name. To route traffic for more than one root domain (example.com, ex-ample.com), in each hosted zone that you created in step 2, create an alias resource record set that has the same name as the hosted zone. • To route traffic for subdomains (such as acme.example.com), create one alias resource record set for each subdomain. Note The name of each alias resource record set must match an alternate domain name in the distribution that you want Amazon Route 53 to route traffic to. For more information about alias resource record sets in Amazon Route 53, see Choosing Between Alias and Non-Alias Resource Record Sets (p. 182). For information about creating resource record sets, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). Routing Traffic to an AWS Elastic Beanstalk Environment If you're using AWS Elastic Beanstalk to deploy and manage applications in the AWS Cloud, you can use Amazon Route 53 to route DNS traffic for your domain, such as example.com, to a new or an existing Elastic Beanstalk environment. To route DNS traffic to an Elastic Beanstalk environment, see the procedures in the following topics. Note These procedures assume that you're already using Amazon Route 53 as the DNS service for your domain. If you're using another DNS service, see Configuring Amazon Route 53 as Your DNS Service (p. 141) for information about migrating your DNS service to Amazon Route 53. Topics • Deploying an Application into an Elastic Beanstalk Environment (p. 153) API Version 2013-04-01 152 Amazon Route 53 Developer Guide Deploying an Application into an Elastic Beanstalk Environment • Getting the Domain Name for Your Elastic Beanstalk Environment (p. 153) • Creating an Amazon Route 53 Resource Record Set that Routes Traffic to Your Elastic Beanstalk Environment (p. 153) Deploying an Application into an Elastic Beanstalk Environment If you already have an Elastic Beanstalk environment that you want to route traffic to, skip to Getting the Domain Name for Your Elastic Beanstalk Environment (p. 153). To create an application and deploy it into an Elastic Beanstalk environment • For information about creating an application and deploying it to an Elastic Beanstalk environment, see Getting Started Using Elastic Beanstalk in the AWS Elastic Beanstalk Developer Guide. Getting the Domain Name for Your Elastic Beanstalk Environment If you already know the domain name for your Elastic Beanstalk environment, skip to Creating an Amazon Route 53 Resource Record Set that Routes Traffic to Your Elastic Beanstalk Environment (p. 153). To get the domain name for your Elastic Beanstalk environment 1. 2. Sign in to the AWS Management Console and open the Elastic Beanstalk console at https:// console.aws.amazon.com/elasticbeanstalk/. In the list of applications, find the application that you want to route traffic to, and get the value of URL. Creating an Amazon Route 53 Resource Record Set that Routes Traffic to Your Elastic Beanstalk Environment An Amazon Route 53 resource record set contains the settings that control how traffic is routed to your Elastic Beanstalk environment. You create either a CNAME resource record set or an alias resource record set, depending on whether the domain name for the environment includes the region, such as us-east-1, in which you deployed the environment. New environments include the region in the domain name; environments that were created before early 2016 do not. For a comparison of CNAME and alias resource record sets, see Choosing Between Alias and Non-Alias Resource Record Sets (p. 182). If the domain name does not include the region You must create a CNAME resource record set. You can't create a CNAME resource record set for the root domain name. For example, if your domain name is example.com, you can create a resource record set that routes traffic for acme.example.com to your Elastic Beanstalk environment, but you can't create a resource record set that routs traffic for example.com to your Elastic Beanstalk environment. See the procedure To create a CNAME resource record set to route traffic to an Elastic Beanstalk environment (p. 154). API Version 2013-04-01 153 Amazon Route 53 Developer Guide Creating an Amazon Route 53 Resource Record Set If the domain name includes the region You can create an alias resource record set. An alias resource record set is specific to Amazon Route 53 and has two significant advantages over CNAME resource record sets: • You can create alias resource record sets for the root domain name or for subdomains. For example, if your domain name is example.com, you can create a resource record set that routes requests for example.com or for acme.example.com to your Elastic Beanstalk environment. • Amazon Route 53 doesn't charge for requests that use an alias resource record set to route traffic. See the procedure To create an Amazon Route 53 alias resource record set to route traffic to an Elastic Beanstalk environment (p. 154). To create a CNAME resource record set to route traffic to an Elastic Beanstalk environment 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. 3. In the navigation pane, choose Hosted Zones. Choose the hosted zone that has the domain name for which you want to route traffic to your Elastic Beanstalk environment. Choose Create Record Set. Specify the following values: 4. 5. Name Type the domain name for which you want to route traffic to your Elastic Beanstalk environment. The default value is the name of the hosted zone. For example, if the name of the hosted zone is example.com and you want to route traffic to acme.example.com, type acme. Important You can't create a CNAME record that has the same name as the hosted zone. Type Choose CNAME – Canonical name. Alias Choose No. TTL (Seconds) Accept the default value of 300. Value Type the domain name of the environment that you want to route traffic to. This is the value that you get when you perform the procedure in the topic Getting the Domain Name for Your Elastic Beanstalk Environment (p. 153). Routing Policy Accept the default value, Simple. 6. Choose Create. Changes generally propagate to all Amazon Route 53 servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. To create an Amazon Route 53 alias resource record set to route traffic to an Elastic Beanstalk environment 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Hosted Zones. API Version 2013-04-01 154 Amazon Route 53 Developer Guide Routing Traffic to an Elastic Load Balancing Load Balancer 3. 4. 5. Choose the hosted zone that has the domain name for which you want to route traffic to your Elastic Beanstalk environment. Choose Create Record Set. Specify the following values: Name Type the domain name for which you want to route traffic to your Elastic Beanstalk environment. The default value is the name of the hosted zone. For example, if the name of the hosted zone is example.com and you want to route traffic to acme.example.com, type acme. Type Accept the default, A – Ipv4 address. Alias Choose Yes. Alias Target Click in the field, and choose the domain name of the environment that you want to route traffic to. This is the value that you get when you perform the procedure in the topic Getting the Domain Name for Your Elastic Beanstalk Environment (p. 153). Alias Hosted Zone ID This value appears automatically based on the environment that you choose for Alias Target. Routing Policy Accept the default value, Simple. Evaluate Target Health Accept the default value, No. 6. Choose Create. Changes generally propagate to all Amazon Route 53 servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. Routing Traffic to an Elastic Load Balancing Load Balancer If you're hosting a website on Amazon EC2 instances that are registered with a load balancer and you want to use Amazon Route 53 as the DNS service for your domain, follow the steps below. To route traffic to an Elastic Load Balancing load balancer 1. Use Elastic Load Balancing to set up a load balancer. If you're creating multiple alias resource record sets that have the same name and type (for example, weighted or latency alias resource record sets), create one load balancer for each resource record set. For more information about creating a load balancer, go to Getting Started with Elastic Load Balancing in the Elastic Load Balancing Developer Guide. Tip Give the load balancer a name that will help you remember what it's for later. The name you specify when you create a load balancer is the name you'll choose when you create an alias resource record sets in Amazon Route 53. 2. Create an Amazon Route 53 hosted zone. For more information, see Creating a Public Hosted Zone (p. 162). API Version 2013-04-01 155 Amazon Route 53 Developer Guide Routing Traffic to an Amazon EC2 Instance 3. Create alias resource record sets in your hosted zone. For more information, see Working with Resource Record Sets (p. 178). Routing Traffic to an Amazon EC2 Instance If you're hosting a website on an Amazon EC2 server and you want to use Amazon Route 53 as the DNS service for your domain, follow the steps below. To route traffic to an Amazon EC2 instance 1. Launch an Amazon EC2 instance. For more information, see the Amazon EC2 Getting Started Guide. Note We recommend that you also create an Elastic IP address and associate it with your Amazon EC2 instance. An Elastic IP address ensures that the IP address of your Amazon EC2 instance will never change. 2. 3. Create an Amazon Route 53 hosted zone. For more information, see Creating a Public Hosted Zone (p. 162). Create a resource record set in your hosted zone. For Type, choose A – Ipv4 address. For Value, specify the Elastic IP address for your Amazon EC2 instance. For more information about creating a resource record set, see Working with Resource Record Sets (p. 178). Routing Traffic to a Website That Is Hosted in an Amazon S3 Bucket If you're hosting a website in an Amazon S3 bucket and you want to use Amazon Route 53 as the DNS service for your domain, follow the steps below. To route traffic to a website that is hosted in an Amazon S3 bucket 1. 2. Create an Amazon S3 bucket that is configured as a website. For more information, see Hosting Websites on Amazon S3 in the Amazon Simple Storage Service Developer Guide. Create a subdomain that uses Amazon Route 53 as the DNS service, or migrate an existing domain or subdomain to Amazon Route 53. For more information, see the applicable topic: • Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain (p. 145) • Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141) • Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain (p. 147) 3. Create an alias resource record set that routes traffic for your domain name to the Amazon S3 domain name for your bucket. For more information about alias resource record sets, see Choosing Between Alias and Non-Alias Resource Record Sets (p. 182). API Version 2013-04-01 156 Amazon Route 53 Developer Guide Opening Connections to an Amazon RDS Database Instance Using Your Domain Name Opening Connections to an Amazon RDS Database Instance Using Your Domain Name If you use an Amazon RDS database instance for data storage for your web application, the domain name that is assigned to your DB instance is a long, partially random, alphanumeric string, for example: myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com Whenever you open a connection to your Amazon RDS DB instance, you must specify the domain name in your application code. If you want to use a domain name that's easier to remember, you can use your own domain name instead. To do this, you can use Amazon Route 53 to create a CNAME resource record set that associates your domain name with the domain name of your DB instance. For example, you could create a CNAME resource record set to map productdata.example.com to the domain name myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com. After you create the CNAME record, you can use productdata.example.com in your application code whenever you open a connection to your Amazon RDS DB instance. In addition to letting you use a name that's easier to remember, the CNAME resource record set makes it easier for you to replace one DB instance with another. Instead of updating all of your code with the domain name of a new DB instance, you can just change the domain name of the DB instance in the CNAME resource record set. Note You must use a CNAME resource record set to associate a domain name with an Amazon RDS DB instance. Amazon Route 53 doesn't support using other types of resource record sets for this purpose. For more information, see Working with Resource Record Sets (p. 178). Prerequisites Before you get started, you need the following: • An Amazon RDS DB instance. • A registered domain name. (You don't need to use Amazon Route 53 as the domain registrar.) • Amazon Route 53 as the DNS service for the domain. To use the procedures in this topic, Amazon Route 53 must be your DNS service provider, but you can also create a CNAME resource record set with another DNS service provider. For more information, see Configuring Amazon Route 53 as Your DNS Service (p. 141). Configuring Amazon Route 53 So You Can Use Your Domain Name to Open Connections To configure Amazon Route 53 so you can use your domain name to open connections to an Amazon RDS database instance, perform the following procedures. First you get the domain name that is associated with your DB instance, and then you create a CNAME resource record set that maps your domain name to the domain name of your DB instance. API Version 2013-04-01 157 Amazon Route 53 Developer Guide Configuring Amazon Route 53 So You Can Use Your Domain Name to Open Connections Getting the domain name for your Amazon RDS DB instance 1. Sign in to the AWS Management Console and open the Amazon RDS console at https:// console.aws.amazon.com/rds/. 2. 3. 4. In the regions list in the upper-right corner of the console, change to the region where you created the DB instance that you want to open connections to. In the navigation pane, choose Instances. In the table, expand the DB instance that you want to open connections to. 5. Get the value of Endpoint. Creating a CNAME resource record set 1. 2. 3. 4. 5. Open the Amazon Route 53 console at https://console.aws.amazon.com/route53/. In the navigation pane, choose Hosted Zones. Choose the hosted zone that has the domain name that you want to use to open connections to your DB instance. Choose Create Record Set. Specify the following values: Name Type the domain name that you want to use to open connections to your DB instance. The default value is the name of the hosted zone. For example, if the name of the hosted zone is example.com and you want to use the domain name acme.example.com to open connections to your DB instance, type acme. Important You can't create a CNAME record that has the same name as the hosted zone. Type Choose CNAME – Canonical name. Alias Choose No. TTL (Seconds) Accept the default value of 300. Value Type the domain name of the DB instance that you want to open connections to. This is the value that you got when you performed the procedure Getting the domain name for your Amazon RDS DB instance (p. 158). Routing Policy Accept the default value of Simple. 6. Choose Create. Changes generally propagate to all Amazon Route 53 servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. When propagation is complete, you'll be able to open connections to your DB instance by using the name of the CNAME resource record set that you created in this procedure. API Version 2013-04-01 158 Amazon Route 53 Developer Guide Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) If you're using Amazon WorkMail for your business email and you're using Amazon Route 53 as your DNS service, you can use Amazon Route 53 to route traffic to your Amazon WorkMail email domain. The name of your Amazon Route 53 hosted zone (such as example.com) must match the name of an Amazon WorkMail domain. Note You can route traffic to an Amazon WorkMail domain only for public hosted zones. To route traffic to Amazon WorkMail, perform the following four procedures. To configure Amazon Route 53 as your DNS service and add an Amazon WorkMail organization and email domain 1. If you haven't registered the domain name that you want to use in your email addresses (such as john@example.com), register the domain now so you know that the domain is available. For more information, see Registering a New Domain (p. 14). If Amazon Route 53 is not the DNS service for the email domain that you added to Amazon WorkMail, migrate DNS service for the domain to Amazon Route 53. For more information, see the applicable topic: • Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain (p. 145) • Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141) • Migrating DNS Service for a Subdomain to Amazon Route 53 without Migrating the Parent Domain (p. 147) 2. Add an Amazon WorkMail organization and email domain. For more information, see Getting Started for New Users in the Amazon WorkMail Administrator Guide. To create a Amazon Route 53 TXT resource record set for Amazon WorkMail 1. In the navigation pane of the Amazon WorkMail console, choose Domains. 2. Choose the name of the email domain, such as example.com, for which you want to route traffic to Amazon WorkMail. Open another browser tab, and open the Amazon Route 53 console. In the Amazon Route 53 console, do the following: 3. 4. a. b. 5. 6. In the navigation pane, choose Hosted Zones. Choose the name of the hosted zone that you want to use for your Amazon WorkMail email domain. In the Amazon WorkMail console, in the section Step 1: Verify domain ownership, go to the Hostname column, and copy the part of the value that precedes your email domain name. For example, if your Amazon WorkMail email domain is example.com and the value of Hostname is _amazonses.example.com, copy _amazonses. In the Amazon Route 53 console, do the following: a. Choose Create Record Set. API Version 2013-04-01 159 Amazon Route 53 Developer Guide Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) b. c. 7. 8. For Name, paste the value that you copied in step 5. For Type, choose TXT – Text. In the Amazon WorkMail console, for the TXT record, copy the value of the Value column, including the quotation marks. In the Amazon Route 53 console, do the following: a. For Value, paste the value that you copied in step 7. Don't change any other settings. b. Choose Create. To create a Amazon Route 53 MX resource record set for Amazon WorkMail 1. 2. In the Amazon WorkMail console, in the section Step 2: Finalize domain setup, go to the row for which the value of Record type is MX, and copy the value of the Value column. In the Amazon Route 53 console, do the following: a. b. c. Choose Create Record Set. For Value, paste the value that you copied in step 1. For Type, choose MX – Mail Exchange. d. Don't change any other settings. Choose Create. To create four Amazon Route 53 CNAME resource record sets for Amazon WorkMail 1. 2. In the Amazon WorkMail console, in the section Step 2: Finalize domain setup, go to the first row for which the value of Record type is CNAME. In the Hostname column, copy the part of the value that precedes your email domain name. For example, if your Amazon WorkMail email domain is example.com and the value of Hostname is autodiscover.example.com, copy autodiscover. In the Amazon Route 53 console, do the following: a. b. c. 3. 4. Choose Create Record Set. For Name, paste the value that you copied in step 1. For Type, choose CNAME – Canonical Name. In the Amazon WorkMail console, in the first row for which the value of the Record type column is CNAME, copy the value of the Value column. In the Amazon Route 53 console, do the following: a. For Value, paste the value that you copied in step 3. Don't change any other settings. b. Choose Create. API Version 2013-04-01 160 Amazon Route 53 Developer Guide Routing Traffic to Amazon WorkMail (Public Hosted Zones Only) 5. Repeat steps 1 through 4 for the remaining CNAME records that are listed in the Amazon WorkMail console. API Version 2013-04-01 161 Amazon Route 53 Developer Guide Creating a Public Hosted Zone Working with Public Hosted Zones A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain, such as example.com, and its subdomains (apex.example.com, acme.example.com). After you create a public hosted zone, you create resource record sets that determine how the Domain Name System (DNS) responds to queries for your domain and subdomains. For example, if you have one or more email addresses associated with your domain (john@example.com), you'll create an MX record in your hosted zone so that email is sent to the email server for your domain. For more information about resource record sets, see Working with Resource Record Sets (p. 178). This topic explains how to use the Amazon Route 53 console to create, list, and delete public hosted zones. For information about using the Amazon Route 53 API to perform these operations, see Actions on Public Hosted Zones in the Amazon Route 53 API Reference. You can also use an Amazon Route 53 private hosted zone to route traffic within one or more Amazon Virtual Private Clouds. For more information, see Working with Private Hosted Zones (p. 171). Topics • Creating a Public Hosted Zone (p. 162) • Getting the Name Servers for a Public Hosted Zone (p. 163) • Listing Public Hosted Zones (p. 164) • Deleting a Public Hosted Zone (p. 164) • Configuring White Label Name Servers (p. 165) • NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169) Creating a Public Hosted Zone A hosted zone is a collection of resource record sets for a specified domain. You create a hosted zone for a domain (such as example.com), and then you create resource record sets to tell the Domain Name System how you want traffic to be routed for that domain. When you create a hosted zone, Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone. The NS record identifies the four name servers that you give to your registrar or your DNS service so that DNS queries are routed to Amazon Route 53 name servers. For more information about NS and SOA records, see NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone (p. 169). API Version 2013-04-01 162 Amazon Route 53 Developer Guide Getting the Name Servers for a Public Hosted Zone After you update the settings with your domain registrar to include the Amazon Route 53 name servers, Amazon Route 53 responds to DNS queries for the hosted zone even if you don't have a functioning website. For example, Amazon Route 53 responds with information about your hosted zone whenever someone enters your domain name in a web browser. By default, Amazon Route 53 assigns a unique set of four name servers (known collectively as a delegation set) to each hosted zone that you create. If you want to create a large number of hosted zones, you can use the Amazon Route 53 API to create a reusable delegation set. Then when you create hosted zones by using the Amazon Route 53 API, you can assign the same reusable delegation set—the same four name servers—to each hosted zone. (You can't specify a reusable delegation set when you created a hosted zone by using the Amazon Route 53 console.) Reusable delegation sets simplify migrating DNS service to Amazon Route 53 because you can instruct your domain name registrar to use the same four name servers for all of the domains for which you want Amazon Route 53 to be the DNS service. For more information about reusable delegation sets, see Actions on Reusable Delegation Sets in the Amazon Route 53 API Reference. For information about creating hosted zones by using the Amazon Route 53 API, see POST CreateHostedZone. You can create more than one hosted zone with the same name and add different resource record sets to each hosted zone. Amazon Route 53 assigns four name servers to every hosted zone, and the name servers are different for each of them. When you update your registrar's name server records, be careful to use the Amazon Route 53 name servers for the correct hosted zone—the one that contains the resource record sets that you want Amazon Route 53 to use when responding to queries for your domain. Amazon Route 53 never returns values for resource record sets in other hosted zones that have the same name. To create a hosted zone using the Amazon Route 53 console 1. 2. 3. 4. 5. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you're new to Amazon Route 53, choose Get Started Now under DNS Management. If you're already using Amazon Route 53, choose Hosted Zones in the navigation pane. Choose Create Hosted Zone. In the Create Hosted Zone pane, enter a domain name and, optionally, a comment. For more information about a setting, pause the mouse pointer over its label to see a tool tip. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Choose Create. Getting the Name Servers for a Public Hosted Zone If you're currently using another DNS service and you want to migrate to Amazon Route 53, you begin by creating a hosted zone. Amazon Route 53 automatically assigns four name servers to your hosted zone. To ensure that the Domain Name System routes queries for your domain to the Amazon Route 53 name servers, update your registrar's or your DNS service's NS records for the domain to replace the current name servers with the names of the four Amazon Route 53 name servers for your hosted zone. The method that you use to update the NS records depends on which registrar or DNS service you're using. For more information about migrating your DNS service to Amazon Route 53, see Configuring Amazon Route 53 as Your DNS Service (p. 141). Note Some registrars only allow you to specify name servers using IP addresses; they don't allow you to specify fully qualified domain names. If your registrar requires using IP addresses, you can get the IP addresses for your name servers using the dig utility (for Mac, Unix, or Linux) or the API Version 2013-04-01 163 Amazon Route 53 Developer Guide Listing Public Hosted Zones nslookup utility (for Windows). We rarely change the IP addresses of name servers; if we need to change IP addresses, we'll notify you in advance. The following procedure explains how to get the name servers for a hosted zone using the Amazon Route 53 console. For information about how to get name servers using the Amazon Route 53 API, see GET GetHostedZone in the Amazon Route 53 API Reference. To get the name servers for a hosted zone using the Amazon Route 53 console 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. 3. In the navigation pane, click Hosted Zones. On the Hosted Zones page, choose the radio button (not the name) for the hosted zone. 4. In the right pane, make note of the four servers listed for Name Servers. Listing Public Hosted Zones You can use the Amazon Route 53 console to list all of the hosted zones that you created with the current AWS account. For information about how to list hosted zones using the Amazon Route 53 API, see GET ListHostedZones in the Amazon Route 53 API Reference. To list the public hosted zones associated with an AWS account using the Amazon Route 53 console 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the Amazon Route 53 console, the Hosted Zones page automatically displays a list of the hosted zones that are associated with the AWS account that you are currently signed in with. Deleting a Public Hosted Zone The following procedure explains how to delete a hosted zone using the Amazon Route 53 console. For information about how to delete a hosted zone using the Amazon Route 53 API, see DELETE DeleteHostedZone in the Amazon Route 53 API Reference. You can delete a hosted zone only if there are no resource record sets other than the default SOA and NS records. If your hosted zone contains other resource record sets, you must delete them before you can delete your hosted zone. This prevents you from accidentally deleting a hosted zone that still contains resource record sets. To delete a public hosted zone using the Amazon Route 53 console 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. Confirm that the hosted zone that you want to delete contains only an NS and an SOA resource record set. If it contains additional resource record sets, delete them: a. b. Choose the name of the hosted zone that you want to delete. On the Record Sets page, if the list of resource record sets includes any resource record sets for which the value of the Type column is something other than NS or SOA, choose the row, and choose Delete Record Set. API Version 2013-04-01 164 Amazon Route 53 Developer Guide Configuring White Label Name Servers To select multiple, consecutive resource record sets, choose the first row, press and hold the Shift key, and choose the last row. To select multiple, non-consecutive resource record sets, choose the first row, press and hold the Ctrl key, and choose the remaining rows. Note If you created any NS records for subdomains in the hosted zone, delete those records, too. c. 3. 4. 5. Choose Back to Hosted Zones. On the Hosted Zones page, choose the row for the hosted zone that you want to delete. Choose Delete Hosted Zone. Choose OK to confirm. Configuring White Label Name Servers Each Amazon Route 53 hosted zone is associated with four name servers, known collectively as a delegation set. By default, the name servers have names like ns-2048.awsdns-64.com. If you want the domain name of your name servers to be the same as the domain name of your hosted zone, for example, ns1.example.com, you can configure white label name servers, also known as vanity name servers or private name servers. The following procedure explains how to configure one set of four white label name servers that you can reuse for multiple domains. For example, suppose you own the domains example.com, example.org, and example.net. With this procedure, you can configure white label name servers for example.com and reuse them for example.org and example.net. To configure white label name servers for your Amazon Route 53 hosted zones 1. Create an Amazon Route 53 reusable delegation set by using the Amazon Route 53 API, the AWS CLI, or one of the AWS SDKs. For more information, see the following documentation: • Amazon Route 53 API – See POST CreateReusableDelegationSet in the Amazon Route 53 API Reference • AWS CLI – See create-reusable-delegation-set in the AWS Command Line Interface Reference • AWS SDKs See the applicable SDK documentation on the AWS Documentation page 2. Create or recreate Amazon Route 53 hosted zones: • If you aren't currently using Amazon Route 53 as the DNS service for the domains for which you want to use white label name servers – Create the hosted zones and specify the reusable delegation set that you created in the previous step with each hosted zone. For more information, see POST CreateHostedZone (Public) in the Amazon Route 53 API Reference. • If you are using Amazon Route 53 as the DNS service for the domains for which you want to use white label name servers – You must recreate the hosted zones for which you want to use white label name servers, and specify the reusable delegation set that you created in the previous step for each hosted zone. For more information about creating hosted zones and specifying a reusable delegation set for the name servers for the hosted zones, see POST CreateHostedZone (Public) in the Amazon Route 53 API Reference. API Version 2013-04-01 165 Amazon Route 53 Developer Guide Configuring White Label Name Servers Important You cannot change the name servers that are associated with an existing hosted zone. You can associate a reusable delegation set with a hosted zone only when you create the hosted zone. When you create the hosted zones and before you try to access the resources for the corresponding domains, change the following TTL values for each hosted zone: • Change the TTL for the NS record for the hosted zone to 60 seconds or less. • Change the minimum TTL for the SOA record for the hosted zone to 60 seconds or less. This is the last value in the SOA record. 3. Changing the minimum TTL to 60 seconds or less will temporarily increase your bill because DNS resolvers will send more queries to Amazon Route 53. (This procedure tells you when you can change the TTL to a higher value.) However, if you accidentally give your registrar the wrong IP addresses for your white label name servers, your website will become unavailable and remain unavailable for the duration of the TTL after you correct the problem. By setting a low TTL, you reduce the amount of time that your website is unavailable. Create resource record sets in the new hosted zones: • If you're migrating DNS service for your domains to Amazon Route 53 – You might be able to create resource record sets by importing information about your existing resource record sets. For more information, see Creating Resource Record Sets By Importing a Zone File (p. 230). • If you're replacing existing hosted zones so that you can use white label name servers – In the new hosted zones, recreate the resource record sets that appear in your current hosted zones. Amazon Route 53 doesn't provide a method of exporting resource record sets from a hosted zone, but some third-party vendors do. You can then use the Amazon Route 53 import feature to import non-alias resource record sets for which the routing policy is simple. There is no way to export and re-import alias resource record sets or resource record sets for which the routing policy is anything other than simple. For information about creating resource record sets by using the Amazon Route 53 API, see POST CreateHostedZone (Public) in the Amazon Route 53 API Reference. For information about creating resource record sets by using the Amazon Route 53 console, see Working with Resource Record Sets (p. 178). 4. Get the IP addresses of the name servers in the reusable delegation set, and fill in the following table. Name of a name server in your reusable delegation IP address set (example: ns-2048.awsdns-64.com) Name that you want to assign to the white label name server (example: ns1.example.com) For example, suppose the four name servers for your reusable delegation set are: • ns-2048.awsdns-64.com API Version 2013-04-01 166 Amazon Route 53 Developer Guide Configuring White Label Name Servers • ns-2049.awsdns-65.net • ns-2050.awsdns-66.org • ns-2051.awsdns-67.co.uk Run the applicable command for each name server to get the corresponding IP addresses. dig command for Linux % dig ns-2048.awsdns-64.com +short 192.0.2.117 nslookup command for Windows c:\> nslookup ns-2048.awsdns-64.com Server: ns-2048.awsdns-64.com Address: 192.0.2.117 5. In the hosted zone that has the same name (such as example.com) as the domain name of the white label name servers (such as ns1.example.com), create four resource record sets, one for each white label name server. Important If you're using the same white label name servers for two or more hosted zones, do not perform this step for the other hosted zones. For each resource record set, specify the following values. Refer to the table that you filled in for the previous step: Name The name that you want to assign to one of your white label name servers, for example, ns1.example.com. For the prefix (ns1 in this example), you can use any value that is valid in a domain name. Type Specify A. Alias Specify No. TTL This value is the amount of time that DNS resolvers cache the information in this resource record set before forwarding another DNS query to Amazon Route 53. We recommend that you specify an initial value of 60 seconds or less, so that you can recover quickly if you accidentally specify incorrect values in these resource record sets. Value The IP address of one of the Amazon Route 53 name servers in your reusable delegation set. Caution If you specify the wrong IP addresses when you created resource record sets for your white label name servers, when you perform subsequent steps your website or web application will become unavailable on the Internet. Even if you correct the IP addresses immediately, your website or web application will remain unavailable for the duration of the TTL. Routing Policy Specify Simple. API Version 2013-04-01 167 Amazon Route 53 Developer Guide Configuring White Label Name Servers 6. Update SOA and NS records in the hosted zones for which you want to use white label name servers. Perform steps 6 through 8 for one hosted zone and the corresponding domain at a time, then repeat for another hosted zone and domain. Important Start with the Amazon Route 53 hosted zone that has the same domain name (such as example.com) as the white label name servers (such as ns1.example.com). a. Update the SOA record. Replace the name of the Amazon Route 53 name server (ns-2048.awsdns-64.net. in the following example) with the name of one of your white label name servers: ns-2048.awsdns-64.net. hostmaster.example.com. 1 7200 900 1209600 60 For information about updating resource record sets by using the Amazon Route 53 console, see Editing Resource Record Sets (p. 232). 7. b. In the NS record, make note of the names of the current name servers for the domain, so you can revert to these name servers if necessary. c. Update the NS record. Replace the name of the Amazon Route 53 name servers with the names of your four white label name servers, for example, ns1.example.com, ns2.example.com, ns3.example.com, and ns4.example.com. Use the method provided by the registrar to create glue records and change the registrar's name servers: a. Add glue records: • If you're updating the domain that has the same domain name as the white label name servers – Create four glue records for which the name and IP address match the values that you got in step 4, for example: ns1.example.com – IP address = 192.0.2.117 Registrars use a variety of terminology for glue records. You might also see this referred as registering new name servers or something similar. • If you're updating another domain – Skip to step 7b. b. Change the name servers for the domain to the names of your white label name servers. If you're using Amazon Route 53 as your DNS service, see Adding or Changing Name Servers and Adding or Changing Glue Records (p. 22). 8. Monitor the traffic for the website or application for which you created glue records and changed name servers in the previous step: • If the traffic stops – Use the method provided by the registrar to change the name servers for the domain back to the previous Amazon Route 53 name servers. These are the name servers that you made note of in step 6b. Then determine what went wrong. • If the traffic is unaffected – Repeat steps 6 through 8 for the rest of the hosted zones for which you want to use the same white label name servers. 9. For all of the hosted zones that are now using white label name servers, change the following values: • Change the TTL for the NS record for the hosted zone to a more typical value for NS records, for example, 172800 seconds (two days). This will reduce the number of DNS queries that DNS resolvers forward to Amazon Route 53, which will reduce your Amazon Route 53 bill. API Version 2013-04-01 168 Amazon Route 53 Developer Guide NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone • Change the minimum TTL for the SOA record for the hosted zone to a more typical value for SOA records, for example, 86400 seconds (one day). This is the last value in the SOA record. 10. Optional If you're using Amazon Route 53 geolocation routing, contact the recursive DNS services that support the edns-client-subnet extension of EDNS0, and give them the names of your white label name servers. This ensures that these DNS services will continue to route DNS queries to the optimal Amazon Route 53 location based on the approximate geographical location that the request came from. For a list of the recursive DNS services that support edns-client-subnet, see A Faster Internet: Participants. For more information about how edns-client-subnet works, see A Faster Internet: How It Works. NS and SOA Resource Record Sets that Amazon Route 53 Creates for a Public Hosted Zone For each public hosted zone that you create, Amazon Route 53 automatically creates a name server (NS) resource record set and a start of authority (SOA) resource record set. Don't change these records. Topics • The Name Server (NS) Resource Record Set (p. 169) • The Start of Authority (SOA) Resource Record Set (p. 170) The Name Server (NS) Resource Record Set Amazon Route 53 automatically creates a name server (NS) resource record set that has the same name as your hosted zone. It lists the four name servers that are the authoritative name servers for your hosted zone. Do not add, change, or delete name servers in this resource record set. The following examples show the format for the names of Amazon Route 53 name servers (these are examples only; don't use them when you're updating your registrar's name server records): • ns-2048.awsdns-64.com • ns-2049.awsdns-65.net • ns-2050.awsdns-66.org • ns-2051.awsdns-67.co.uk To get the list of name servers for your hosted zone: 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, click Hosted Zones. 3. 4. On the Hosted Zones page, choose the radio button (not the name) for the hosted zone. In the right pane, make note of the four servers listed for Name Servers. Alternatively, you can use the GetHostedZone action. For more information, see GetHostedZone in the Amazon Route 53 API Reference. After you create a hosted zone, update your registrar's or your DNS service's name server records, as applicable, to refer to the Amazon Route 53 name servers: API Version 2013-04-01 169 Amazon Route 53 Developer Guide The Start of Authority (SOA) Resource Record Set • If you migrated an existing domain to Amazon Route 53, see Updating Your Registrar's Name Servers (p. 143). • If you created a subdomain that uses Amazon Route 53 without migrating the parent domain, see Updating Your DNS Service with Name Server Records for the Subdomain (p. 146). • If you migrated a subdomain to Amazon Route 53 without migrating the parent domain, see Updating Your DNS Service with Name Server Records for the Subdomain (p. 149). Note Some registrars only allow you to specify name servers using IP addresses; they don't allow you to specify fully qualified domain names. If your registrar requires that you use IP addresses, you can get the IP addresses for your name servers using the dig utility (for Mac, Unix, or Linux) or the nslookup utility (for Windows). We rarely change the IP addresses of name servers; if we need to change IP addresses, we'll notify you in advance. The Start of Authority (SOA) Resource Record Set The start of authority (SOA) resource record set identifies the base DNS information about the domain, for example: ns-2048.awsdns-64.net. hostmaster.example.com. 1 7200 900 1209600 86400 The elements of the SOA record include: • The host that created the SOA record, for example, ns-2048.awsdns-64.net. • The email address of the administrator in a format with the @ symbol replaced by a period, for example, hostmaster.example.com.The default value is an amazon.com email address that is not monitored. • A revision number to increment when you change the zone file and distribute changes to secondary DNS servers, for example 1. • A refresh time in seconds that secondary DNS servers wait before querying the primary DNS server's SOA record to check for changes, for example 7200. • The retry interval in seconds that a secondary server waits before retrying a failed zone transfer, for example 900 (15 minutes). Normally, the retry time is less than the refresh time. • The expire time in seconds that a secondary server will keep trying to complete a zone transfer, for example 1209600 (two weeks). If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means that the secondary server will stop answering queries because it considers its data too old to be reliable. • The minimum time to live (TTL). This value helps define the length of time that an NXDOMAIN result, which indicates that a domain does not exist, should be cached by a DNS resolver. Caching this negative result is referred to as negative caching. The duration of negative caching is the lesser of the SOA record's TTL or the value of the minimum TTL field. The default minimum TTL on Amazon Route 53 SOA records is 900 seconds. To change the TTL for resource record sets, including SOA resource record sets, you can use the Amazon Route 53 console. For more information, see Editing Resource Record Sets (p. 232). You can also use the ChangeResourceRecordSets API. For more information, see ChangeResourceRecordSets in the Amazon Route 53 API Reference. API Version 2013-04-01 170 Amazon Route 53 Developer Guide Working with Private Hosted Zones A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs). To begin, you create a private hosted zone and specify the Amazon VPCs that you want to associate with the hosted zone. You then create resource record sets that determine how Amazon Route 53 responds to queries for your domain and subdomains within and among your Amazon VPCs. For example, if you have a web server associated with your domain, you'll create an A record in your hosted zone so browser queries for example.com are routed to your web server. For more information about resource record sets, see Working with Resource Record Sets (p. 178). For information about the Amazon VPC requirements for using private hosted zones, see Using Private Hosted Zones in the Amazon VPC User Guide. Note the following about using private hosted zones: Amazon VPC Settings To use private hosted zones, you must set the following Amazon VPC settings to true: • enableDnsHostnames • enableDnsSupport For more information, see Updating DNS Support for Your VPC in the Amazon VPC User Guide. Amazon Route 53 Health Checks In a private hosted zone, you can associate Amazon Route 53 health checks only with failover resource record sets. For more information, see Configuring Failover in a Private Hosted Zone (p. 270). Split-View DNS You can use Amazon Route 53 to configure split-view DNS, also known as split-horizon DNS. If you want to maintain internal and external versions of the same website or application (for example, for testing changes before you make them public), you can configure public and private hosted zones to return different internal and external IP addresses for the same domain name. Just create a public hosted zone and a private hosted zone that have the same domain name, and create the same subdomains in both hosted zones. Associating an Amazon VPC with More than One Private Hosted Zone You can associate a VPC with more than one private hosted zone, but the namespaces must not overlap. For example, you cannot associate a VPC with hosted zones for both example.com and acme.example.com because both namespaces end with example.com. Public and Private Hosted Zones that Have the Same Name When you have private and public hosted zones, the private hosted zone takes precedence over the public hosted zone when you're logged into an Amazon EC2 instance in an Amazon VPC that you have associated with the private hosted zone. For example, suppose that you have created public and private hosted zones for example.com, and you have created a www.example.com subdomain only for the public hosted zone. When you're logged into an Amazon EC2 instance in a VPC that is API Version 2013-04-01 171 Amazon Route 53 Developer Guide Creating a Private Hosted Zone associated with the example.com private hosted zone, you can't browse to www.example.com because it exists only in the public hosted zone. Delegating Responsibility for a Subdomain You cannot create NS records in a private hosted zone to delegate responsibility for a subdomain. Custom DNS Servers If you have configured custom DNS servers on Amazon EC2 instances in your VPC, you must configure those DNS servers to route your private DNS queries to the IP address of the Amazon-provided DNS servers for your VPC. This IP address is the IP address at the base of the VPC network range "plus two." For example, if the CIDR range for your VPC is 10.0.0.0/16, the IP address of the DNS server is 10.0.0.2. If you're using custom DNS servers that are outside of your VPC and you want to use private DNS, you must reconfigure to use custom DNS servers on Amazon EC2 instances within your VPC. For more information, see Amazon DNS Server in the Amazon VPC User Guide. If you have integrated your on-premises network with one or more Amazon VPC virtual networks and you want your on-premises network to resolve domain names in private hosted zones, you can create a Simple AD directory. Simple AD provides IP addresses that you can use to submit DNS queries from your on-premises network to your private hosted zone. For more information, see Getting Started with Simple AD in the AWS Directory Service Administration Guide. This topic explains how to use the Amazon Route 53 console to create, list, and delete private hosted zones. For information about using the Amazon Route 53 API to perform these operations, see Actions on Private Hosted Zones in the Amazon Route 53 API Reference. You can also use an Amazon Route 53 public hosted zone to route traffic for your domain on the Internet. For more information, see Working with Public Hosted Zones (p. 162). Topics • Creating a Private Hosted Zone (p. 172) • Listing Private Hosted Zones (p. 174) • Associating More Amazon VPCs with a Private Hosted Zone (p. 174) • Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts (p. 175) • Disassociating Amazon VPCs from a Private Hosted Zone (p. 176) • Deleting a Private Hosted Zone (p. 177) Creating a Private Hosted Zone A private hosted zone is a container for resource record sets for a specified domain that you host in one or more Amazon Virtual Private Clouds (Amazon VPCs). You create a hosted zone for a domain (such as example.com), and then you create resource record sets to tell Amazon Route 53 how you want traffic to be routed for that domain within and among your Amazon VPCs. For information about creating a private hosted zone by using the Amazon Route 53 API, see POST CreateHostedZone (Private) in the Amazon Route 53 API Reference. To create a private hosted zone 1. If you want to use different accounts to create the hosted zone and the associated Amazon VPCs, we need to update account permissions for you. Perform the procedure in Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts (p. 175). API Version 2013-04-01 172 Amazon Route 53 Developer Guide Creating a Private Hosted Zone 2. When the AWS customer support team contacts you to tell you that permissions for the hosted zone have been updated, continue with the rest of this procedure. For each Amazon VPC that you want to associate with the Amazon Route 53 hosted zone, change the following Amazon VPC settings to true: • enableDnsHostnames • enableDnsSupport For more information, see Updating DNS Support for Your VPC in the Amazon VPC User Guide. 3. 5. If you're using an account to create the hosted zone that is different from the account that you used to create the VPCs that you're associating with the hosted zone, get the VPC IDs and the corresponding regions. For more information, see To get the VPC ID and region for a VPC that is associated with another AWS account (p. 173). Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you're new to Amazon Route 53, choose Get Started Now under DNS Management. 6. 7. If you're already using Amazon Route 53, choose Hosted Zones in the navigation pane. Choose Create Hosted Zone. In the Create Private Hosted Zone pane, enter a domain name and, optionally, a comment. 8. 9. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). In the Type list, choose Private Hosted Zone for Amazon VPC. In the VPC ID list, choose the Amazon VPC that you want to associate with the hosted zone. 4. If you want to associate a VPC that you created by using a different account, the VPC won't appear in the list. Type the VPC ID and region in the following format: VPC ID | region-name In this format, region-name is the applicable value in the Region column in the Amazon VPC table in AWS Regions and Endpoints. If you want to associate more than one VPC with the hosted zone, you can add VPCs after you create the hosted zone. For more information, see Associating More Amazon VPCs with a Private Hosted Zone (p. 174). 10. Choose Create. To get the VPC ID and region for a VPC that is associated with another AWS account 1. 2. Sign in to the AWS Management Console and open the Amazon VPC console at https:// console.aws.amazon.com/vpc/. In the navigation pane, choose Your VPCs. 3. In the region selector at the upper right of the console, choose the region that you created the VPC in. 4. 5. In the VPC ID column, get the ID of the VPC that you want to associate with the hosted zone. If you want to associate multiple VPCs with the hosted zone and you created the VPCs by using an account that is different from the account that you'll use to create the hosted zone, repeat steps 3 and 4 to get the ID and region for each VPC. API Version 2013-04-01 173 Amazon Route 53 Developer Guide Listing Private Hosted Zones Listing Private Hosted Zones You can use the Amazon Route 53 console to list all of the hosted zones that you created with the current AWS account. For information about how to list hosted zones using the Amazon Route 53 API, see GET ListHostedZones (Public and Private) in the Amazon Route 53 API Reference. To list the hosted zones associated with an AWS account using the Amazon Route 53 console 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. In the navigation pane, choose Hosted Zones. The Hosted Zones page automatically displays a list of all of the hosted zones that were created using the current AWS account. The Type column indicates whether a hosted zone is private or public. Choose the column heading to group all private hosted zones and all public hosted zones. Associating More Amazon VPCs with a Private Hosted Zone You can use the Amazon Route 53 console to associate more Amazon VPCs with a private hosted zone. For information about how to associate more Amazon VPCs with a private hosted zone using the Amazon Route 53 API, see POST AssociateVPCWithHostedZone in the Amazon Route 53 API Reference. To associated additional Amazon VPCs with a private hosted zone using the Amazon Route 53 console 1. 2. 3. 4. 5. 6. If you used different accounts to create the hosted zone and the Amazon VPCs that you're associating with the hosted zone, we need to update account permissions for you. Perform the procedure in Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts (p. 175) if you haven't already. When the AWS customer support team contacts you to tell you that permissions for the hosted zone have been updated, continue with the rest of this procedure. If you used different accounts to create the hosted zone and the Amazon VPCs that you're associating with the hosted zone, get the VPC IDs and the corresponding regions. For more information, see To get the VPC ID and region for a VPC that is associated with another AWS account (p. 175). Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Hosted Zones. Select the radio button for the private hosted zone that you want to associate additional Amazon VPCs with. In the right pane, in VPC ID, choose the ID of the VPC that you want to associate with this hosted zone. If you want to associate a VPC that you created by using a different account, the VPC won't appear in the list. Type the VPC ID and region in the following format: VPC ID | region-name In this format, region-name is the applicable value in the Region column in the Amazon VPC table in AWS Regions and Endpoints. API Version 2013-04-01 174 Amazon Route 53 Developer Guide Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts 7. 8. Choose Associate New VPC. If you want to associate additional VPCs with this hosted zone, repeat steps 6 and 7. To get the VPC ID and region for a VPC that is associated with another AWS account 1. 2. 3. 4. 5. Sign in to the AWS Management Console and open the Amazon VPC console at https:// console.aws.amazon.com/vpc/. In the navigation pane, choose Your VPCs. In the region selector at the upper right of the console, choose the region that you created the VPC in. In the VPC ID column, get the ID of the VPC that you want to associate with the hosted zone. If you want to associate multiple VPCs with the hosted zone and you created the VPCs by using an account that is different from the account that you'll use to create the hosted zone, repeat steps 3 and 4 to get the ID and region for each VPC. Associating Amazon VPCs and Private Hosted Zones That You Create with Different AWS Accounts If you want to perform either of the following tasks, contact the AWS Support Center first so we can update your permissions for you: • Create an Amazon Route 53 private hosted zone by using one AWS account and associate Amazon VPCs that you created by using one or more other AWS accounts with the new hosted zone • Associate an Amazon VPC that you created by using one AWS account with an existing Amazon Route 53 private hosted zone that you created by using another AWS account When the AWS customer support team contacts you to tell you that permissions for the hosted zone have been updated, you can create the private hosted zone or associate Amazon VPCs with the existing hosted zone. To associate Amazon VPCs and private hosted zones that were created by different AWS accounts 1. 2. Using the AWS account that you have already created a private hosted zone with or that you will create one with, sign in to the AWS Support Center. Specify the following values: Regarding Accept the default value of Account and Billing Support. Service Choose Account. Category Choose Other Account Issues. Subject Specify Associate an Amazon VPC with a hosted zone that was created by a different account. Description Provide the following information: API Version 2013-04-01 175 Amazon Route 53 Developer Guide Disassociating Amazon VPCs from a Private Hosted Zone • The hosted zone ID of the hosted zone that you want to want to associate the Amazon VPC with • The AWS account IDs for all of the accounts that created the Amazon VPCs that you want to associate with the Amazon Route 53 hosted zone • The VPC IDs and their regions Contact method Specify a contact method and, if you choose Phone, enter the applicable values. 3. 4. Choose Submit. The AWS customer support team works with the Amazon Route 53 team to update the permissions for the AWS account that created the existing hosted zone or that you want to use to create a new hosted zone. When permissions for the hosted zone have been updated, the AWS customer support team contacts you by using the contact method that you specified when you opened the case. Use the Amazon Route 53 console, one of the AWS SDKs, the AWS CLI, or the Amazon Route 53 API to associate Amazon VPCs with your hosted zones. You can either associate VPCs with an existing private hosted zone or create a new hosted zone and associate VPCs at the same time. For more information, see the applicable documentation: • Amazon Route 53 console – See Creating a Private Hosted Zone (p. 172) or Associating More Amazon VPCs with a Private Hosted Zone (p. 174) • SDK documentation – See the AWS Documentation page • AWS CLI documentation – See the AWS Command Line Interface Reference • Amazon Route 53 API – See Actions on Private Hosted Zones in the Amazon Route 53 API Reference Disassociating Amazon VPCs from a Private Hosted Zone You can use the Amazon Route 53 console to disassociate Amazon VPCs from a private hosted zone. For information about how to disassociate Amazon VPCs from a private hosted zone using the Amazon Route 53 API, see POST DisassociateVPCFromHostedZone in the Amazon Route 53 API Reference. To disassociated Amazon VPCs from a private hosted zone using the Amazon Route 53 console 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. 3. 4. In the navigation pane, choose Hosted Zones. Select the private hosted zone from which you want to disassociate one or more Amazon VPCs. In the right pane, choose the x icon next to the VPC that you want to disassociate from this hosted zone. Choose Disassociate to confirm. 5. API Version 2013-04-01 176 Amazon Route 53 Developer Guide Deleting a Private Hosted Zone Deleting a Private Hosted Zone The following procedure explains how to delete a private hosted zone using the Amazon Route 53 console. For information about how to delete a private hosted zone using the Amazon Route 53 API, see DELETE DeleteHostedZone (Private) in the Amazon Route 53 API Reference. You can delete a private hosted zone only if there are no resource record sets other than the default SOA and NS records. If your hosted zone contains other resource record sets, you must delete them before you can delete your hosted zone. This prevents you from accidentally deleting a hosted zone that still contains resource record sets. To delete a private hosted zone using the Amazon Route 53 console 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. Confirm that the hosted zone that you want to delete contains only an NS and an SOA resource record set. If it contains additional resource record sets, delete them: a. b. c. 3. 4. 5. Choose the name of the hosted zone that you want to delete. On the Record Sets page, if the list of resource record sets includes any resource record sets for which the value of the Type column is something other than NS or SOA, choose the row, and choose Delete Record Set. To select multiple, consecutive resource record sets, choose the first row, press and hold the Shift key, and choose the last row. To select multiple, non-consecutive resource record sets, choose the first row, press and hold the Ctrl key, and choose the remaining rows. Choose Back to Hosted Zones. On the Hosted Zones page, choose the row for the hosted zone that you want to delete. Choose Delete Hosted Zone. Choose Confirm. API Version 2013-04-01 177 Amazon Route 53 Developer Guide Working with Resource Record Sets After you create a hosted zone for your domain, such as example.com, you create resource record sets to tell the Domain Name System (DNS) how you want traffic to be routed for that domain. For example, you might create resource record sets that cause DNS to do the following: • Route Internet traffic for example.com to the IP address of a host in your data center. • Route email for that domain (ichiro@example.com) to a mail server (mail.example.com). • Route traffic for a subdomain called operations.tokyo.example.com to the IP address of a different host. Each resource record set includes the name of a domain or a subdomain, a record type (for example, a resource record set with a type of MX routes email), and other information applicable to the record type (for MX records, the host name of one or more mail servers and a priority for each server). For information about the different types of resource records, see DNS Domain Name Format (p. 2). The name of each resource record set in a hosted zone must end with the name of the hosted zone. For example, the example.com hosted zone can contain resource record sets for www.example.com and accounting.tokyo.example.com subdomains, but cannot contain resource record sets for a www.example.ca subdomain. Note To create resource record sets for complex routing configurations, you can also use the traffic flow visual editor and save the configuration as a traffic policy. You can then associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. In addition, you can roll back the updates if the new configuration isn't performing as you expected it to. For more information, see Using Traffic Flow to Route DNS Traffic (p. 234). Amazon Route 53 doesn't charge for the resource record sets that you add to a hosted zone. For information about limits on the number of resource record sets that you can create in a hosted zone, see Limits (p. 309). Topics • Choosing a Routing Policy (p. 179) • Choosing Between Alias and Non-Alias Resource Record Sets (p. 182) • Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184) API Version 2013-04-01 178 Amazon Route 53 Developer Guide Choosing a Routing Policy • Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets (p. 186) • Creating Resource Record Sets By Importing a Zone File (p. 230) • Editing Resource Record Sets (p. 232) • Deleting Resource Record Sets (p. 232) • Listing Resource Record Sets (p. 233) Choosing a Routing Policy When you create a resource record set, you choose a routing policy, which determines how Amazon Route 53 responds to queries: Simple Routing Policy Use a simple routing policy when you have a single resource that performs a given function for your domain, for example, one web server that serves content for the example.com website. In this case, Amazon Route 53 responds to DNS queries based only on the values in the resource record set, for example, the IP address in an A record. Weighted Routing Policy Use the weighted routing policy when you have multiple resources that perform the same function (for example, web servers that serve the same website) and you want Amazon Route 53 to route traffic to those resources in proportions that you specify (for example, one quarter to one server and three quarters to the other). For more information about weighted resource record sets, see Weighted Routing (p. 179). Latency Routing Policy Use the latency routing policy when you have resources in multiple Amazon EC2 data centers that perform the same function and you want Amazon Route 53 to respond to DNS queries with the resources that provide the best latency. For example, you might have web servers for example.com in the Amazon EC2 data centers in Ireland and in Tokyo. When a user browses to example.com, Amazon Route 53 chooses to respond to the DNS query based on which data center gives your user the lowest latency. For more information about latency resource record sets, see Latency-Based Routing (p. 180). Failover Routing Policy (Public Hosted Zones Only) Use the failover routing policy when you want to configure active-passive failover, in which one resource takes all traffic when it's available and the other resource takes all traffic when the first resource isn't available. For more information about failover resource record sets, see Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets (p. 273). For information about creating failover resource record sets in a private hosted zone, see Configuring Failover in a Private Hosted Zone (p. 270). Geolocation Routing Policy Use the geolocation routing policy when you want Amazon Route 53 to respond to DNS queries based on the location of your users. For more information about geolocation resource record sets, see Geolocation Routing (p. 181). Weighted Routing Weighted resource record sets let you associate multiple resources with a single DNS name. This can be useful for a variety of purposes, including load balancing and testing new versions of software. To create a group of weighted resource record sets, you create two or more resource record sets that have the same combination of DNS name and type, and you assign each resource record set a unique identifier and a relative weight. When processing a DNS query, Amazon Route 53 searches for a resource record set or a group of resource record sets that have the specified name and type. For weighted resource record sets, Amazon API Version 2013-04-01 179 Amazon Route 53 Developer Guide Latency-Based Routing Route 53 selects one from the group. The probability of any one resource record set being selected depends on its weight as a proportion of the total weight for all resource record sets in the group: For example, suppose you create three resource record sets for www.example.com. The three A records have weights of 1, 1, and 3 (sum = 5). On average, Amazon Route 53 selects each of the first two resource record sets one-fifth of the time, and returns the third resource record set three-fifths of the time. Latency-Based Routing If your application is hosted on Amazon EC2 instances in multiple Amazon EC2 regions, you can reduce latency for your users by serving their requests from the Amazon EC2 region for which network latency is lowest. Amazon Route 53 latency-based routing lets you use DNS to route user requests to the Amazon EC2 region that will give your users the fastest response. To use latency-based routing, you create a latency resource record set for the Amazon EC2 resource in each region that hosts your application. When Amazon Route 53 receives a query for the corresponding domain, it selects the latency resource record set for the Amazon EC2 region that gives the user the lowest latency. Amazon Route 53 then responds with the value associated with that resource record set. For example, suppose you have ELB load balancers in the US West (Oregon) region and in the Asia Pacific (Singapore) region, and that you've created a latency resource record set in Amazon Route 53 for each load balancer. A user in London enters the name of your domain in a browser, and DNS routes the request to an Amazon Route 53 name server. Amazon Route 53 refers to its data on latency between London and the Singapore region and between London and the Oregon region. If latency is lower between London and the Oregon region, Amazon Route 53 responds to the user's request with the IP address of your load balancer in the Amazon EC2 data center in Oregon. If latency is lower between London and the Singapore region, Amazon Route 53 responds with the IP address of your load balancer in the Amazon EC2 data center in Singapore. Latency between hosts on the Internet can change over time as a result of changes in network connectivity and routing. Latency-based routing is based on latency measurements performed over a period of time, and the measurements reflect these changes. For example, if you have load balancers in the Oregon API Version 2013-04-01 180 Amazon Route 53 Developer Guide Geolocation Routing and Singapore Amazon EC2 regions, a request that is routed to the Oregon region this week might be routed to the Singapore region next week if latency from the user to the Singapore region improves. You can create latency resource record sets for the following: • Amazon EC2 instances, with or without Elastic IP addresses. • ELB load balancers, which balance traffic for Amazon EC2 instances. You can create latency resource record sets using any record type that Amazon Route 53 supports except NS or SOA. For information about supported record types, see Supported DNS Resource Record Types (p. 4). To create latency resource record sets, perform the following steps: 1. Create the AWS resources for your application: • If you want to use ELB load balancers, create one or more load balancers in each Amazon EC2 region in which you want to run your application. For more information, see Managing Load Balancers in the Elastic Load Balancing Developer Guide. The name you specify when you create a load balancer is the name you'll use when you create a latency resource record set in Amazon Route 53. • If you want to use Amazon EC2 instances, launch one or more Amazon EC2 instances in each Amazon EC2 region in which you want to run your application. For more information, see Amazon EC2 Getting Started Guide. Note We recommend that you assign Elastic IP addresses to your Amazon EC2 instances to ensure that the IP addresses don't change. 2. Create an Amazon Route 53 hosted zone (p. 162). 3. Create latency resource record sets in your hosted zone. For information about how to create resource record sets using the Amazon Route 53 console, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). For information about how to create latency resource record sets using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Geolocation Routing Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location from which DNS queries originate. For example, you might want all queries from Africa to be routed to a web server with an IP address of 192.0.2.111. When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way, so that each user location is consistently routed to the same endpoint. You can specify geographic locations by continent, by country, or by state in the United States. If you create separate resource record sets for overlapping geographic regions—for example, one resource record set for a continent and one for a country on the same continent—priority goes to the smallest geographic region. This allows you to route some queries for a continent to one resource and to route queries for selected countries on that continent to a different resource. (For a list of the countries on each continent, see Location (p. 221).) Geolocation works by mapping IP addresses to locations. However, some IP addresses aren't mapped to geographic locations, so even if you create geolocation resource record sets that cover all seven API Version 2013-04-01 181 Amazon Route 53 Developer Guide Choosing Between Alias and Non-Alias Resource Record Sets continents, Amazon Route 53 will receive some DNS queries from locations that it can't identify. You can create a default resource record set that handles both queries from IP addresses that aren't mapped to any location and queries that come from locations for which you haven't created geolocation resource record sets. If you don't create a default resource record set, Amazon Route 53 returns a "no answer" response for queries from those locations. You cannot create two geolocation resource record sets that specify the same geographic location. You also cannot create geolocation resource record sets that have the same values for Name and Type as the Name and Type of non-geolocation resource record sets. To improve the accuracy of geolocation routing, Amazon Route 53 supports the edns-client-subnet extension of EDNS0. (EDNS0 adds several optional extensions to the DNS protocol.) Amazon Route 53 can use edns-client-subnet only when DNS resolvers support it: • When a browser or other viewer uses a DNS resolver that does not support edns-client-subnet, Amazon Route 53 uses the source IP address of the DNS resolver to approximate the location of the user and responds to geolocation queries with the DNS record for the resolver's location. • When a browser or other viewer uses a DNS resolver that does support edns-client-subnet, the DNS resolver sends Amazon Route 53 a truncated version of the user's IP address. Amazon Route 53 determines the location of the user based on the truncated IP address rather than the source IP address of the DNS resolver; this typically provides a more accurate estimate of the user's location. Amazon Route 53 then responds to geolocation queries with the DNS record for the user's location. For more information about edns-client-subnet, see the IETF draft Client Subnet in DNS Requests. Choosing Between Alias and Non-Alias Resource Record Sets While ordinary Amazon Route 53 resource record sets are standard DNS resource record sets, alias resource record sets provide an Amazon Route 53–specific extension to DNS functionality. Instead of an IP address or a domain name, an alias resource record set contains a pointer to a CloudFront distribution, an Elastic Beanstalk environment, an ELB load balancer, an Amazon S3 bucket that is configured as a static website, or another Amazon Route 53 resource record set in the same hosted zone. When Amazon Route 53 receives a DNS query that matches the name and type in an alias resource record set, Amazon Route 53 follows the pointer and responds with the applicable value: • An alternate domain name for a CloudFront distribution – Amazon Route 53 responds as if the query had asked for the CloudFront distribution by using the CloudFront domain name, such as d111111abcdef8.cloudfront.net. Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. • An Elastic Beanstalk environment – Amazon Route 53 responds to each request with one or more IP addresses for the environment. • An ELB load balancer – Amazon Route 53 responds to each request with one or more IP addresses for the load balancer. • An Amazon S3 bucket that is configured as a static website – Amazon Route 53 responds to each request with one IP address for the Amazon S3 bucket. • Another Amazon Route 53 resource record set in the same hosted zone – Amazon Route 53 responds as if the query had asked for the resource record set that is referenced by the pointer. API Version 2013-04-01 182 Amazon Route 53 Developer Guide Choosing Between Alias and Non-Alias Resource Record Sets If an alias resource record set points to a CloudFront distribution, an Elastic Beanstalk environment, an ELB load balancer, or an Amazon S3 bucket, you cannot set the time to live (TTL); Amazon Route 53 uses the CloudFront, Elastic Beanstalk, Elastic Load Balancing, or Amazon S3 TTLs. If an alias resource record set points to another resource record set in the same hosted zone, Amazon Route 53 uses the TTL of the resource record set that the alias resource record set points to. For more information about the current TTL value for Elastic Load Balancing, go to Request Routing in the Elastic Load Balancing Developer Guide and search for "ttl". Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets that the alias resource record set refers to. For example, suppose an alias resource record set for example.com points to an ELB load balancer at lb1-1234.us-east-1.elb.amazonaws.com. If the IP address of the load balancer changes, Amazon Route 53 will automatically reflect those changes in DNS answers for example.com without any changes to the hosted zone that contains resource record sets for example.com. Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For information about creating resource record sets by using the Amazon Route 53 console, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). For information about the values that you specify for alias resource record sets, see the applicable topic in Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets (p. 186): • • • • • Values for Alias Resource Record Sets (p. 192) Values for Weighted Alias Resource Record Sets (p. 196) Values for Latency Alias Resource Record Sets (p. 206) Values for Failover Alias Resource Record Sets (p. 215) Values for Geolocation Alias Resource Record Sets (p. 224) Alias resource records sets are similar to CNAME records, but there are some important differences: CNAME Records Alias Records Amazon Route 53 charges for CNAME queries. Amazon Route 53 doesn't charge for alias queries to CloudFront distributions, Elastic Beanstalk environments, ELB load balancers, or Amazon S3 buckets. For more information, see Amazon Route 53 Pricing. You cannot create a CNAME record at the top node You can create an alias resource record set at the of a DNS namespace, also known as the zone zone apex. apex. For example, if you register the DNS name example.com, the zone apex is example.com. A CNAME record redirects queries for a domain name regardless of record type. Amazon Route 53 follows the pointer in an alias resource record set only when the record type also matches. API Version 2013-04-01 183 Amazon Route 53 Developer Guide Creating Resource Record Sets by Using the Amazon Route 53 Console CNAME Records Alias Records A CNAME record can point to any DNS record hosted anywhere, including to the resource record set that Amazon Route 53 automatically creates when you create a policy record. For more information, see Using Traffic Flow to Route DNS Traffic (p. 234). An alias resource record set can only point to a CloudFront distribution, an Elastic Beanstalk environment, an ELB load balancer, an Amazon S3 bucket that is configured as a static website, or another resource record set in the same Amazon Route 53 hosted zone in which you're creating the alias resource record set. However, you can't create an alias that points to the resource record set that Amazon Route 53 creates when you create a policy record. A CNAME record is visible in the answer section of a reply from an Amazon Route 53 DNS server. An alias resource record set is only visible in the Amazon Route 53 console or the Amazon Route 53 API. A CNAME record is followed by a recursive resolv- An alias resource record set is only followed inside er. Amazon Route 53. This means that both the alias resource record set and its target must exist in Amazon Route 53. Creating Resource Record Sets by Using the Amazon Route 53 Console The following procedure explains how to create resource record sets using the Amazon Route 53 console. For information about how to create resource record sets using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Note To create resource record sets for complex routing configurations, you can also use the traffic flow visual editor and save the configuration as a traffic policy. You can then associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. In addition, you can roll back the updates if the new configuration isn't performing as you expected it to. For more information, see Using Traffic Flow to Route DNS Traffic (p. 234). To create a resource record set using the Amazon Route 53 console 1. If you're not creating an alias resource record set, go to step 2. Also go to step 2 if you're creating an alias resource record set that routes DNS traffic to a CloudFront distribution, an Elastic Beanstalk environment, an Amazon S3 bucket, or another Amazon Route 53 resource record set. 2. 3. If you're creating an alias resource record set that routes traffic to an Elastic Load Balancing load balancer, and if you created your Amazon Route 53 hosted zone and your load balancer using different accounts, perform the procedure Getting the DNS Name for an ELB Load Balancer (p. 185) to get the DNS name for the load balancer. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. If you already have a hosted zone for your domain, skip to step 4. If you don't, perform the following steps: a. Click Create Hosted Zone. API Version 2013-04-01 184 Amazon Route 53 Developer Guide Creating Resource Record Sets by Using the Amazon Route 53 Console 4. 5. 6. b. c. For Domain Name, enter the name of your domain. Optional: For Comment, enter a comment about the hosted zone. d. Click Create. On the Hosted Zones page, choose the name of the hosted zone in which you want to create resource record sets. Click Create Record Set. Enter the applicable values. For more information, see the topic for the kind of resource record set that you want to create: • Values for Basic Resource Record Sets (p. 186) • Values for Weighted Resource Record Sets (p. 189) • Values for Alias Resource Record Sets (p. 192) • • • • • • • 7. Values for Weighted Alias Resource Record Sets (p. 196) Values for Latency Resource Record Sets (p. 202) Values for Latency Alias Resource Record Sets (p. 206) Values for Failover Resource Record Sets (p. 212) Values for Failover Alias Resource Record Sets (p. 215) Values for Geolocation Resource Record Sets (p. 220) Values for Geolocation Alias Resource Record Sets (p. 224) Click Create. Note Your new resource record sets take time to propagate to the Amazon Route 53 DNS servers. Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. 8. If you're creating multiple resource record sets, repeat steps 5 through 7. Getting the DNS Name for an ELB Load Balancer 1. 2. 3. 4. 5. Sign in to the AWS Management Console using the AWS account that was used to create the load balancer for which you want to create an alias resource record set. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, click Load Balancers. In the list of load balancers, select the load balancer for which you want to create an alias resource record set. On the Description tab, get the DNS name that is labeled A or AAAA Record. This domain name begins with dualstack. 6. 7. If you want to create alias resource record sets for other ELB load balancers, repeat steps 4 and 5. Sign out of the AWS Management Console. 8. Sign in to the AWS Management Console again using the AWS account that you used to create the Amazon Route 53 hosted zone. Return to step 3 of the procedure Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). 9. API Version 2013-04-01 185 Amazon Route 53 Developer Guide Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets When you create resource record sets using the Amazon Route 53 console, the values that you specify depend on the routing policy that you want to use and on whether you're creating alias resource record sets, which route traffic to AWS resources. Topics • Values for Basic Resource Record Sets (p. 186) • Values for Weighted Resource Record Sets (p. 189) • Values for Alias Resource Record Sets (p. 192) • Values for Weighted Alias Resource Record Sets (p. 196) • Values for Latency Resource Record Sets (p. 202) • Values for Latency Alias Resource Record Sets (p. 206) • • • • Values for Failover Resource Record Sets (p. 212) Values for Failover Alias Resource Record Sets (p. 215) Values for Geolocation Resource Record Sets (p. 220) Values for Geolocation Alias Resource Record Sets (p. 224) Values for Basic Resource Record Sets When you create basic resource record sets, you specify the following values: Topics • Name (p. 186) • Type (p. 187) • Alias (p. 187) • TTL (Time to Live) (p. 187) • Value (p. 187) • Routing Policy (p. 188) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). Important You can't use the * wildcard for resource records sets that have a type of NS. API Version 2013-04-01 186 Amazon Route 53 Developer Guide Values for Basic Resource Record Sets Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the value for Type based on how you want Amazon Route 53 to respond to DNS queries. Alias Select No. TTL (Time to Live) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record set (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. If you're associating this resource record set with a health check, we recommend that you specify a TTL of 60 seconds or less so clients respond quickly to changes in health status. Value Enter a value that is appropriate for the value of Type. For all types except CNAME, you can enter more than one value. Enter each value on a separate line. A — IPv4 address An IP address in IPv4 format, for example, 192.0.2.235. AAAA — IPv6 address An IP address in IPv6 format, for example, 2001:0db8:85a3:0:0:8a2e:0370:7334. CNAME — Canonical name The fully qualified domain name (for example, www.example.com) that you want Amazon Route 53 to return in response to DNS queries for this resource record set. A trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. MX — Mail exchange A priority and a domain name that specifies a mail server, for example, 10 mailserver.example.com. NS — Name server The domain name of a name server, for example, ns1.example.com. PTR — Pointer The domain name that you want Amazon Route 53 to return. SOA — Start of Authority Basic DNS information about the domain. For more information, see The Start of Authority (SOA) Resource Record Set (p. 170). SPF — Sender Policy Framework An SPF record enclosed in quotation marks, for example, "v=spf1 ip4:192.168.0.1/16-all". SPF records are not recommended. For more information, see Supported DNS Resource Record Types (p. 4). SRV — Service locator An SRV record. For information about SRV record format, refer to the applicable documentation. The format of an SRV record is: [priority] [weight] [port] [server host name] API Version 2013-04-01 187 Amazon Route 53 Developer Guide Values for Basic Resource Record Sets For example: 1 10 5269 xmpp-server.example.com. TXT — Text A text record. Enclose text in quotation marks, for example, "Sample Text Entry". Routing Policy Select Simple. API Version 2013-04-01 188 Amazon Route 53 Developer Guide Values for Weighted Resource Record Sets Values for Weighted Resource Record Sets When you create weighted resource record sets, you specify the following values: Topics • Name (p. 189) • Type (p. 189) • Alias (p. 189) • TTL (Time to Live) (p. 189) • Value (p. 190) • Routing Policy (p. 190) • Weight (p. 190) • Set ID (p. 191) • Associate with Health Check/Health Check to Associate (p. 191) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of weighted resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the same value for all of the resource record sets in the group of weighted resource record sets. Alias Select No. TTL (Time to Live) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record set (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. If you're associating this resource record set with a health check, we recommend that you specify a TTL of 60 seconds or less so clients respond quickly to changes in health status. You must specify the same value for TTL for all of the resource record sets in this group of weighted resource record sets. API Version 2013-04-01 189 Amazon Route 53 Developer Guide Values for Weighted Resource Record Sets If a group of weighted resource record sets includes one or more weighted alias resource record sets for which the alias target is an ELB load balancer, we recommend that you specify a TTL of 60 seconds for all of the non-alias weighted resource record sets that have the same name and type. Values other than 60 seconds (the TTL for load balancers) will change the effect of the values that you specify for Weight. Value Enter a value that is appropriate for the value of Type. For all types except CNAME, you can enter more than one value. Enter each value on a separate line. A — IPv4 address An IP address in IPv4 format, for example, 192.0.2.235. AAAA — IPv6 address An IP address in IPv6 format, for example, 2001:0db8:85a3:0:0:8a2e:0370:7334. CNAME — Canonical name The fully qualified domain name (for example, www.example.com) that you want Amazon Route 53 to return in response to DNS queries for this resource record set. A trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. MX — Mail exchange A priority and a domain name that specifies a mail server, for example, 10 mailserver.example.com. PTR — Pointer The domain name that you want Amazon Route 53 to return. SPF — Sender Policy Framework An SPF record enclosed in quotation marks, for example, "v=spf1 ip4:192.168.0.1/16-all". SPF records are not recommended. For more information, see Supported DNS Resource Record Types (p. 4). SRV — Service locator An SRV record. For information about SRV record format, refer to the applicable documentation. The format of an SRV record is: [priority] [weight] [port] [server host name] For example: 1 10 5269 xmpp-server.example.com. TXT — Text A text record. Enclose text in quotation marks, for example, "Sample Text Entry". Routing Policy Select Weighted. Weight A value that determines the proportion of DNS queries that Amazon Route 53 responds to using the current resource record set. Amazon Route 53 calculates the sum of the weights for the resource record sets that have the same combination of DNS name and type. Amazon Route 53 then responds to queries based on the ratio of a resource's weight to the total. You can't create non-weighted resource record sets that have the same values for Name and Type as weighted resource record sets. API Version 2013-04-01 190 Amazon Route 53 Developer Guide Values for Weighted Resource Record Sets Enter an integer between 0 and 255. To disable routing to a resource, set Weight to 0. If you set Weight to 0 for all of the resource record sets in the group, traffic is routed to all resources with equal probability. This ensures that you don't accidentally disable routing for a group of weighted resource record sets. The effect of setting Weight to 0 is different when you associate health checks with weighted resource record sets. For more information, see Configuring Active-Active or Active-Passive Failover by Using Amazon Route 53 Weighted and Weighted Alias Resource Record Sets (p. 271). Set ID Enter a value that uniquely identifies this resource record set in the group of weighted resource record sets. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 191 Amazon Route 53 Developer Guide Values for Alias Resource Record Sets Values for Alias Resource Record Sets When you create alias resource record sets, you specify the following values: Topics • Name (p. 192) • Type (p. 192) • Alias (p. 193) • Alias Target (p. 193) • Alias Hosted Zone ID (p. 195) • Routing Policy (p. 195) • Evaluate Target Health (p. 195) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). The value that you specify depends in part on the AWS resource for which you're creating an alias resource record set: CloudFront Distributions Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Amazon S3 Buckets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. In addition, you must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the applicable value based on the AWS resource for which you're creating a resource record set: CloudFront distribution Select A — IPv4 address Elastic Beanstalk environment that has regionalized subdomains Select A — IPv4 address API Version 2013-04-01 192 Amazon Route 53 Developer Guide Values for Alias Resource Record Sets ELB load balancer Select A — IPv4 address or AAAA — IPv6 address Amazon S3 bucket Select A — IPv4 address Another resource record set in this hosted zone Select the type of the resource record set for which you're creating the alias. Select any value except NS or SOA. Alias Select Yes. Alias Target The value that you specify depends on the AWS resource for which you're creating an alias resource record set. CloudFront Distributions Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For CloudFront distributions, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your CloudFront distribution – Choose Alias Target and choose a distribution from the list. If you have a lot of distributions, you can type the first few characters of the domain name for your distribution to filter the list. If your distribution doesn't appear in the list, note the following: • The name of this resource record set must match an alternate domain name in your distribution. • If you just added an alternate domain name to your distribution, it may take 15 minutes for your changes to propagate to all CloudFront edge locations. Until changes have propagated, Amazon Route 53 can't know about the new alternate domain name. • If you used different accounts to create your Amazon Route 53 hosted zone and your distribution – Enter the CloudFront domain name for the distribution, such as d111111abcdef8.cloudfront.net. If you used one AWS account to create the current hosted zone and a different account to create a distribution, the distribution will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your distributions, the Alias Targets list shows No Targets Available under CloudFront Distributions. Important Do not route queries to a CloudFront distribution that has not propagated to all edge locations, or your users won't be able to access the applicable content. Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Elastic Beanstalk environments that have regionalized subdomains For Elastic Beanstalk environments that have regionalized subdomains, do one of the following: API Version 2013-04-01 193 Amazon Route 53 Developer Guide Values for Alias Resource Record Sets • If you used the same account to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Choose Alias Target, and then choose an environment from the list. If you have a lot of environments, you can type the first few characters of the CNAME attribute for the environment to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Enter the CNAME attribute for the Elastic Beanstalk environment. ELB Load Balancers For ELB load balancers, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer (p. 185). If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers. In either case, the console prepends dualstack. to the DNS name. Amazon S3 Buckets For Amazon S3 buckets that are configured as website endpoints, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Choose Alias Target and choose a bucket from the list. If you have a lot of buckets, you can type the first few characters of the DNS name to filter the list. The value of Alias Target changes to the Amazon S3 website endpoint for your bucket. • If you used different accounts to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Enter the domain name of the Amazon S3 website endpoint in the following format: s3-website-region.amazonaws.com The region value represents the Amazon S3 region in which the bucket is hosted; for example, us-east-1. If you used one AWS account to create the current hosted zone and a different account to create an Amazon S3 bucket, the bucket will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your Amazon S3 buckets, the Alias Targets list shows No Targets Available under S3 Website Endpoints. In a group of weighted alias, latency alias, failover alias, or geolocation alias resource record sets, you can create only one resource record set that routes queries to an Amazon S3 bucket because the name of the resource record set must match the name of the bucket and bucket names must be globally unique. The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. You must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. API Version 2013-04-01 194 Amazon Route 53 Developer Guide Values for Alias Resource Record Sets Resource Record Sets in this Hosted Zone For resource record sets in this hosted zone, choose Alias Target and choose the applicable resource record set. If you have a lot of resource record sets, you can type the first few characters of the name to filter the list. If the hosted zone contains only the default NS and SOA resource record sets, the Alias Targets list shows No Targets Available. Alias Hosted Zone ID This value appears automatically based on the value that you selected or entered for Alias Target. Routing Policy Select Simple. Evaluate Target Health Select Yes if you want Amazon Route 53 to determine whether to respond to DNS queries using this resource record set by checking the health of the resource record set specified by Alias Target. Some AWS resources have special requirements: • CloudFront distributions – You cannot set Evaluate Target Health to Yes when the alias target is a CloudFront distribution. • Elastic Beanstalk environments that have regionalized endpoints – If you specify an Elastic Beanstalk environment in Alias Target and the environment contains an ELB load balancer, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. (An environment automatically contains an ELB load balancer if it includes more than one Amazon EC2 instance.) If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other available resources that are healthy, if any. If the environment contains a single Amazon EC2 instance, there are no special requirements. • ELB load balancers – If you specify an ELB load balancer in Alias Target, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other resources. When you create a load balancer, you configure settings for Elastic Load Balancing health checks; they're not Amazon Route 53 health checks, but they perform a similar function. Do not create Amazon Route 53 health checks for the Amazon EC2 instances that you register with an ELB load balancer. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). • Other resource record sets – If the AWS resource that you specify in Alias Target is a resource record set or a group of resource record sets (for example, a group of weighted resource record sets) but is not another alias resource record set, we recommend that you associate a health check with all of the resource record sets in the alias target. For more information, see What Happens When You Omit Health Checks? (p. 267). We recommend that you set Evaluate Target Health to Yes only when you have enough idle capacity to handle the failure of one or more endpoints. API Version 2013-04-01 195 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets Values for Weighted Alias Resource Record Sets When you create weighted alias resource record sets, you specify the following values: Topics • Name (p. 196) • Type (p. 196) • Alias (p. 197) • Alias Target (p. 197) • Alias Hosted Zone ID (p. 199) • Routing Policy (p. 199) • Weight (p. 199) • Set ID (p. 199) • Evaluate Target Health (p. 199) • Associate with Health Check/Health Check to Associate (p. 200) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of weighted resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). The value that you specify depends in part on the AWS resource for which you're creating an alias resource record set: CloudFront Distributions Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Amazon S3 Buckets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. In addition, you must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the applicable value based on the AWS resource for which you're creating a resource record set: API Version 2013-04-01 196 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets CloudFront distribution Select A — IPv4 address Elastic Beanstalk environment that has regionalized subdomains Select A — IPv4 address ELB load balancer Select A — IPv4 address or AAAA — IPv6 address Amazon S3 bucket Select A — IPv4 address Another resource record set in this hosted zone Select the type of the resource record set for which you're creating the alias. Select any value except NS or SOA. Select the same value for all of the resource record sets in the group of weighted resource record sets. Alias Select Yes. Alias Target The value that you specify depends on the AWS resource for which you're creating an alias resource record set. CloudFront Distributions Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For CloudFront distributions, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your CloudFront distribution – Choose Alias Target and choose a distribution from the list. If you have a lot of distributions, you can type the first few characters of the domain name for your distribution to filter the list. If your distribution doesn't appear in the list, note the following: • The name of this resource record set must match an alternate domain name in your distribution. • If you just added an alternate domain name to your distribution, it may take 15 minutes for your changes to propagate to all CloudFront edge locations. Until changes have propagated, Amazon Route 53 can't know about the new alternate domain name. • If you used different accounts to create your Amazon Route 53 hosted zone and your distribution – Enter the CloudFront domain name for the distribution, such as d111111abcdef8.cloudfront.net. If you used one AWS account to create the current hosted zone and a different account to create a distribution, the distribution will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your distributions, the Alias Targets list shows No Targets Available under CloudFront Distributions. Important Do not route queries to a CloudFront distribution that has not propagated to all edge locations, or your users won't be able to access the applicable content. API Version 2013-04-01 197 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Elastic Beanstalk environments that have regionalized subdomains For Elastic Beanstalk environments that have regionalized subdomains, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Choose Alias Target, and then choose an environment from the list. If you have a lot of environments, you can type the first few characters of the CNAME attribute for the environment to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Enter the CNAME attribute for the Elastic Beanstalk environment. ELB Load Balancers For ELB load balancers, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer (p. 185). If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers. In either case, the console prepends dualstack. to the DNS name. Amazon S3 Buckets For Amazon S3 buckets that are configured as website endpoints, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Choose Alias Target and choose a bucket from the list. If you have a lot of buckets, you can type the first few characters of the DNS name to filter the list. The value of Alias Target changes to the Amazon S3 website endpoint for your bucket. • If you used different accounts to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Enter the domain name of the Amazon S3 website endpoint in the following format: s3-website-region.amazonaws.com The region value represents the Amazon S3 region in which the bucket is hosted; for example, us-east-1. If you used one AWS account to create the current hosted zone and a different account to create an Amazon S3 bucket, the bucket will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your Amazon S3 buckets, the Alias Targets list shows No Targets Available under S3 Website Endpoints. In a group of weighted alias, latency alias, failover alias, or geolocation alias resource record sets, you can create only one resource record set that routes queries to an Amazon S3 bucket because the name of the resource record set must match the name of the bucket and bucket names must be globally unique. API Version 2013-04-01 198 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. You must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Resource Record Sets in this Hosted Zone For resource record sets in this hosted zone, choose Alias Target and choose the applicable resource record set. If you have a lot of resource record sets, you can type the first few characters of the name to filter the list. If the hosted zone contains only the default NS and SOA resource record sets, the Alias Targets list shows No Targets Available. Alias Hosted Zone ID This value appears automatically based on the value that you selected or entered for Alias Target. Routing Policy Select Weighted. Weight A value that determines the proportion of DNS queries that Amazon Route 53 responds to using the current resource record set. Amazon Route 53 calculates the sum of the weights for the resource record sets that have the same combination of DNS name and type. Amazon Route 53 then responds to queries based on the ratio of a resource's weight to the total. You can't create non-weighted resource record sets that have the same values for Name and Type as weighted resource record sets. Enter an integer between 0 and 255. To disable routing to a resource, set Weight to 0. If you set Weight to 0 for all of the resource record sets in the group, traffic is routed to all resources with equal probability. This ensures that you don't accidentally disable routing for a group of weighted resource record sets. The effect of setting Weight to 0 is different when you associate health checks with weighted resource record sets. For more information, see Configuring Active-Active or Active-Passive Failover by Using Amazon Route 53 Weighted and Weighted Alias Resource Record Sets (p. 271). Set ID Enter a value that uniquely identifies this resource record set in the group of weighted resource record sets. Evaluate Target Health Select Yes if you want Amazon Route 53 to determine whether to respond to DNS queries using this resource record set by checking the health of the resource record set specified by Alias Target. Some AWS resources have special requirements: • CloudFront distributions – You cannot set Evaluate Target Health to Yes when the alias target is a CloudFront distribution. • Elastic Beanstalk environments that have regionalized endpoints – If you specify an Elastic Beanstalk environment in Alias Target and the environment contains an ELB load balancer, Elastic API Version 2013-04-01 199 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. (An environment automatically contains an ELB load balancer if it includes more than one Amazon EC2 instance.) If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other available resources that are healthy, if any. If the environment contains a single Amazon EC2 instance, there are no special requirements. • ELB load balancers – If you specify an ELB load balancer in Alias Target, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other resources. When you create a load balancer, you configure settings for Elastic Load Balancing health checks; they're not Amazon Route 53 health checks, but they perform a similar function. Do not create Amazon Route 53 health checks for the Amazon EC2 instances that you register with an ELB load balancer. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). • Other resource record sets – If the AWS resource that you specify in Alias Target is a resource record set or a group of resource record sets (for example, a group of weighted resource record sets) but is not another alias resource record set, we recommend that you associate a health check with all of the resource record sets in the alias target. For more information, see What Happens When You Omit Health Checks? (p. 267). We recommend that you set Evaluate Target Health to Yes only when you have enough idle capacity to handle the failure of one or more endpoints. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the API Version 2013-04-01 200 Amazon Route 53 Developer Guide Values for Weighted Alias Resource Record Sets resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 201 Amazon Route 53 Developer Guide Values for Latency Resource Record Sets Values for Latency Resource Record Sets When you create latency resource record sets, you specify the following values: Note Creating latency resource record sets in private hosted zones is not supported. Topics • Name (p. 202) • Type (p. 202) • Alias (p. 202) • TTL (Time to Live) (p. 202) • Value (p. 203) • Routing Policy (p. 203) • Region (p. 203) • Set ID (p. 204) • Associate with Health Check/Health Check to Associate (p. 204) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of latency resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the value for Type based on how you want Amazon Route 53 to respond to DNS queries. Select the same value for all of the resource record sets in the group of latency resource record sets. Alias Select No. TTL (Time to Live) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record set (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. API Version 2013-04-01 202 Amazon Route 53 Developer Guide Values for Latency Resource Record Sets If you're associating this resource record set with a health check, we recommend that you specify a TTL of 60 seconds or less so clients respond quickly to changes in health status. You must specify the same value for TTL for all of the resource record sets in this group of latency resource record sets. Value Enter a value that is appropriate for the value of Type. For all types except CNAME, you can enter more than one value. Enter each value on a separate line. A — IPv4 address An IP address in IPv4 format, for example, 192.0.2.235. AAAA — IPv6 address An IP address in IPv6 format, for example, 2001:0db8:85a3:0:0:8a2e:0370:7334. CNAME — Canonical name The fully qualified domain name (for example, www.example.com) that you want Amazon Route 53 to return in response to DNS queries for this resource record set. A trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. MX — Mail exchange A priority and a domain name that specifies a mail server, for example, 10 mailserver.example.com. PTR — Pointer The domain name that you want Amazon Route 53 to return. SPF — Sender Policy Framework An SPF record enclosed in quotation marks, for example, "v=spf1 ip4:192.168.0.1/16-all". SPF records are not recommended. For more information, see Supported DNS Resource Record Types (p. 4). SRV — Service locator An SRV record. For information about SRV record format, refer to the applicable documentation. The format of an SRV record is: [priority] [weight] [port] [server host name] For example: 1 10 5269 xmpp-server.example.com. TXT — Text A text record. Enclose text in quotation marks, for example, "Sample Text Entry". Routing Policy Select Latency. Region The Amazon EC2 region where the resource that you specified in this resource record set resides. Amazon Route 53 recommends an Amazon EC2 region based on other values that you've specified.We recommend that you not change this value. Note the following: • You can only create one latency resource record set for each Amazon EC2 region. API Version 2013-04-01 203 Amazon Route 53 Developer Guide Values for Latency Resource Record Sets • You aren't required to create latency resource record sets for all Amazon EC2 regions. Amazon Route 53 chooses the region with the best latency from among the regions for which you create latency resource record sets. • You can't create non-latency resource record sets that have the same values for Name and Type as latency resource record sets. • If you create a record tagged with the region cn-north-1, Amazon Route 53 always responds to queries from within China using this resource record set, regardless of the latency. For more information about using latency resource record sets, see Latency-Based Routing (p. 180). Set ID Enter a value that uniquely identifies this resource record set in the group of latency resource record sets. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. API Version 2013-04-01 204 Amazon Route 53 Developer Guide Values for Latency Resource Record Sets For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 205 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets Values for Latency Alias Resource Record Sets When you create latency alias resource record sets, you specify the following values: Note Creating latency alias resource record sets in private hosted zones is not supported. Topics • Name (p. 206) • Type (p. 207) • Alias (p. 207) • Alias Target (p. 207) • Alias Hosted Zone ID (p. 209) • Routing Policy (p. 209) • Region (p. 209) • Set ID (p. 210) • Evaluate Target Health (p. 210) • Associate with Health Check/Health Check to Associate (p. 210) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of latency resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). The value that you specify depends in part on the AWS resource for which you're creating an alias resource record set: CloudFront Distributions Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Amazon S3 Buckets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. In addition, you must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. API Version 2013-04-01 206 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the applicable value based on the AWS resource for which you're creating a resource record set: CloudFront distribution Select A — IPv4 address Elastic Beanstalk environment that has regionalized subdomains Select A — IPv4 address ELB load balancer Select A — IPv4 address or AAAA — IPv6 address Amazon S3 bucket Select A — IPv4 address Another resource record set in this hosted zone Select the type of the resource record set for which you're creating the alias. Select any value except NS or SOA. Select the same value for all of the resource record sets in the group of latency resource record sets. Alias Select Yes. Alias Target The value that you specify depends on the AWS resource for which you're creating an alias resource record set. CloudFront Distributions Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For CloudFront distributions, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your CloudFront distribution – Choose Alias Target and choose a distribution from the list. If you have a lot of distributions, you can type the first few characters of the domain name for your distribution to filter the list. If your distribution doesn't appear in the list, note the following: • The name of this resource record set must match an alternate domain name in your distribution. • If you just added an alternate domain name to your distribution, it may take 15 minutes for your changes to propagate to all CloudFront edge locations. Until changes have propagated, Amazon Route 53 can't know about the new alternate domain name. • If you used different accounts to create your Amazon Route 53 hosted zone and your distribution – Enter the CloudFront domain name for the distribution, such as d111111abcdef8.cloudfront.net. If you used one AWS account to create the current hosted zone and a different account to create a distribution, the distribution will not appear in the Alias Targets list. API Version 2013-04-01 207 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your distributions, the Alias Targets list shows No Targets Available under CloudFront Distributions. Important Do not route queries to a CloudFront distribution that has not propagated to all edge locations, or your users won't be able to access the applicable content. Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Elastic Beanstalk environments that have regionalized subdomains For Elastic Beanstalk environments that have regionalized subdomains, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Choose Alias Target, and then choose an environment from the list. If you have a lot of environments, you can type the first few characters of the CNAME attribute for the environment to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Enter the CNAME attribute for the Elastic Beanstalk environment. ELB Load Balancers For ELB load balancers, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer (p. 185). If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers. In either case, the console prepends dualstack. to the DNS name. Amazon S3 Buckets For Amazon S3 buckets that are configured as website endpoints, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Choose Alias Target and choose a bucket from the list. If you have a lot of buckets, you can type the first few characters of the DNS name to filter the list. The value of Alias Target changes to the Amazon S3 website endpoint for your bucket. • If you used different accounts to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Enter the domain name of the Amazon S3 website endpoint in the following format: s3-website-region.amazonaws.com The region value represents the Amazon S3 region in which the bucket is hosted; for example, us-east-1. If you used one AWS account to create the current hosted zone and a different account to create an Amazon S3 bucket, the bucket will not appear in the Alias Targets list. API Version 2013-04-01 208 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your Amazon S3 buckets, the Alias Targets list shows No Targets Available under S3 Website Endpoints. In a group of weighted alias, latency alias, failover alias, or geolocation alias resource record sets, you can create only one resource record set that routes queries to an Amazon S3 bucket because the name of the resource record set must match the name of the bucket and bucket names must be globally unique. The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. You must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Resource Record Sets in this Hosted Zone For resource record sets in this hosted zone, choose Alias Target and choose the applicable resource record set. If you have a lot of resource record sets, you can type the first few characters of the name to filter the list. If the hosted zone contains only the default NS and SOA resource record sets, the Alias Targets list shows No Targets Available. Alias Hosted Zone ID This value appears automatically based on the value that you selected or entered for Alias Target. Routing Policy Select Latency. Note Creating latency alias resource record sets in a private hosted zone is unsupported. Region The Amazon EC2 region where the resource that you specified in this resource record set resides. Amazon Route 53 recommends an Amazon EC2 region based on other values that you've specified.We recommend that you not change this value. Note the following: • You can only create one latency resource record set for each Amazon EC2 region. • You aren't required to create latency resource record sets for all Amazon EC2 regions. Amazon Route 53 chooses the region with the best latency from among the regions for which you create latency resource record sets. • You can't create non-latency resource record sets that have the same values for Name and Type as latency resource record sets. • If you create a record tagged with the region cn-north-1, Amazon Route 53 always responds to queries from within China using this resource record set, regardless of the latency. For more information about using latency resource record sets, see Latency-Based Routing (p. 180). API Version 2013-04-01 209 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets Set ID Enter a value that uniquely identifies this resource record set in the group of latency resource record sets. Evaluate Target Health Select Yes if you want Amazon Route 53 to determine whether to respond to DNS queries using this resource record set by checking the health of the resource record set specified by Alias Target. Some AWS resources have special requirements: • CloudFront distributions – You cannot set Evaluate Target Health to Yes when the alias target is a CloudFront distribution. • Elastic Beanstalk environments that have regionalized endpoints – If you specify an Elastic Beanstalk environment in Alias Target and the environment contains an ELB load balancer, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. (An environment automatically contains an ELB load balancer if it includes more than one Amazon EC2 instance.) If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other available resources that are healthy, if any. If the environment contains a single Amazon EC2 instance, there are no special requirements. • ELB load balancers – If you specify an ELB load balancer in Alias Target, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other resources. When you create a load balancer, you configure settings for Elastic Load Balancing health checks; they're not Amazon Route 53 health checks, but they perform a similar function. Do not create Amazon Route 53 health checks for the Amazon EC2 instances that you register with an ELB load balancer. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). • Other resource record sets – If the AWS resource that you specify in Alias Target is a resource record set or a group of resource record sets (for example, a group of weighted resource record sets) but is not another alias resource record set, we recommend that you associate a health check with all of the resource record sets in the alias target. For more information, see What Happens When You Omit Health Checks? (p. 267). We recommend that you set Evaluate Target Health to Yes only when you have enough idle capacity to handle the failure of one or more endpoints. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 API Version 2013-04-01 210 Amazon Route 53 Developer Guide Values for Latency Alias Resource Record Sets to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 211 Amazon Route 53 Developer Guide Values for Failover Resource Record Sets Values for Failover Resource Record Sets When you create failover resource record sets, you specify the following values: Note For information about creating failover resource record sets in a private hosted zone, see Configuring Failover in a Private Hosted Zone in the Amazon Route 53 Developer Guide. Topics • Name (p. 212) • Type (p. 212) • Alias (p. 212) • TTL (Time to Live) (p. 212) • Value (p. 213) • • • • Routing Policy (p. 213) Failover Record Type (p. 213) Set ID (p. 213) Associate with Health Check/Health Check to Associate (p. 214) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for both of the resource record sets in the group of failover resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select any value except NS or SOA. Select the same value for both the primary and secondary failover resource record sets. Alias Select No. TTL (Time to Live) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record set (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. API Version 2013-04-01 212 Amazon Route 53 Developer Guide Values for Failover Resource Record Sets If you're associating this resource record set with a health check, we recommend that you specify a TTL of 60 seconds or less so clients respond quickly to changes in health status. You must specify the same value for TTL for the primary and secondary resource record sets. Value Enter a value that is appropriate for the value of Type. For all types except CNAME, you can enter more than one value. Enter each value on a separate line. A — IPv4 address An IP address in IPv4 format, for example, 192.0.2.235. AAAA — IPv6 address An IP address in IPv6 format, for example, 2001:0db8:85a3:0:0:8a2e:0370:7334. CNAME — Canonical name The fully qualified domain name (for example, www.example.com) that you want Amazon Route 53 to return in response to DNS queries for this resource record set. A trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. MX — Mail exchange A priority and a domain name that specifies a mail server, for example, 10 mailserver.example.com. PTR — Pointer The domain name that you want Amazon Route 53 to return. SPF — Sender Policy Framework An SPF record enclosed in quotation marks, for example, "v=spf1 ip4:192.168.0.1/16-all". SPF records are not recommended. For more information, see Supported DNS Resource Record Types (p. 4). SRV — Service locator An SRV record. For information about SRV record format, refer to the applicable documentation. The format of an SRV record is: [priority] [weight] [port] [server host name] For example: 1 10 5269 xmpp-server.example.com. TXT — Text A text record. Enclose text in quotation marks, for example, "Sample Text Entry". Routing Policy Select Failover. Failover Record Type Choose the applicable value for this resource record set. For failover to function correctly, you must create one primary and one secondary failover resource record set. You can't create non-failover resource record sets that have the same values for Name and Type as failover resource record sets. Set ID Enter a value that uniquely identifies the primary and secondary resource record sets. API Version 2013-04-01 213 Amazon Route 53 Developer Guide Values for Failover Resource Record Sets Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 214 Amazon Route 53 Developer Guide Values for Failover Alias Resource Record Sets Values for Failover Alias Resource Record Sets When you create failover alias resource record sets, you specify the following values: Note For information about creating failover resource record sets in a private hosted zone, see Configuring Failover in a Private Hosted Zone in the Amazon Route 53 Developer Guide. Topics • Name (p. 215) • Type (p. 215) • Alias (p. 216) • Alias Target (p. 216) • Alias Hosted Zone ID (p. 218) • • • • Routing Policy (p. 218) Failover Record Type (p. 218) Set ID (p. 218) Associate with Health Check/Health Check to Associate (p. 218) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for both of the resource record sets in the group of failover resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). The value that you specify depends in part on the AWS resource for which you're creating an alias resource record set: CloudFront Distributions Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Amazon S3 Buckets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. In addition, you must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). API Version 2013-04-01 215 Amazon Route 53 Developer Guide Values for Failover Alias Resource Record Sets Select the applicable value based on the AWS resource for which you're creating a resource record set: CloudFront distribution Select A — IPv4 address Elastic Beanstalk environment that has regionalized subdomains Select A — IPv4 address ELB load balancer Select A — IPv4 address or AAAA — IPv6 address Amazon S3 bucket Select A — IPv4 address Another resource record set in this hosted zone Select the type of the resource record set for which you're creating the alias. Select any value except NS or SOA. Select any value except NS or SOA. Select the same value for both the primary and secondary failover resource record sets. Alias Select Yes. Note When you create primary and secondary failover resource record sets, you can optionally create one failover and one failover alias resource record set that have the same values for Name and Type. If you mix failover and failover alias resource record sets, either one can be the primary resource record set. Alias Target The value that you specify depends on the AWS resource for which you're creating an alias resource record set. CloudFront Distributions Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For CloudFront distributions, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your CloudFront distribution – Choose Alias Target and choose a distribution from the list. If you have a lot of distributions, you can type the first few characters of the domain name for your distribution to filter the list. If your distribution doesn't appear in the list, note the following: • The name of this resource record set must match an alternate domain name in your distribution. • If you just added an alternate domain name to your distribution, it may take 15 minutes for your changes to propagate to all CloudFront edge locations. Until changes have propagated, Amazon Route 53 can't know about the new alternate domain name. • If you used different accounts to create your Amazon Route 53 hosted zone and your distribution – Enter the CloudFront domain name for the distribution, such as d111111abcdef8.cloudfront.net. If you used one AWS account to create the current hosted zone and a different account to create a distribution, the distribution will not appear in the Alias Targets list. API Version 2013-04-01 216 Amazon Route 53 Developer Guide Values for Failover Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your distributions, the Alias Targets list shows No Targets Available under CloudFront Distributions. Important Do not route queries to a CloudFront distribution that has not propagated to all edge locations, or your users won't be able to access the applicable content. Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Elastic Beanstalk environments that have regionalized subdomains For Elastic Beanstalk environments that have regionalized subdomains, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Choose Alias Target, and then choose an environment from the list. If you have a lot of environments, you can type the first few characters of the CNAME attribute for the environment to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Enter the CNAME attribute for the Elastic Beanstalk environment. ELB Load Balancers For ELB load balancers, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer (p. 185). If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers. In either case, the console prepends dualstack. to the DNS name. Amazon S3 Buckets For Amazon S3 buckets that are configured as website endpoints, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Choose Alias Target and choose a bucket from the list. If you have a lot of buckets, you can type the first few characters of the DNS name to filter the list. The value of Alias Target changes to the Amazon S3 website endpoint for your bucket. • If you used different accounts to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Enter the domain name of the Amazon S3 website endpoint in the following format: s3-website-region.amazonaws.com The region value represents the Amazon S3 region in which the bucket is hosted; for example, us-east-1. If you used one AWS account to create the current hosted zone and a different account to create an Amazon S3 bucket, the bucket will not appear in the Alias Targets list. API Version 2013-04-01 217 Amazon Route 53 Developer Guide Values for Failover Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your Amazon S3 buckets, the Alias Targets list shows No Targets Available under S3 Website Endpoints. In a group of weighted alias, latency alias, failover alias, or geolocation alias resource record sets, you can create only one resource record set that routes queries to an Amazon S3 bucket because the name of the resource record set must match the name of the bucket and bucket names must be globally unique. The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. You must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Resource Record Sets in this Hosted Zone For resource record sets in this hosted zone, choose Alias Target and choose the applicable resource record set. If you have a lot of resource record sets, you can type the first few characters of the name to filter the list. If the hosted zone contains only the default NS and SOA resource record sets, the Alias Targets list shows No Targets Available. Alias Hosted Zone ID This value appears automatically based on the value that you selected or entered for Alias Target. Routing Policy Select Failover. Failover Record Type Choose the applicable value for this resource record set. For failover to function correctly, you must create one primary and one secondary failover resource record set. You can't create non-failover resource record sets that have the same values for Name and Type as failover resource record sets. Set ID Enter a value that uniquely identifies the primary and secondary resource record sets. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). API Version 2013-04-01 218 Amazon Route 53 Developer Guide Values for Failover Alias Resource Record Sets Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 219 Amazon Route 53 Developer Guide Values for Geolocation Resource Record Sets Values for Geolocation Resource Record Sets When you create geolocation resource record sets, you specify the following values: Note Creating geolocation resource record sets in private hosted zones is not supported. Topics • Name (p. 220) • Type (p. 220) • Alias (p. 220) • TTL (Time to Live) (p. 220) • Value (p. 221) • Routing Policy (p. 221) • Location (p. 221) • Sublocation (p. 222) • Set ID (p. 223) • Associate with Health Check/Health Check to Associate (p. 223) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of geolocation resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the same value for all of the resource record sets in the group of geolocation resource record sets. Alias Select No. TTL (Time to Live) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record set (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. API Version 2013-04-01 220 Amazon Route 53 Developer Guide Values for Geolocation Resource Record Sets If you're associating this resource record set with a health check, we recommend that you specify a TTL of 60 seconds or less so clients respond quickly to changes in health status. You must specify the same value for TTL for all of the resource record sets in this group of geolocation resource record sets. Value Enter a value that is appropriate for the value of Type. For all types except CNAME, you can enter more than one value. Enter each value on a separate line. A — IPv4 address An IP address in IPv4 format, for example, 192.0.2.235. AAAA — IPv6 address An IP address in IPv6 format, for example, 2001:0db8:85a3:0:0:8a2e:0370:7334. CNAME — Canonical name The fully qualified domain name (for example, www.example.com) that you want Amazon Route 53 to return in response to DNS queries for this resource record set. A trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Amazon Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical. MX — Mail exchange A priority and a domain name that specifies a mail server, for example, 10 mailserver.example.com. PTR — Pointer The domain name that you want Amazon Route 53 to return. SPF — Sender Policy Framework An SPF record enclosed in quotation marks, for example, "v=spf1 ip4:192.168.0.1/16-all". SPF records are not recommended. For more information, see Supported DNS Resource Record Types (p. 4). SRV — Service locator An SRV record. For information about SRV record format, refer to the applicable documentation. The format of an SRV record is: [priority] [weight] [port] [server host name] For example: 1 10 5269 xmpp-server.example.com. TXT — Text A text record. Enclose text in quotation marks, for example, "Sample Text Entry". Routing Policy Select Geolocation. Location When you configure Amazon Route 53 to respond to DNS queries based on the location from which the queries originated, select the continent or country for which you want Amazon Route 53 to respond with the settings in this resource record set. If you want Amazon Route 53 to respond to DNS queries for individual states in the United States, select United States from the Location list, and then select the state from the Sublocation list. API Version 2013-04-01 221 Amazon Route 53 Developer Guide Values for Geolocation Resource Record Sets Important We recommend that you create one geolocation resource record set for which the value of Location is Default to cover geographic locations for which you haven't created resource record sets and to cover IP addresses for which Amazon Route 53 can't identify a location. You can't create non-geolocation resource record sets that have the same values for Name and Type as geolocation resource record sets. For more information, see Geolocation Routing (p. 181). Here are the countries that Amazon Route 53 associates with each continent. The country codes are from ISO 3166. For more information, see the Wikipedia article ISO 3166-1 alpha-2: Africa (AF) AO, BF, BI, BJ, BW, CD, CF, CG, CI, CM, CV, DJ, DZ, EG, ER, ET, GA, GH, GM, GN, GQ, GW, KE, KM, LR, LS, LY, MA, MG, ML, MR, MU, MW, MZ, NA, NE, NG, RE, RW, SC, SD, SH, SL, SN, SO, SS, ST, SZ, TD, TG, TN, TZ, UG, YT, ZA, ZM, ZW Antarctica (AN) AQ, GS, TF Asia (AS) AE, AF, AM, AZ, BD, BH, BN, BT, CC, CN, GE, HK, ID, IL, IN, IO, IQ, IR, JO, JP, KG, KH, KP, KR, KW, KZ, LA, LB, LK, MM, MN, MO, MV, MY, NP, OM, PH, PK, PS, QA, SA, SG, SY, TH, TJ, TM, TR, TW, UZ, VN, YE Europe (EU) AD, AL, AT, AX, BA, BE, BG, BY, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GG, GI, GR, HR, HU, IE, IM, IS, IT, JE, LI, LT, LU, LV, MC, MD, ME, MK, MT, NL, NO, PL, PT, RO, RS, RU, SE, SI, SJ, SK, SM, UA, VA, XK North America (NA) AG, AI, AW, BB, BL, BM, BQ, BS, BZ, CA, CR, CU, CW, DM, DO, GD, GL, GP, GT, HN, HT, JM, KN, KY, LC, MF, MQ, MS, MX, NI, PA, PM, PR, SV, SX, TC, TT, US, VC, VG, VI Oceania (OC) AS, AU, CK, FJ, FM, GU, KI, MH, MP, NC, NF, NR, NU, NZ, PF, PG, PN, PW, SB, TK, TL, TO, TV, UM, VU, WF, WS South America (SA) AR, BO, BR, CL, CO, EC, FK, GF, GY, PE, PY, SR, UY, VE Note Amazon Route 53 doesn't support creating geolocation resource record sets for the following countries: Bouvet Island (BV), Christmas Island (CX), Western Sahara (EH), and Heard Island and McDonald Islands (HM). No data is available about IP addresses for these countries. Sublocation When you configure Amazon Route 53 to respond to DNS queries based on the state of the United States from which the queries originated, select the state from the Sublocations list. United States territories (for example, Puerto Rico) are listed as countries in the Location list. Important Some IP addresses are associated with the United States, but not with an individual state. If you create resource record sets for all of the states in the United States, we recommend that you also create a resource record set for the United States to route queries for these unassociated IP addresses. If you don't create a resource record set for the United States, Amazon Route 53 responds to DNS queries from unassociated United States IP addresses with settings from the default geolocation resource record set (if you created one) or with a "no answer" response. API Version 2013-04-01 222 Amazon Route 53 Developer Guide Values for Geolocation Resource Record Sets Set ID Enter a value that uniquely identifies this resource record set in the group of geolocation resource record sets. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). API Version 2013-04-01 223 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets Values for Geolocation Alias Resource Record Sets When you create geolocation alias resource record sets, you specify the following values: Note Creating geolocation alias resource record sets in private hosted zones is not supported. Topics • Name (p. 224) • Type (p. 225) • Alias (p. 225) • Alias Target (p. 225) • Alias Hosted Zone ID (p. 227) • • • • • • Routing Policy (p. 227) Location (p. 227) Sublocation (p. 228) Set ID (p. 228) Evaluate Target Health (p. 228) Associate with Health Check/Health Check to Associate (p. 229) Name Enter the name of the domain or subdomain for which you're creating the resource record set. The default value is the name of the hosted zone. If you're creating a resource record set that has the same name as the hosted zone, don't enter a value (for example, an @ symbol) in the Name field. For information about how to specify characters other than a-z, 0-9, and - (hyphen) and how to specify internationalized domain names, see DNS Domain Name Format (p. 2). Enter the same name for all of the resource record sets in the group of geolocation resource record sets. You can use an asterisk (*) character in the name. DNS treats the * character either as a wildcard or as the * character (ASCII 42), depending on where it appears in the name. For more information, see Using an Asterisk (*) in the Names of Hosted Zones and Resource Record Sets (p. 3). The value that you specify depends in part on the AWS resource for which you're creating an alias resource record set: CloudFront Distributions Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Amazon S3 Buckets The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. In addition, you must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. API Version 2013-04-01 224 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets Type The DNS record type. For more information, see Supported DNS Resource Record Types (p. 4). Select the applicable value based on the AWS resource for which you're creating a resource record set: CloudFront distribution Select A — IPv4 address Elastic Beanstalk environment that has regionalized subdomains Select A — IPv4 address ELB load balancer Select A — IPv4 address or AAAA — IPv6 address Amazon S3 bucket Select A — IPv4 address Another resource record set in this hosted zone Select the type of the resource record set for which you're creating the alias. Select any value except NS or SOA. Select the same value for all of the resource record sets in the group of geolocation resource record sets. Alias Select Yes. Alias Target The value that you specify depends on the AWS resource for which you're creating an alias resource record set. CloudFront Distributions Note You can't create alias resource record sets for CloudFront distributions in a private hosted zone. For CloudFront distributions, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your CloudFront distribution – Choose Alias Target and choose a distribution from the list. If you have a lot of distributions, you can type the first few characters of the domain name for your distribution to filter the list. If your distribution doesn't appear in the list, note the following: • The name of this resource record set must match an alternate domain name in your distribution. • If you just added an alternate domain name to your distribution, it may take 15 minutes for your changes to propagate to all CloudFront edge locations. Until changes have propagated, Amazon Route 53 can't know about the new alternate domain name. • If you used different accounts to create your Amazon Route 53 hosted zone and your distribution – Enter the CloudFront domain name for the distribution, such as d111111abcdef8.cloudfront.net. If you used one AWS account to create the current hosted zone and a different account to create a distribution, the distribution will not appear in the Alias Targets list. API Version 2013-04-01 225 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your distributions, the Alias Targets list shows No Targets Available under CloudFront Distributions. Important Do not route queries to a CloudFront distribution that has not propagated to all edge locations, or your users won't be able to access the applicable content. Your CloudFront distribution must include an alternate domain name that matches the name of the resource record set. For example, if the name of the resource record set is acme.example.com, your CloudFront distribution must include acme.example.com as one of the alternate domain names. For more information, see Using Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide. Elastic Beanstalk environments that have regionalized subdomains For Elastic Beanstalk environments that have regionalized subdomains, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Choose Alias Target, and then choose an environment from the list. If you have a lot of environments, you can type the first few characters of the CNAME attribute for the environment to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your Elastic Beanstalk environment – Enter the CNAME attribute for the Elastic Beanstalk environment. ELB Load Balancers For ELB load balancers, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your load balancer – Choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list. • If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer – Enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer (p. 185). If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list. If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers. In either case, the console prepends dualstack. to the DNS name. Amazon S3 Buckets For Amazon S3 buckets that are configured as website endpoints, do one of the following: • If you used the same account to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Choose Alias Target and choose a bucket from the list. If you have a lot of buckets, you can type the first few characters of the DNS name to filter the list. The value of Alias Target changes to the Amazon S3 website endpoint for your bucket. • If you used different accounts to create your Amazon Route 53 hosted zone and your Amazon S3 bucket – Enter the domain name of the Amazon S3 website endpoint in the following format: s3-website-region.amazonaws.com The region value represents the Amazon S3 region in which the bucket is hosted; for example, us-east-1. If you used one AWS account to create the current hosted zone and a different account to create an Amazon S3 bucket, the bucket will not appear in the Alias Targets list. API Version 2013-04-01 226 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets If you used one account to create the current hosted zone and one or more different accounts to create all of your Amazon S3 buckets, the Alias Targets list shows No Targets Available under S3 Website Endpoints. In a group of weighted alias, latency alias, failover alias, or geolocation alias resource record sets, you can create only one resource record set that routes queries to an Amazon S3 bucket because the name of the resource record set must match the name of the bucket and bucket names must be globally unique. The name of the resource record set must match the name of your Amazon S3 bucket. For example, if the name of your Amazon S3 bucket is acme.example.com, the name of this resource record set must also be acme.example.com. You must configure the bucket for website hosting. For more information, see Configure a Bucket for Website Hosting in the Amazon Simple Storage Service Developer Guide. Resource Record Sets in this Hosted Zone For resource record sets in this hosted zone, choose Alias Target and choose the applicable resource record set. If you have a lot of resource record sets, you can type the first few characters of the name to filter the list. If the hosted zone contains only the default NS and SOA resource record sets, the Alias Targets list shows No Targets Available. Alias Hosted Zone ID This value appears automatically based on the value that you selected or entered for Alias Target. Routing Policy Select Geolocation. Note Creating geolocation alias resource record sets in a private hosted zone is unsupported. Location When you configure Amazon Route 53 to respond to DNS queries based on the location from which the queries originated, select the continent or country for which you want Amazon Route 53 to respond with the settings in this resource record set. If you want Amazon Route 53 to respond to DNS queries for individual states in the United States, select United States from the Location list, and then select the state from the Sublocation list. Important We recommend that you create one geolocation resource record set for which the value of Location is Default to cover geographic locations for which you haven't created resource record sets and to cover IP addresses for which Amazon Route 53 can't identify a location. You can't create non-geolocation resource record sets that have the same values for Name and Type as geolocation resource record sets. For more information, see Geolocation Routing (p. 181). Here are the countries that Amazon Route 53 associates with each continent. The country codes are from ISO 3166. For more information, see the Wikipedia article ISO 3166-1 alpha-2: API Version 2013-04-01 227 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets Africa (AF) AO, BF, BI, BJ, BW, CD, CF, CG, CI, CM, CV, DJ, DZ, EG, ER, ET, GA, GH, GM, GN, GQ, GW, KE, KM, LR, LS, LY, MA, MG, ML, MR, MU, MW, MZ, NA, NE, NG, RE, RW, SC, SD, SH, SL, SN, SO, SS, ST, SZ, TD, TG, TN, TZ, UG, YT, ZA, ZM, ZW Antarctica (AN) AQ, GS, TF Asia (AS) AE, AF, AM, AZ, BD, BH, BN, BT, CC, CN, GE, HK, ID, IL, IN, IO, IQ, IR, JO, JP, KG, KH, KP, KR, KW, KZ, LA, LB, LK, MM, MN, MO, MV, MY, NP, OM, PH, PK, PS, QA, SA, SG, SY, TH, TJ, TM, TR, TW, UZ, VN, YE Europe (EU) AD, AL, AT, AX, BA, BE, BG, BY, CH, CY, CZ, DE, DK, EE, ES, FI, FO, FR, GB, GG, GI, GR, HR, HU, IE, IM, IS, IT, JE, LI, LT, LU, LV, MC, MD, ME, MK, MT, NL, NO, PL, PT, RO, RS, RU, SE, SI, SJ, SK, SM, UA, VA, XK North America (NA) AG, AI, AW, BB, BL, BM, BQ, BS, BZ, CA, CR, CU, CW, DM, DO, GD, GL, GP, GT, HN, HT, JM, KN, KY, LC, MF, MQ, MS, MX, NI, PA, PM, PR, SV, SX, TC, TT, US, VC, VG, VI Oceania (OC) AS, AU, CK, FJ, FM, GU, KI, MH, MP, NC, NF, NR, NU, NZ, PF, PG, PN, PW, SB, TK, TL, TO, TV, UM, VU, WF, WS South America (SA) AR, BO, BR, CL, CO, EC, FK, GF, GY, PE, PY, SR, UY, VE Note Amazon Route 53 doesn't support creating geolocation resource record sets for the following countries: Bouvet Island (BV), Christmas Island (CX), Western Sahara (EH), and Heard Island and McDonald Islands (HM). No data is available about IP addresses for these countries. Sublocation When you configure Amazon Route 53 to respond to DNS queries based on the state of the United States from which the queries originated, select the state from the Sublocations list. United States territories (for example, Puerto Rico) are listed as countries in the Location list. Important Some IP addresses are associated with the United States, but not with an individual state. If you create resource record sets for all of the states in the United States, we recommend that you also create a resource record set for the United States to route queries for these unassociated IP addresses. If you don't create a resource record set for the United States, Amazon Route 53 responds to DNS queries from unassociated United States IP addresses with settings from the default geolocation resource record set (if you created one) or with a "no answer" response. Set ID Enter a value that uniquely identifies this resource record set in the group of geolocation resource record sets. Evaluate Target Health Select Yes if you want Amazon Route 53 to determine whether to respond to DNS queries using this resource record set by checking the health of the resource record set specified by Alias Target. Some AWS resources have special requirements: API Version 2013-04-01 228 Amazon Route 53 Developer Guide Values for Geolocation Alias Resource Record Sets • CloudFront distributions – You cannot set Evaluate Target Health to Yes when the alias target is a CloudFront distribution. • Elastic Beanstalk environments that have regionalized endpoints – If you specify an Elastic Beanstalk environment in Alias Target and the environment contains an ELB load balancer, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. (An environment automatically contains an ELB load balancer if it includes more than one Amazon EC2 instance.) If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other available resources that are healthy, if any. If the environment contains a single Amazon EC2 instance, there are no special requirements. • ELB load balancers – If you specify an ELB load balancer in Alias Target, Elastic Load Balancing routes queries only to the healthy Amazon EC2 instances that are registered with the load balancer. If you set Evaluate Target Health to Yes and either no Amazon EC2 instances are healthy or the load balancer itself is unhealthy, Amazon Route 53 routes queries to other resources. When you create a load balancer, you configure settings for Elastic Load Balancing health checks; they're not Amazon Route 53 health checks, but they perform a similar function. Do not create Amazon Route 53 health checks for the Amazon EC2 instances that you register with an ELB load balancer. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). • Other resource record sets – If the AWS resource that you specify in Alias Target is a resource record set or a group of resource record sets (for example, a group of weighted resource record sets) but is not another alias resource record set, we recommend that you associate a health check with all of the resource record sets in the alias target. For more information, see What Happens When You Omit Health Checks? (p. 267). We recommend that you set Evaluate Target Health to Yes only when you have enough idle capacity to handle the failure of one or more endpoints. Associate with Health Check/Health Check to Associate Select Yes if you want Amazon Route 53 to check the health of a specified endpoint and to respond to DNS queries using this resource record set only when the endpoint is healthy. Then select the health check that you want Amazon Route 53 to perform for this resource record set. Amazon Route 53 doesn't check the health of the endpoint specified in the resource record set, for example, the endpoint specified by the IP address in the Value field. When you select a health check for a resource record set, Amazon Route 53 checks the health of the endpoint that you specified in the health check. For information about how Amazon Route 53 determines whether an endpoint is healthy, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Associating a health check with a resource record set is useful only when Amazon Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Amazon Route 53 to base the choice in part on the status of a health check. Use health checks only in the following configurations: • You're checking the health of the resource record sets in a weighted, latency, geolocation, or failover resource record set, and you specify health check IDs for all of the resource record sets. If the health check for a resource record set specifies an endpoint that is not healthy, Amazon Route 53 stops responding to queries using the value for that resource record set. • You select Yes for Evaluate Target Health for the resource record sets in an alias, weighted alias, latency alias, geolocation alias, or failover alias resource record set, and you specify health checks for all of the resource record sets that are referenced by the alias resource record sets. API Version 2013-04-01 229 Amazon Route 53 Developer Guide Creating Resource Record Sets By Importing a Zone File For geolocation resource record sets, if an endpoint is unhealthy, Amazon Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the United States, for North America, and for all locations (Location is Default). If the endpoint for the state resource record set is unhealthy, Amazon Route 53 checks the resource record sets for the United States, for North America, and for all locations, in that order, until it finds a resource record set for which the endpoint is healthy. If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server that is serving content for www.example.com. For the value of Domain Name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (example.com). Important In this configuration, if you create a health check for which the value of Domain Name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. For more information about checking the health of endpoints, see Amazon Route 53 Health Checks and DNS Failover (p. 245). Creating Resource Record Sets By Importing a Zone File If you're migrating from another DNS service provider, and if your current DNS service provider lets you export your current DNS settings to a zone file, you can quickly create all of the resource record sets for an Amazon Route 53 hosted zone by importing a zone file. Note A zone file uses a standard format known as BIND to represent resource record sets in a text format. For information about the format of a zone file, see the Wikipedia entry Zone file. Additional information is available in RFC 1034, Domain Names—Concepts and Facilities section 3.6.1, and RFC 1035, Domain Names—Implementation and Specification section 5. If you want to create resource record sets by importing a zone file, note the following: • The zone file must be in RFC-compliant format. • The hosted zone must be empty except for the default NS and SOA records. • The domain name of the resource record sets in the zone file must match the name of the hosted zone. • Amazon Route 53 supports the $ORIGIN and $TTL keywords. If the zone file includes $GENERATE or $INCLUDE keywords, the import fails and Amazon Route 53 returns an error. • When you import the zone file, Amazon Route 53 ignores the SOA record in the zone file. Amazon Route 53 also ignores any NS records that have the same name as the hosted zone. • You can import a maximum of 1000 resource record sets. If you need to import more than 1000 records, you may be able to use the BIND to Amazon Route 53 Conversion Tool. • When the name of a resource record set in the zone file includes a trailing dot (example.com.), the import process interprets the name as a fully qualified domain name and creates an Amazon Route 53 resource record set with that name. When the name of a resource record set in the zone file does not include a trailing dot (www), the import process concatenates that name with the domain name in the zone file (example.com) and creates an Amazon Route 53 resource record set with the concatenated name (www.example.com). If you use the GoDaddy export process to create a zone file, you might need to edit the zone file to add a trailing dot to MX resource record sets before you import the zone file into your hosted zone. The export process currently doesn't add a trailing dot to the fully qualified domain names of MX resource API Version 2013-04-01 230 Amazon Route 53 Developer Guide Creating Resource Record Sets By Importing a Zone File record sets, so the Amazon Route 53 import process adds the domain name to the name of the resource record set. For example, suppose you're importing resource record sets into the hosted zone example.com and the name of an MX record in the zone file is mail.example.com, with no trailing dot. The Amazon Route 53 import process creates an MX resource record set named mail.example.com.example.com. Important For CNAME, MX, PTR, and SRV resource record sets, this behavior also applies to the domain name that is included in the RDATA value. For example, suppose you have a zone file for example.com. If a CNAME resource record set in the zone file (support, without a trailing dot) has an RDATA value of www.example.com (also without a trailing dot), the import process creates an Amazon Route 53 resource record set with the name support.example.com that routes traffic to www.example.com.example.com. Before you import your zone file, review RDATA values and update as applicable. Amazon Route 53 doesn't support exporting resource record sets to a zone file. To create resource record sets by importing a zone file 1. 2. 3. Get a zone file from the DNS service provider that is currently servicing the domain. The process and terminology vary from one service provider to another. Refer to your provider's interface and documentation for information about exporting or saving your records in a zone file or a BIND file. If the process isn't obvious, try asking your current DNS provider's customer support for your records list or zone file information. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. On the Hosted Zones page, create a new hosted zone: a. b. c. 4. 5. 6. 7. Click Create Hosted Zone. Enter the name of your domain and, optionally, a comment. Note that the comment can't be edited later. Click Create. On the Hosted Zones page, double-click the name of your new hosted zone. Click Import Zone File. In the Import Zone File pane, paste the contents of your zone file into the Zone File text box. Click Import. Note Depending on the number of resource record sets in your zone file, you may have to wait a few minutes for the resource record sets to be created. 8. If you're using another DNS service for the domain (which is common if you registered the domain with another registrar), migrate DNS service to Amazon Route 53. When that step is complete, your registrar will start to identify Amazon Route 53 as your DNS service in response to DNS queries for your domain, and the queries will start being sent to Amazon Route 53 DNS servers. (Typically, there's a day or two of delay before DNS queries start being routed to Amazon Route 53 because information about your previous DNS service is cached on DNS resolvers for that long.) For more information, see Migrating DNS Service for an Existing Domain to Amazon Route 53 (p. 141). API Version 2013-04-01 231 Amazon Route 53 Developer Guide Editing Resource Record Sets Editing Resource Record Sets The following procedure explains how to edit resource record sets using the Amazon Route 53 console. For information about how to edit resource record sets using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Note Your changes to resource record sets take time to propagate to the Amazon Route 53 DNS servers. Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. To edit resource record sets using the Amazon Route 53 console 1. If you're not editing alias resource record sets, skip to step 2. If you're editing alias resource record sets that route traffic to ELB load balancers, and if you created your Amazon Route 53 hosted zone and your load balancer using different accounts, perform the procedure Getting the DNS Name for an ELB Load Balancer (p. 185) to get the DNS name for the load balancer. 2. 3. 4. 5. 6. 7. If you're editing alias resource record sets for any other AWS resource, skip to step 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. On the Hosted Zones page, double-click the row for the hosted zone in which you want to edit resource record sets. Double-click the row for the resource record set that you want to edit. Enter the applicable values. For more information, see Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets (p. 186). Click Save Record Set. If you're editing multiple resource record sets, repeat steps 4 through 6. Deleting Resource Record Sets The following procedure explains how to delete resource record sets using the Amazon Route 53 console. For information about how to delete resource record sets using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Note Your changes to resource record sets take time to propagate to the Amazon Route 53 DNS servers. Currently, the only way to verify that changes have propagated is to use the GetChange API action. Changes generally propagate to all Amazon Route 53 name servers in a couple of minutes. In rare circumstances, propagation can take up to 30 minutes. To delete resource record sets 1. 2. 3. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. On the Hosted Zones page, double-click the row for the hosted zone that contains resource record sets that you want to delete. In the list of resource record sets, select the resource record set that you want to delete. API Version 2013-04-01 232 Amazon Route 53 Developer Guide Listing Resource Record Sets To select multiple, consecutive resource record sets, click the first row, hold the Shift key, and click the last row. To select multiple, nonconsecutive resource record sets, click the first row, hold the Ctrl key, and click additional rows. You cannot delete the resource record sets that have a value of NS or SOA for Type. 4. 5. Click Delete Record Set. Click OK to confirm. Listing Resource Record Sets The following procedure explains how to use the Amazon Route 53 console to list the resource record sets in a hosted zone. For information about how to list resource record sets using the Amazon Route 53 API, see GET ListResourceRecordSets in the Amazon Route 53 API Reference. To list resource record sets 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. On the Hosted Zones page, double-click the name of a hosted zone to see its Record Sets page. To display only selected resource record sets, enter the applicable search criteria above the list of resource record sets: • To display the resource record sets that have specific values in either the Name or Value field, enter a value in the Search field. For example, to display the resource record sets that have an IP address beginning with 192.0, type that value in the Search field. • To display only the resource record sets that have the same DNS record type, select the type in the drop down list. • To display only alias resource record sets, select Aliases Only. • To display only weighted resource record sets, select Weighted Only. API Version 2013-04-01 233 Amazon Route 53 Developer Guide Using Traffic Flow to Route DNS Traffic If you use multiple resources, such as web servers, in multiple locations, it can be a challenge to create resource record sets for a complex configuration that uses a combination of Amazon Route 53 routing policies—weighted, latency, failover, and geolocation. You can create resource record sets one at a time, but it's hard to keep track of the relationships among the resource record sets when you're reviewing the settings in a table in the console. If you're using the Amazon Route 53 console, Amazon Route 53 traffic flow provides a visual editor that helps you create complex trees in a fraction of the time with a fraction of the effort. You can save the configuration as a traffic policy and then associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. (You can only use traffic flow to create configurations for public hosted zones.) You can also use the visual editor to quickly find resources that you need to update and apply the updates to one or more DNS names such as www.example.com. In addition, you can roll back the updates if the new configuration isn't performing as you expected it to. For example, using the traffic flow visual editor, you can easily create a configuration in which you use geolocation routing to route all users from one country to a single endpoint and then use latency routing to route all other users to AWS regions based on the latency between your users and those regions. You might also use failover routing to route users to a primary ELB load balancer within each region when the load balancer is functioning or to a secondary load balancer when the primary load balancer is unhealthy or is offline for maintenance. Here's an overview of how traffic flow works: 1. You use the visual editor to create a traffic policy. A traffic policy includes information about the routing configuration that you want to create: the routing policies that you want to use and the resources that you want to route DNS traffic to, such as the IP address of each EC2 instance and the domain name of each ELB load balancer. You can also associate health checks with your endpoints so that Amazon Route 53 routes traffic only to healthy resources. (Traffic flow also lets you route traffic to non-AWS resources.) 2. You create a policy record. This is where you specify the hosted zone (such as example.com) in which you want to create the configuration that you defined in your traffic policy. It's also where you specify the DNS name (such as www.example.com) that you want to associate the configuration with. You can create more than one policy record in the same hosted zone or in different hosted zones by using the same traffic policy. API Version 2013-04-01 234 Amazon Route 53 Developer Guide Creating and Managing Traffic Policies When you create a policy record, Amazon Route 53 creates a tree of resource record sets. The root resource record set appears in the list of resource record sets for your hosted zone. The root resource record set has the DNS name that you specified when you created the policy record. Amazon Route 53 also creates resource record sets for the entire rest of the tree, but it hides them from the list of resource record sets for your hosted zone. 3. When a user browses to www.example.com, Amazon Route 53 responds to the query based on the configuration in the traffic policy that you used to create the policy record. Topics • Creating and Managing Traffic Policies (p. 235) • Creating and Managing Policy Records (p. 242) Creating and Managing Traffic Policies Topics • Creating a Traffic Policy (p. 235) • Values that You Specify When You Create a Traffic Policy (p. 236) • Creating Additional Versions of a Traffic Policy (p. 238) • Creating a Traffic Policy by Importing a JSON Document (p. 239) • Viewing Traffic Policy Versions and the Associated Policy Records (p. 240) • Deleting Traffic Policy Versions and Traffic Policies (p. 241) Creating a Traffic Policy To create a traffic policy, perform the following procedure. To create a traffic policy 1. 2. 3. Design your configuration. For information about how complex DNS routing configurations work, see Configuring DNS Failover (p. 261) in Amazon Route 53 Health Checks and DNS Failover (p. 245). Based on the design for your configuration, create the health checks that you want to use for your endpoints. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 4. 5. In the navigation pane, choose Traffic policies. Choose Create traffic policy. 6. On the Name policy page, specify the applicable values. For more information, see Values that You Specify When You Create a Traffic Policy (p. 236). Choose Next. 7. 8. On the policy name page, specify the applicable values. For more information, see Values that You Specify When You Create a Traffic Policy (p. 236). You can delete rules, endpoints, and branches of a traffic policy in the following ways: • To delete a rule or an endpoint, click the x in the upper-right corner of the box. Important If you delete a rule that has child rules and endpoints, Amazon Route 53 also deletes all of the children. API Version 2013-04-01 235 Amazon Route 53 Developer Guide Values that You Specify When You Create a Traffic Policy • If you connect two rules to the same child rule or endpoint and you want to delete one of the connections, pause your cursor on the connection that you want to delete, and click the x for that connection. 9. Choose Next. 10. Optional: Specify the settings to create one or more policy records in one hosted zone by using the new traffic policy. For more information, see Values that You Specify When You Create or Update a Policy Record (p. 243). You can also create policy records later, either in the same hosted zone or in additional hosted zones. If you don't want to create policy records now, choose Skip this step, and the console displays the list of traffic policies and policy records that you have created by using the current AWS account. 11. If you specified settings for policy records in the preceding step, choose Create policy record. Values that You Specify When You Create a Traffic Policy When you create a traffic policy, you specify the following values. • • • • • • • Policy name Version Version description DNS type Connect to Value type Value Policy name Enter a name that describes the traffic policy. This value appears in the list of traffic policies in the console. You can't change the name of a traffic policy after you create it. Version This value is assigned automatically by Amazon Route 53 when you create a traffic policy or a new version of an existing policy. Version description Enter a description that applies to this version of the traffic policy. This value appears in the list of traffic policy versions in the console. DNS type Choose the DNS type that you want Amazon Route 53 to assign to all of the resource record sets when you create a policy record by using this traffic policy version. For a list of supported types, see Supported DNS Resource Record Types (p. 4). Important If you're creating a new version of an existing traffic policy, you can change the DNS type. However, you can't edit a policy record and choose a traffic policy version that has a DNS type that is different from the traffic policy version that you used to create the policy record. For example, if you created a policy record by using a traffic policy version that has a DNS type of A, you can't edit the policy record and choose a traffic policy version that has any other value for DNS type. If you want to route traffic to the following AWS resources, choose the applicable value: • CloudFront distribution – Choose A: IP address in IPv4 format. API Version 2013-04-01 236 Amazon Route 53 Developer Guide Values that You Specify When You Create a Traffic Policy • ELB load balancer – Choose either A: IP address in IPv4 format or AAAA: IP address in IPv6 format. • Amazon S3 bucket configured as a website endpoint: Choose A: IP address in IPv4 format. Connect to Choose the applicable rule or endpoint based on the design for your configuration. Weighted rule Choose this option when you have multiple resources that perform the same function (for example, web servers that serve the same website) and you want Amazon Route 53 to route traffic to those resources in proportions that you specify (for example, 1/3rd to one server and 2/3rds to the other). For more information, see Weighted Routing (p. 179). Failover rule Choose this option when you want to configure active-passive failover, in which one resource takes all traffic when it's available and the other resource takes all traffic when the first resource isn't available. For more information, see Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets (p. 273). Geolocation rule Choose this option when you want Amazon Route 53 to respond to DNS queries based on the location of your users. For more information, see Geolocation Routing (p. 181). Latency rule Choose this option when you have resources in multiple Amazon EC2 data centers that perform the same function, and you want Amazon Route 53 to respond to DNS queries with the resources that provide the best latency. For more information, see Latency-Based Routing (p. 180). Endpoint Choose this option to specify the resource, such as a CloudFront distribution or an ELB load balancer, that you want to route DNS queries to. Existing rule Choose this option when you want to route DNS queries to an existing rule in this traffic policy. For example, you might create two or more geolocation rules that route queries for different countries to the same failover rule. The failover rule might then routes queries to two ELB load balancers. This option isn't available if the traffic policy doesn't include any rules. Existing endpoint Choose this option when you want to route DNS queries to an existing endpoint. For example, if you have two failover rules, you might want to route DNS requests for both On failover (secondary) options to the same ELB load balancer. This option isn't available if the traffic policy doesn't include any endpoints. Value type Choose the applicable option: CloudFront distribution Choose this option if you want to route traffic to a CloudFront distribution. The option is available only if you chose A: IP address in IPv4 format for DNS type. ELB load balancer Choose this option if you want to route traffic to an ELB load balancer. The option is available only if you chose either A: IP address in IPv4 format or AAAA: IP address in IPv6 format for DNS type. API Version 2013-04-01 237 Amazon Route 53 Developer Guide Creating Additional Versions of a Traffic Policy S3 website endpoint Choose this option if you want to route traffic to an Amazon S3 bucket that is configured as a website endpoint. The option is available only if you chose A: IP address in IPv4 format for DNS type. Type DNS type value Choose this option if you want Amazon Route 53 to respond to DNS queries using the value in the Value field. For example, if you chose A for the value of DNS type when you created this traffic policy, this option in the Value type list will be Type A value. This requires that you enter an IP address in IPv4 format in the Value field. Amazon Route 53 will respond to DNS queries that are routed to this endpoint with the IP address in the Value field. Value Choose or type a value based on the option that you chose for Value type: CloudFront distribution Choose a CloudFront distribution from the list of distributions that are associated with the current AWS account. ELB load balancer Choose an ELB load balancer from the list of ELB load balancers that are associated with the current AWS account. S3 website endpoint Choose an Amazon S3 bucket from the list of Amazon S3 buckets that are configured as website endpoints and that are associated with the current AWS account. Important When you create a policy record based on this traffic policy, the bucket that you choose here must match the domain name (such as www.example.com) that you specify for Policy record DNS name in the policy record. If Value and Policy record DNS name don't match, Amazon S3 won't respond to DNS queries for the domain name. Type DNS type value Enter a value that corresponds with the value that you specified for DNS type when you started this traffic policy. For example, if you chose MX for DNS type, type two values: the priority that you want to assign to a mail server and the domain name of the mail server, such as 10 sydney.mail.example.com. For more information about supported DNS types, see Supported DNS Resource Record Types (p. 4). Creating Additional Versions of a Traffic Policy When you edit a traffic policy, Amazon Route 53 automatically creates another version of the traffic policy and retains the previous versions unless you choose to delete them. The new version has the same name as the traffic policy that you're editing; it's distinguished from the original version by a version number that Amazon Route 53 increments automatically. You can base the new version of a traffic policy on any existing version of a traffic policy that has the same name. Amazon Route 53 doesn't reuse version numbers for new versions of a given traffic policy. For example, if you create three versions of MyTrafficPolicy, delete the last two versions, and then create another version, the new version is version 4. By retaining the previous versions, Amazon Route 53 ensures that you can roll back to a previous configuration if a new configuration doesn't route traffic as you wanted it to. To create a new traffic policy version, perform the following procedure. To create another version of a traffic policy 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. API Version 2013-04-01 238 Amazon Route 53 Developer Guide Creating a Traffic Policy by Importing a JSON Document 2. 3. In the navigation pane, choose Traffic policies. Choose the name of the traffic policy that you want to create a new version of. 4. In the Traffic policy versions table at the top of the page, select the check box for the traffic policy version that you want to use as a basis for the new traffic policy version. 5. 6. Choose Edit policy as new version. On the Update description page, type a description for the new traffic policy version. We recommend that you specify a description that distinguishes this version from other versions of the same traffic policy. When you create a new policy record, the value that you specify appears in the list of available versions for this traffic policy. Choose Next. 7. 8. Update the configuration as applicable. For more information, see Values that You Specify When You Create a Traffic Policy (p. 236). You can delete rules, endpoints, and branches of a traffic policy in the following ways: • To delete a rule or an endpoint, click the x in the upper-right corner of the box. Important If you delete a rule that has child rules and endpoints, Amazon Route 53 also deletes all of the children. • If you connect two rules to the same child rule or endpoint and you want to delete one of the connections, pause your cursor on the connection that you want to delete, and click the x for that connection. 9. When you're finished editing, choose Save as new version. 10. Optional: Specify the settings to create one or more policy records in one hosted zone by using the new traffic policy version. For more information, see Values that You Specify When You Create or Update a Policy Record (p. 243). You can also create policy records later, either in the same hosted zone or in additional hosted zones. If you don't want to create policy records now, choose Skip this step, and the console displays the list of traffic policies and policy records that you have created by using the current AWS account. 11. If you specified settings for policy records in the preceding step, choose Create policy record. Creating a Traffic Policy by Importing a JSON Document You can create a new traffic policy or a new version of an existing traffic policy by importing a document in JSON format that describes all of the endpoints and rules that you want to include in the traffic policy. For information about the format of the JSON document and several examples that you can copy and revise, see Traffic Policy Document Format in the Amazon Route 53 API Reference. The easiest way to get the JSON-formatted document for an existing traffic policy version is to use the get-traffic-policy command in the AWS CLI. For more information, see get-traffic-policy in the AWS Command Line Interface Reference. To create a traffic policy by importing a JSON document 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. To create a new traffic policy by importing a JSON document, perform the following steps: a. In the navigation pane, choose Traffic policies. API Version 2013-04-01 239 Amazon Route 53 Developer Guide Viewing Traffic Policy Versions and the Associated Policy Records b. c. d. 3. 4. 5. 6. 7. Choose Create traffic policy. On the Name policy page, specify the applicable values. For more information, see Values that You Specify When You Create a Traffic Policy (p. 236). Skip to step 4. To create a new version of an existing traffic policy by importing a JSON document, perform the following steps: a. b. c. In the navigation pane, choose Traffic policies. Choose the name of the traffic policy that you want to base the new version on. In the Traffic policy versions table, select the check box for the version that you want to base the new version on. d. e. f. Choose Edit policy as new version. On the Update description page, type a description for the new version. Skip to step 4. Choose Next. Choose Import traffic policy. Type a new traffic policy, paste an example traffic policy, or paste an existing traffic policy. Choose Import traffic policy. Viewing Traffic Policy Versions and the Associated Policy Records You can view all of the versions that you've created for a traffic policy as well as all of the policy records that you've created by using each of the versions of the traffic policy. To view traffic policy versions and the associated policy records 1. 2. 3. 4. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Traffic policies. Choose the name of a traffic policy. The top table lists all of the versions that you've created of a traffic policy. The table includes the following information: Version number The number of each version of a traffic policy that you've created. If you choose the version number, the console displays the configuration for that version. Number of policy records The number of policy records that you've created by using this traffic policy version. DNS type The DNS type that you specified when you created the traffic policy version. Version description The description that you specified when you created the traffic policy version. 5. The bottom table lists all of the policy records that you've created by using the traffic policy versions in the top table. The table includes the following information: API Version 2013-04-01 240 Amazon Route 53 Developer Guide Deleting Traffic Policy Versions and Traffic Policies Policy record DNS name The DNS names that you've associated the traffic policy with. Status Possible values include the following: Applied Amazon Route 53 has finished creating or updating a policy record and the corresponding resource record sets. Creating Amazon Route 53 is creating the resource record sets for a new policy record. Updating You have updated a policy record and Amazon Route 53 is in the process of creating a new group of resource record sets that will replace the existing group of resource record sets for the specified DNS name. Deleting Amazon Route 53 is in the process of deleting a policy record and the associated resource record sets. Failed Amazon Route 53 wasn't able to create or update the policy record and the associated resource record sets. Version used Indicates the version of the traffic policy that you used to create the policy record. DNS type The DNS type of all of the resource record sets that Amazon Route 53 created for this policy record. When you edit a policy record, you must specify a traffic policy version that has the same DNS type as the DNS type for the policy record that you're editing. TTL (in seconds) The amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record sets (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. Deleting Traffic Policy Versions and Traffic Policies To delete a traffic policy, you must delete all of the versions (including the original) that you've created for the traffic policy. In addition, to delete a traffic policy version, you must delete all of the policy records that you created by using the traffic policy version. Caution If you delete policy records that Amazon Route 53 is using to respond to DNS queries, Amazon Route 53 will stop responding to queries for the corresponding DNS names. For example, if Amazon Route 53 is using the policy record for www.example.com to respond to DNS queries for www.example.com and you delete the policy record, your users will not be able to access your website or web application by using the domain name www.example.com. To delete traffic policy versions and, optionally, a traffic policy, perform the following procedure: To delete traffic policy versions and a traffic policy 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Traffic policies. API Version 2013-04-01 241 Amazon Route 53 Developer Guide Creating and Managing Policy Records 3. 4. Choose the name of the traffic policy for which you want to delete traffic policy versions and that, optionally, you want to delete completely. If the traffic policy versions that you want to delete in the top table appear in the Version used column in the bottom table, select the check boxes for the corresponding policy records in the bottom table. For example, if you want to delete version 3 of a traffic policy but you created one of the policy records in the bottom table by using version 3, select the check box for that policy record. 5. 6. Choose Delete policy records. Choose the refresh button for the bottom table to refresh the display until the policy records that you deleted no longer appear in the table. 7. 8. 9. In the top table, select the check boxes for the traffic policy versions that you want to delete. Choose Delete version. If you deleted all traffic policy versions in the preceding step and you want to delete the traffic policy, too, choose the refresh button for the top table to refresh the display until the table is empty. 10. In the navigation pane, choose Traffic policies. 11. In the list of traffic policies, select the check box for the traffic policy that you want to delete. 12. Choose Delete traffic policy. Creating and Managing Policy Records You create policy records to apply the configuration that you created in a traffic policy to one or more domain names or subdomain names. Topics • Creating Policy Records (p. 242) • Values that You Specify When You Create or Update a Policy Record (p. 243) • Updating Policy Records (p. 243) • Deleting Policy Records (p. 244) Creating Policy Records To create a policy record, perform the following procedure. Important For each policy record that you create, you incur a monthly charge. If you later delete the policy record, the charge is prorated. For more information, see Amazon Route 53 Pricing. To create a policy record 1. 2. 3. 4. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Policy records. 5. On the Policy records page, choose Create policy records. On the Create policy records page, specify the applicable values. For more information, see Values that You Specify When You Create or Update a Policy Record (p. 243). Choose Create policy records. 6. If you want to create policy records in another hosted zone, repeat steps 3 through 5. API Version 2013-04-01 242 Amazon Route 53 Developer Guide Values that You Specify When You Create or Update a Policy Record Values that You Specify When You Create or Update a Policy Record When you create or update a policy record, you specify the following values • Traffic policy • Version • Hosted zone • Policy record DNS name • TTL Traffic policy Choose the traffic policy whose configuration you want to use for this policy record. Version Choose the version of the traffic policy whose configuration you want to use for this policy record. If you're updating an existing policy record, you must choose a version for which the DNS type matches the current DNS type of the policy record. For example, if the DNS type of the policy record is A, you must choose a version for which the DNS type is A. Hosted zone Choose the hosted zone in which you want to create a policy record by using the specified traffic policy and version. You can't change the value of Hosted zone after you create a policy record. Policy record DNS name When you're creating a policy record, type the domain name or subdomain name for which you want Amazon Route 53 to respond to DNS queries by using the configuration in the specified traffic policy and version. To use the same configuration for more than one domain name or subdomain name in the specified hosted zone, choose Add another policy record, and enter the applicable domain name or subdomain name and TTL. You can't change the value of Policy record DNS name after you create a policy record. TTL (in seconds) Type the amount of time, in seconds, that you want DNS recursive resolvers to cache information about this resource record set. If you specify a longer value (for example, 172800 seconds, or two days), you pay less for Amazon Route 53 service because recursive resolvers send requests to Amazon Route 53 less often. However, it takes longer for changes to the resource record sets (for example, a new IP address) to take effect because recursive resolvers use the values in their cache for longer periods instead of asking Amazon Route 53 for the latest information. Updating Policy Records To update the settings in a policy record, perform the following procedure. To update a policy record 1. 2. 3. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Policy records. On the Policy records page, select the check box for the policy record that you want to update, and choose Edit policy record. API Version 2013-04-01 243 Amazon Route 53 Developer Guide Deleting Policy Records 4. 5. 6. On the Edit policy record page, specify the applicable values. For more information, see Values that You Specify When You Create or Update a Policy Record (p. 243). Choose Edit policy record. If you want to update another policy record, repeat steps 3 through 5. Deleting Policy Records To delete policy records, perform the following procedure. Caution If you delete policy records that Amazon Route 53 is using to respond to DNS queries, Amazon Route 53 will stop responding to queries for the corresponding DNS names. For example, if Amazon Route 53 is using the policy record for www.example.com to respond to DNS queries for www.example.com and you delete the policy record, your users will not be able to access your website or web application by using the domain name www.example.com. To delete a policy record 1. 2. 3. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Policy records. On the Policy records page, select the check boxes for the policy records that you want to delete, and choose Delete policy record. API Version 2013-04-01 244 Amazon Route 53 Developer Guide Creating, Updating, and Deleting Health Checks Amazon Route 53 Health Checks and DNS Failover Amazon Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. At regular intervals that you specify, Amazon Route 53 submits automated requests over the Internet to your application, server, or other resource to verify that it's reachable, available and functional. You can configure a health check to make requests similar to those that your users make, such as requesting a web page from a specific URL. You can also view the current and recent status of health checks. If you want to receive a notification when an application or a resource becomes unavailable, you can configure an Amazon CloudWatch alarm for each health check. For information about creating health checks, see Creating, Updating, and Deleting Health Checks (p. 245). For information about viewing health check status and receiving notifications, see Monitoring Health Check Status and Getting Notifications (p. 255). If you have multiple resources that perform the same function, for example, web servers or email servers, and you want Amazon Route 53 to route traffic only to the resources that are healthy, you can configure DNS failover by associating health checks with your resource record sets. If a health check determines that the underlying resource is unhealthy, Amazon Route 53 routes traffic away from the associated resource record set. For more information, see Configuring DNS Failover (p. 261). Topics • • • • Creating, Updating, and Deleting Health Checks (p. 245) Monitoring Health Check Status and Getting Notifications (p. 255) Configuring DNS Failover (p. 261) Naming and Tagging Health Checks (p. 275) • Using Health Checks with Amazon Route 53 API Versions Earlier than 2012-12-12 (p. 276) Creating, Updating, and Deleting Health Checks The procedures in the following topics explain how to create, update, and delete Amazon Route 53 health checks. API Version 2013-04-01 245 Amazon Route 53 Developer Guide Creating and Updating Health Checks Important If you're updating or deleting health checks that are associated with resource record sets, review the tasks in Updating or Deleting Health Checks when DNS Failover Is Configured (p. 253) before you proceed. Topics • Creating and Updating Health Checks (p. 246) • Deleting Health Checks (p. 253) • Updating or Deleting Health Checks when DNS Failover Is Configured (p. 253) • Configuring Router and Firewall Rules for Amazon Route 53 Health Checks (p. 254) • How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254) Creating and Updating Health Checks The following procedure describes how to create and update health checks using the Amazon Route 53 console. For information about creating health checks using the API, see POST CreateHealthCheck in the Amazon Route 53 API Reference. For information about updating health checks using the API, see POST UpdateHealthCheck, also in the Amazon Route 53 API Reference. Note Health checks are supported starting with the 2012-12-12 version of the Amazon Route 53 API. To create or update a health check using the Amazon Route 53 console 1. 2. 3. 4. 5. 6. 7. If you're updating health checks that are associated with resource record sets, perform the recommended tasks in Updating or Deleting Health Checks when DNS Failover Is Configured (p. 253). Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. If you want to update an existing health check, select the health check, and then choose Edit Health Check. If you want to create a health check, choose Create Health Check. For more information about each setting, move the mouse pointer over a label to see its tooltip. Enter the applicable values. Note that some values can't be changed after you create a health check. For more information, see Values that You Specify When You Create or Update Health Checks (p. 246). Choose Create Health Check. Associate the health check with one or more Amazon Route 53 resource record sets. For information about creating and updating resource record sets, see Working with Resource Record Sets (p. 178). Values that You Specify When You Create or Update Health Checks When you create or update health checks, you specify the applicable values. Note that you can't change some values after you create a health check. Topics • Monitoring an Endpoint (p. 247) • Monitoring Other Health Checks (Calculated Health Checks) (p. 249) • Monitoring a CloudWatch Alarm (p. 250) API Version 2013-04-01 246 Amazon Route 53 Developer Guide Creating and Updating Health Checks • Advanced Configuration ("Monitor an endpoint" Only) (p. 250) • Get Notified When a Health Check Fails (p. 252) • Values that Amazon Route 53 Displays (p. 253) Name Optional, but recommended: The name that you want to assign to the health check. If you specify a value for Name, Amazon Route 53 adds a tag to the health check, assigns the value Name to the tag key, and assigns the value that you specify to the tag value. The value of the Name tag appears in the list of health checks in the Amazon Route 53 console, which lets you easily distinguish health checks from one another. For more information about tagging and health checks, see Naming and Tagging Health Checks (p. 275). What to monitor Whether you want this health check to monitor an endpoint or the status of other health checks: • Endpoint – Amazon Route 53 monitors the health of an endpoint that you specify.You can specify the endpoint by providing either a domain name or an IP address and a port. Note If you specify a non-AWS endpoint, an additional charge applies. For more information, including a definition of AWS endpoints, see Health Checks on the Amazon Route 53 Pricing page. • Status of other health checks (calculated health check) – Amazon Route 53 determines whether this health check is healthy based on the status of other health checks that you specify. You also specify how many of the health checks need to be healthy for this health check to be considered healthy. • State of CloudWatch alarm – Amazon Route 53 determines whether this health check is healthy based on the alarm state of a CloudWatch alarm. Monitoring an Endpoint If you want this health check to monitor an endpoint, specify the following values: • • • • • Specify endpoint by Protocol IP address Host name Port • Domain name • Path Specify endpoint by Whether you want to specify the endpoint using an IP address or using a domain name. After you create a health check, you can't change the value of Specify endpoint by. Protocol The method that you want Amazon Route 53 to use to check the health of your endpoint: • HTTP – Amazon Route 53 tries to establish a TCP connection. If successful, Amazon Route 53 submits an HTTP request and waits for an HTTP status code of 200 or greater and less than 400. • HTTPS – Amazon Route 53 tries to establish a TCP connection. If successful, Amazon Route 53 submits an HTTPS request and waits for an HTTP status code of 200 or greater and less than 400. API Version 2013-04-01 247 Amazon Route 53 Developer Guide Creating and Updating Health Checks Important If you choose HTTPS, the endpoint must support TLS v1.0 or later. If you choose HTTPS for the value of Protocol, an additional charge applies. For more information, see Amazon Route 53 Pricing. • TCP – Amazon Route 53 tries to establish a TCP connection. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). After you create a health check, you can't change the value of Protocol. IP address ("Specify endpoint by IP address" Only) The IPv4 address of the endpoint on which you want Amazon Route 53 to perform health checks, if you chose Specify endpoint by IP address. Amazon Route 53 cannot check the health of endpoints for which the IP address is in local, private, nonroutable, or multicast ranges. For more information about IP addresses for which you cannot create health checks, see RFC 5735, Special Use IPv4 Addresses and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space. If the endpoint is an Amazon EC2 instance, we recommend that you create an Elastic IP address, associate it with your Amazon EC2 instance, and specify the Elastic IP address. This ensures that the IP address of your instance will never change. For more information, see Elastic IP Addresses (EIP) in the Amazon EC2 User Guide for Linux Instances. Note If you specify a non-AWS endpoint, an additional charge applies. For more information, including a definition of AWS endpoints, see Health Checks on the Amazon Route 53 Pricing page. Host name ("Specify endpoint by IP address" Only, HTTP and HTTPS Protocols Only) The value that you want Amazon Route 53 to pass in the Host header in HTTP and HTTPS health checks. This is typically the fully qualified DNS name of the website on which you want Amazon Route 53 to perform health checks. When Amazon Route 53 checks the health of an endpoint, here is how it constructs the Host header: • If you specify a value of 80 for Port and HTTP for Protocol, Amazon Route 53 passes to the endpoint a Host header that contains the value of Host name. • If you specify a value of 443 for Port and HTTPS for Protocol, Amazon Route 53 passes to the endpoint a Host header that contains the value of Host name. • If you specify another value for Port and either HTTP or HTTPS for Protocol, Amazon Route 53 passes to the endpoint a Host header that contains the value Host name:Port. If you choose to specify the endpoint by IP address and you don't specify a value for Host name, Amazon Route 53 substitutes the value of IP address in the Host header in each of the preceding cases. Port The port on the endpoint on which you want Amazon Route 53 to perform health checks. Domain name ("Specify endpoint by domain name" Only, All Protocols) The domain name of the endpoint on which you want Amazon Route 53 to perform health checks, if you choose Specify endpoint by domain name. If you choose to specify the endpoint by domain name, Amazon Route 53 sends a DNS request to resolve the domain name that you specify in Domain name at the interval you specify in Request interval. Using an IP address that DNS returns, Amazon Route 53 then checks the health of the endpoint. If you want to check the health of weighted, latency, geolocation routing, or failover resource record sets, and you choose to specify the endpoint by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each HTTP server API Version 2013-04-01 248 Amazon Route 53 Developer Guide Creating and Updating Health Checks that is serving content for www.example.com. For the value of Domain name, specify the domain name of the server (such as us-east-1-www.example.com), not the name of the resource record sets (www.example.com). Important In this configuration, if you create a health check for which the value of Domain name matches the name of the resource record sets and then associate the health check with those resource record sets, health check results will be unpredictable. In addition, if the value of Protocol is HTTP or HTTPS, Amazon Route 53 passes the value of Domain name in the Host header as described in Host name, earlier in this list. If the value of Protocol is TCP, Amazon Route 53 doesn't pass a Host header. Note If you specify a non-AWS endpoint, an additional charge applies. For more information, including a definition of AWS endpoints, see Health Checks on the Amazon Route 53 Pricing page. Path (HTTP and HTTPS Protocols Only) The path that you want Amazon Route 53 to request when performing health checks. The path can be any value for which your endpoint will return an HTTP status code of 2xx or 3xx when the endpoint is healthy, such as the file /docs/route53-health-check.html. Amazon Route 53 automatically adds a leading / character. Monitoring Other Health Checks (Calculated Health Checks) If you want this health check to monitor the status of other health checks, specify the following values: • Health checks to monitor • Report healthy when • Invert health check status Health checks to monitor The health checks that you want Amazon Route 53 to monitor to determine the health of this health check. You can add up to 256 health checks to Health checks to monitor. To remove a health check from the list, choose the x at the right end of the highlight for that health check. Note You can't configure a calculated health check to monitor the health of other calculated health checks. Report healthy when The calculation that you want Amazon Route 53 to perform to determine whether this health check is healthy: • Report healthy when at least x of y selected health checks are healthy – Amazon Route 53 considers this health check to be healthy when the specified number of health checks that you added to Health checks to monitor are healthy. Note the following: • If you specify a number greater than the number of health checks in Health checks to monitor, Amazon Route 53 always considers this health check to be unhealthy. • If you specify 0, Amazon Route 53 always considers this health check to be healthy. • Report healthy when all health checks are healthy (AND) – Amazon Route 53 considers this health check to be healthy only when all of the health checks that you added to Health checks to monitor are healthy. • Report healthy when one or more health checks are healthy (OR) – Amazon Route 53 considers this health check to be healthy when at least one of the health checks that you added to Health checks to monitor is healthy. API Version 2013-04-01 249 Amazon Route 53 Developer Guide Creating and Updating Health Checks Invert health check status Choose whether you want Amazon Route 53 to invert the status of a health check. If you choose this option, Amazon Route 53 considers health checks to be unhealthy when the status is healthy and vice versa. Monitoring a CloudWatch Alarm If you want this health check to monitor the alarm state of a CloudWatch alarm, specify the following values: • CloudWatch alarm • Health check status • Invert health check status CloudWatch alarm Choose the CloudWatch alarm that you want Amazon Route 53 to use to determine whether this health check is healthy. If you want to create a new alarm, perform the following steps: 1. 2. 3. 4. 5. Choose create, and the CloudWatch console appears in a new browser tab. Enter the applicable values. For more information, see Create an alarm in the Amazon CloudWatch Developer Guide. Return to the browser tab that the Amazon Route 53 console appears in. Choose the refresh button next to the CloudWatch alarm list. Choose the new alarm from the list. Health check status Choose the status of the health check when CloudWatch has insufficient data to determine the state of the alarm that you chose in CloudWatch alarm. If you choose to use the last known status, Amazon Route 53 uses the status of the health check from the last time CloudWatch had sufficient data to determine the alarm state. For new health checks that have no last known status, the default status for the health check is healthy. Invert health check status Choose whether you want Amazon Route 53 to invert the status of a health check. If you choose this option, Amazon Route 53 considers health checks to be unhealthy when the status is healthy and vice versa. Advanced Configuration ("Monitor an endpoint" Only) If you choose the option to monitor an endpoint, you can also specify the following settings: • Request interval • Failure threshold • String matching • Search string • • • • Latency graphs Enable SNI Health checker regions Invert health check status API Version 2013-04-01 250 Amazon Route 53 Developer Guide Creating and Updating Health Checks Request interval The number of seconds between the time that each Amazon Route 53 health checker gets a response from your endpoint and the time that it sends the next health check request. If you choose an interval of 30 seconds, each of the Amazon Route 53 health checkers in data centers around the world will send your endpoint a health check request every 30 seconds. On average, your endpoint will receive a health check request about every two seconds. If you choose an interval of 10 seconds, the endpoint will receive a request more than once per second. Note that Amazon Route 53 health checkers in different data centers don't coordinate with one another, so you'll sometimes see several requests per second regardless of the interval you chose, followed by a few seconds with no health checks at all. After you create a health check, you can't change the value of Request interval. Note If you choose Fast (10 seconds) for the value of Request interval, an additional charge applies. For more information, see Amazon Route 53 Pricing. Failure threshold The number of consecutive health checks that an endpoint must pass or fail for Amazon Route 53 to change the current status of the endpoint from unhealthy to healthy or vice versa. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). String matching (HTTP and HTTPS Only) Whether you want Amazon Route 53 to determine the health of an endpoint by submitting an HTTP or HTTPS request to the endpoint and searching the response body for a specified string. If the response body contains the value that you specify in Search string, Amazon Route 53 considers the endpoint healthy. If not, or if the endpoint doesn't respond, Amazon Route 53 considers the endpoint unhealthy. The search string must appear entirely within the first 5,120 bytes of the response body. After you create a health check, you can't change the value of String matching. Note If you choose Yes for the value of String matching, an additional charge applies. For more information, see Amazon Route 53 Pricing. Search string (Only When "String matching" Is Enabled) The string that you want Amazon Route 53 to search for in the body of the response from your endpoint. The maximum length is 255 characters. Amazon Route 53 considers case when searching for Search string in the response body. Latency graphs Choose whether you want Amazon Route 53 to measure the latency between health checkers in multiple AWS regions and your endpoint and to display Amazon CloudWatch latency graphs on the Latency tab on the Health checks page in the Amazon Route 53 console. If Amazon Route 53 health checkers can't connect to the endpoint, Amazon Route 53 can't display latency graphs for that endpoint. After you create a health check, you can't change the value of Latency measurements. Note If you configure Amazon Route 53 to measure the latency between health checkers and your endpoint, an additional charge applies. For more information, see Amazon Route 53 Pricing. Enable SNI (HTTPS Only) Specify whether you want Amazon Route 53 to send the host name to the endpoint in the client_hello message during TLS negotiation. This allows the endpoint to respond to the HTTPS request with the applicable SSL/TLS certificate. Some endpoints require that HTTPS requests include the host name in the client_hello message. If you don't enable SNI, the status of the health check will be SSL alert handshake_failure. API Version 2013-04-01 251 Amazon Route 53 Developer Guide Creating and Updating Health Checks A health check can also have that status for other reasons. If SNI is enabled and you're still getting the error, check the SSL/TLS configuration on your endpoint and confirm that your certificate is valid. Note the following requirements: • The endpoint must support SNI. • The SSL/TLS certificate on your endpoint includes a domain name in the Common Name field and possibly several more in the Subject Alternative Names field. One of the domain names in the certificate must match the value that you specify for Host name. Health checker regions Choose whether you want Amazon Route 53 to check the health of the endpoint by using health checkers in the recommended regions or by using health checkers in regions that you specify. If you update a health check to remove a region that has been performing health checks, Amazon Route 53 will briefly continue to perform checks from that region to ensure that some health checkers are always checking the endpoint (for example, if you replace three regions with four different regions). If you choose Customize, choose the x for a region to remove it. Click the space at the bottom of the list to add a region back to the list. You must specify at least three regions. Invert health check status Choose whether you want Amazon Route 53 to invert the status of a health check. If you choose this option, Amazon Route 53 considers health checks to be unhealthy when the status is healthy and vice versa. Get Notified When a Health Check Fails Use the following options to configure email notification when a health check fails: • • • • Create alarm Send notification to Topic name Recipient email addresses Create alarm (Only When Creating Health Checks) Specify whether you want to create a default CloudWatch alarm. If you choose Yes, CloudWatch sends you an Amazon SNS notification when the status of this endpoint changes to unhealthy and Amazon Route 53 considers the endpoint unhealthy for one minute. If you want to create an alarm for an existing health check or you want to receive notifications when Amazon Route 53 considers the endpoint unhealthy for more or less than one minute (the default value), select No, and add an alarm after you create the health check. For more information, see Monitoring Health Checks Using CloudWatch (p. 257). Send notification to (Only When Creating an Alarm) Specify whether you want CloudWatch to send notifications to an existing Amazon SNS topic or to a new one: • Existing SNS topic – Select the name of the topic from the list • New SNS topic – Enter a name for the topic in Topic name, and enter the email addresses that you want to send notifications to in Recipients Topic name (Only When Creating a New SNS Topic) If you specified New SNS Topic, enter the name of the new topic. Recipient email addresses (Only When Creating a New SNS Topic) If you specified New SNS topic, enter the email addresses that you want to send notifications to. Separate multiple names with commas (,), semicolons (;), or spaces. API Version 2013-04-01 252 Amazon Route 53 Developer Guide Deleting Health Checks Values that Amazon Route 53 Displays The Create Health Check page displays the following values based on the values that you entered: URL Either the full URL (for HTTP or HTTPS health checks) or the IP address and port (for TCP health checks) to which Amazon Route 53 will send requests when performing health checks. Health Check Type Either Basic or Basic + additional options based on the settings that you specified for this health check. For information about pricing for the additional options, see Amazon Route 53 Pricing. Deleting Health Checks To delete health checks, perform the following procedure. To delete a health check using the Amazon Route 53 console 1. 2. 3. 4. 5. 6. If you're deleting health checks that are associated with resource record sets, perform the recommended tasks in Updating or Deleting Health Checks when DNS Failover Is Configured (p. 253). Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. In the right pane, select the health check that you want to delete. Choose Delete Health Check. Choose Yes, Delete to confirm. Updating or Deleting Health Checks when DNS Failover Is Configured When you want to update or delete health checks that are associated with resource record sets, or you want to change resource record sets that have associated health checks, you must consider how your changes affect routing of DNS queries and your DNS failover configuration. Caution Amazon Route 53 does not prevent you from deleting a health check even if the health check is associated with one or more resource record sets. If you delete a health check and you don't update the associated resource record sets, the future status of the health check cannot be predicted and might change. This will affect the routing of DNS queries for your DNS failover configuration. To update or delete health checks that are already associated with resource record sets, we recommend that you perform the following tasks: 1. Identify the resource record sets that are associated with the health checks. To identify the resource record sets that are associated with a health check, you must do one of the following: • Review the resource record sets in each hosted zone using the Amazon Route 53 console. For more information, see Listing Resource Record Sets (p. 233). • Run the GET ListResourceRecordSets API action on each hosted zone and review the response. For more information, see GET ListResourceRecordSets in the Amazon Route 53 API Reference. API Version 2013-04-01 253 Amazon Route 53 Developer Guide Configuring Router and Firewall Rules for Amazon Route 53 Health Checks 2. Assess the change in behavior that will result from updating or deleting health checks, or from updating resource record sets, and determine which changes to make. For more information, see the following topics: • What Happens When You Omit Health Checks? (p. 267) • Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets (p. 273) 3. Change health checks and resource record sets as applicable. For more information, see the following topics: • Creating and Updating Health Checks (p. 246) • Editing Resource Record Sets (p. 232) 4. Delete the health checks that you're no longer using, if any. For more information about deleting health checks using the console, see Deleting Health Checks (p. 253). For information about using the Amazon Route 53 API, see DELETE DeleteHealthCheck in the Amazon Route 53 API Reference. Configuring Router and Firewall Rules for Amazon Route 53 Health Checks When Amazon Route 53 checks the health of an endpoint, it sends an HTTP, HTTPS, or TCP request to the IP address and port that you specified when you created the health check. For a health check to succeed, your router and firewall rules must allow inbound traffic from the IP addresses that the Amazon Route 53 health checkers use. (In Amazon EC2, security groups act as firewalls. For more information, see Amazon EC2 Security Groups in the Amazon EC2 User Guide for Linux Instances.) For the current list of IP addresses for Amazon Route 53 health checkers, see Forum Announcements at the top of the Amazon Route 53 forum. You can also get the IP addresses of Amazon Route 53 health checkers using the Amazon Route 53 API. For more information, see GET GetCheckerIpRanges in the Amazon Route 53 API Reference. How Amazon Route 53 Determines Whether an Endpoint Is Healthy Amazon Route 53 determines whether the endpoint associated with a health check is healthy based on response time and on the number of failed or passed health checks: • HTTP and HTTPS health checks – Amazon Route 53 must be able to establish a TCP connection with the endpoint within four seconds. In addition, the endpoint must respond with an HTTP status code of 200 or greater and less than 400 within two seconds after connecting. • TCP health checks – Amazon Route 53 must be able to establish a TCP connection with the endpoint within ten seconds. • HTTP and HTTPS health checks with string matching – As with HTTP and HTTPS health checks, Amazon Route 53 must be able to establish a TCP connection with the endpoint within four seconds, and the endpoint must respond with an HTTP status code of 200 or greater and less than 400 within two seconds after connecting. After an Amazon Route 53 health checker receives the HTTP status code, it must receive the response body from the endpoint within the next two seconds. Amazon Route 53 searches the response body for a string that you specify. The string must appear entirely in the first 5120 bytes of the response body or the endpoint fails the health check. If you're using the Amazon Route 53 console, you specify the API Version 2013-04-01 254 Amazon Route 53 Developer Guide Monitoring Health Check Status and Getting Notifications string in the Search String field. If you're using the Amazon Route 53 API, you specify the string in the SearchString element when you create the health check. • Calculated health checks – For health checks that monitor the status of other health checks, Amazon Route 53 adds up the number of health checks that Amazon Route 53 health checkers consider to be healthy. It then compares that number with the number of child health checks that must be healthy for the status of the health check to be considered healthy. • Health checks based on the state of CloudWatch alarms – If the state of a CloudWatch alarm is OK, the health check is considered healthy. If the state is Alarm, the health check is considered unhealthy. If CloudWatch doesn't have sufficient data to determine whether the state is OK or Alarm, the health check status depends on the setting for Health check status: healthy, unhealthy, or last known status. (In the Amazon Route 53 API, this setting is InsufficientDataHealthStatus.) For more information, see Creating, Updating, and Deleting Health Checks (p. 245). When you create a health check, here's what happens: 1. 2. 3. 4. Amazon Route 53 propagates the health check configuration to the servers that perform health checks in AWS data centers around the world. A health-checking application (a health checker) in each data center sends a request to the endpoint that you specify at the request interval that you specify: every 10 seconds or every 30 seconds. The request interval is the number of seconds between the time that Amazon Route 53 gets a response from your endpoint and the time that it sends the next health-check request. When the endpoint either passes or fails a consecutive number of health checks that you specify (the failure threshold), Amazon Route 53 updates the health status of the endpoint. Thereafter, the health status of an endpoint changes from healthy to unhealthy (or vice versa) after it fails (or passes) the same number of consecutive checks. Each Amazon Route 53 health checker propagates the results of its health checks to Amazon Route 53 DNS servers worldwide. If more than 18% of available health checkers report that an endpoint is healthy, Amazon Route 53 responds to queries using the associated resource record sets when applicable. If 18% of health checkers or fewer report that an endpoint is healthy, Amazon Route 53 typically does not respond to queries using the associated resource record sets. The 18% value might change in a future release. Monitoring Health Check Status and Getting Notifications You monitor the status of your health checks on the Amazon Route 53 console. You can also set CloudWatch alarms and get automated notifications when the status of your health check status changes. Topics • Viewing Health Check Status and the Reason for Health Check Failures (p. 255) • Monitoring the Latency Between Health Checkers and Your Endpoint (p. 256) • Monitoring Health Checks Using CloudWatch (p. 257) Viewing Health Check Status and the Reason for Health Check Failures On the Amazon Route 53 console, you can view the status (healthy or unhealthy) of your health checks as reported by Amazon Route 53 health checkers. For all health checks except calculated health checks, API Version 2013-04-01 255 Amazon Route 53 Developer Guide Monitoring the Latency Between Health Checkers and Your Endpoint you can also view the reason for the last health check failure, for example, health checkers were unable to establish a connection with the endpoint. To view the status and last failure reason for a health check (console) 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. 3. In the navigation pane, choose Health Checks. For an overview of the status of all of your health checks—healthy or unhealthy—view the Status column. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). For all health checks except calculated health checks, you can view the status of the Amazon Route 53 health checkers that are checking the health of a specified endpoint. Select the health check. In the bottom pane, choose the Health Checkers tab. 4. 5. Note New health checks must propagate to Amazon Route 53 health checkers before the health check status and last failure reason appear in the Status column. Until propagation has finished, the message in that column explains that no status is available. 6. Choose whether you want to view the current status of the health check, or view the date and time of the last failure and the reason for the failure. The table on the Status tab includes the following values: Health checker IP The IP address of the Amazon Route 53 health checker that performed the health check. Last checked The date and time of the health check or the date and time of the last failure, depending on the option that you select at the top of the Status tab. Status Either the current status of the health check or the reason for the last health check failure, depending on the option that you select at the top of the Status tab. Monitoring the Latency Between Health Checkers and Your Endpoint When you create a health check, if you choose to monitor the status of an endpoint (not the status of other health checks) and you choose the Latency graphs option, you can view the following values on CloudWatch graphs on the Amazon Route 53 console: • The average time, in milliseconds, that it took Amazon Route 53 health checkers to establish a TCP connection with the endpoint • The average time, in milliseconds, that it took Amazon Route 53 health checkers to receive the first byte of the response to an HTTP or HTTPS request • The average time, in milliseconds, that it took Amazon Route 53 health checkers to complete the SSL handshake Note You can't enable latency monitoring for existing health checks. API Version 2013-04-01 256 Amazon Route 53 Developer Guide Monitoring Health Checks Using CloudWatch To view the latency between Amazon Route 53 health checkers and your endpoint (console) 1. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. 2. 3. 4. In the navigation pane, choose Health Checks. Select the rows for the applicable health checks. You can view latency data only for health checks that monitor the status of an endpoint and for which the Latency graphs option is enabled. In the bottom pane, choose the Latency tab. 5. Choose the time range and the geographic region for which you want to display latency graphs. The graphs display the status for the specified time range: TCP connection time (HTTP and TCP only) The average time, in milliseconds, that it took Amazon Route 53 health checkers in the selected geographic region to establish a TCP connection with the endpoint. Time to first byte (HTTP and HTTPS only) The average time, in milliseconds, that it took Amazon Route 53 health checkers in the selected geographic region to receive the first byte of the response to an HTTP or HTTPS request. Time to complete SSL handshake (HTTPS only) The average time, in milliseconds, that it took Amazon Route 53 health checkers in the selected geographic region to complete the SSL handshake. Note If you select more than one health check, the graph displays a separate color-coded line for each health check. 6. To view a larger graph and specify different settings, click the graph. You can change the following settings: Statistic Changes the calculation that CloudWatch performs on the data. Time range Displays the status of a health check over a different period, for example, overnight or last week. Period Changes the interval between data points in the graph. Note the following: • If you just created a health check, you might need to wait for a few minutes for data to appear in the graph and for the health check metric to appear in the list of available metrics. • The graph doesn't refresh itself automatically. To update the display, choose the refresh ( ) icon. • If health checks are failing for some reason, such as a connection timeout, Amazon Route 53 can't measure latency, and latency data will be missing from the graph for the affected period. Monitoring Health Checks Using CloudWatch Amazon Route 53 health checks integrate with CloudWatch metrics so that you can do the following: • Verify that a health check is properly configured. • Review the status of a health check over a specified period of time. API Version 2013-04-01 257 Amazon Route 53 Developer Guide Monitoring Health Checks Using CloudWatch • Configure CloudWatch to send an Amazon Simple Notification Service (Amazon SNS) alert when the status of a health check is unhealthy. Note that several minutes might elapse between the time that a health check fails and the time that you receive the associated Amazon SNS notification. CloudWatch metrics are retained for two weeks. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). • To view the status of a health check (console) (p. 258) • To receive an Amazon SNS notification when a health check status is unhealthy (console) (p. 259) • To view CloudWatch alarm status and edit alarms for Amazon Route 53 (console) (p. 260) • To view Amazon Route 53 metrics on the CloudWatch console (p. 261) To view the status of a health check (console) 1. 2. 3. 4. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. Choose the rows for the applicable health checks. In the bottom pane, choose the Monitoring tab. The two graphs display the status for the last hour in one-minute intervals: Health check status The graph shows the Amazon Route 53 assessment of endpoint health. 1 indicates healthy and 0 indicates unhealthy. Health checkers that report the endpoint healthy (%) For all health checks except calculated health checks, the graph shows the percentage of Amazon Route 53 health checkers that consider the selected endpoint to be healthy. Number of healthy child health checks For calculated health checks only, the graph shows the number of child health checks for which the status is healthy. Note If you selected more than one health check, the graph displays a separate color-coded line for each health check. 5. To view a larger graph and specify different settings, click the graph. You can change the following settings: Statistic Changes the calculation that CloudWatch performs on the data. Time range Displays the status of a health check over a different period, for example, overnight or last week. Period Changes the interval between data points in the graph. Note the following: • If you just created a health check, you might need to wait for a few minutes for data to appear in the graph and for the health check metric to appear in the list of available metrics. • The graph doesn't refresh itself automatically. To update the display, choose the refresh ( ) icon. API Version 2013-04-01 258 Amazon Route 53 Developer Guide Monitoring Health Checks Using CloudWatch To receive an Amazon SNS notification when a health check status is unhealthy (console) 1. In the navigation pane of the Amazon Route 53 console, choose Health Checks. 2. 3. Choose the row for the applicable health check. In the bottom pane, choose the Alarms tab. 4. 5. The table lists the alarms that you've already created for this health check. Choose Create Alarm. Specify the following values: Alarm name Type the name that you want to see in the Name column in the table. Alarm description (Optional) Type a description of the alarm. Send notification Choose whether you want Amazon Route 53 to send you notification if the status of this health check triggers an alarm. Notification target (Only when "Send notification" is "Yes") If you want CloudWatch to send notification to an existing Amazon SNS topic, choose the topic from the list. If you want CloudWatch to send notification but not to an existing Amazon SNS topic, do one of the following: • If you want CloudWatch to send email notification – Choose New SNS topic and continue with this procedure. • If you want CloudWatch to send notification by another method – Open a new browser tab, go to the Amazon SNS console, and create the new topic. Then return to the Amazon Route 53 console, choose the name of the new topic from the Notification target list, and continue with this procedure. Topic name (Only when you choose to create a new Amazon SNS topic) Type a name for the new Amazon SNS topic. Recipient email addresses (Only when you choose to create a new Amazon SNS topic) Type the email address that you want Amazon Route 53 to send an Amazon SNS notification to when a health check triggers an alarm. Alarm target Choose the value that you want Amazon Route 53 to evaluate for this health check: • Health check status – Amazon Route 53 health checkers report that the health check is healthy or unhealthy • Health checkers that report the endpoint healthy (%) (all health checks except calculated health checks) – The percentage of Amazon Route 53 health checkers that report that the status of the health check is healthy • Number of healthy child health checks (calculated health checks only) – The number of child health checks in a calculated health check that report that the status of the health check is healthy • TCP connection time (HTTP and TCP health checks only) – The time in milliseconds that it took Amazon Route 53 health checkers to establish a TCP connection with the endpoint • Time to complete SSL handshake (HTTPS health checks only) – The time in milliseconds that it took Amazon Route 53 health checkers to complete the SSL handshake • Time to first byte (HTTP and HTTPS health checks only) – The time in milliseconds that it took Amazon Route 53 health checkers to receive the first byte of the response to an HTTP or HTTPS request API Version 2013-04-01 259 Amazon Route 53 Developer Guide Monitoring Health Checks Using CloudWatch Alarm target For the alarm targets that are based on latency (TCP connection time, Time to complete SSL handshake, Time to first byte), choose whether you want CloudWatch to calculate latency for Amazon Route 53 health checkers in a specific region or for all regions (Global). Note that if you choose a region, Amazon Route 53 measures latency only twice per minute, and the number of samples will be smaller than if you choose all regions. As a result, outlying values are more likely. To prevent spurious alarm notifications, we recommend that you specify a larger number of consecutive periods that the health check must fail before CloudWatch sends you a notification. Fulfill condition Use the following settings to determine when CloudWatch should trigger an alarm: Alarm Target Recommended Con- Description dition Health check status Minimum < 1 Amazon Route 53 health checkers report when the endpoint is unhealthy. Health checkers that Average < desired report the endpoint percentage healthy (%) For health checks other than calculated health checks, Amazon Route 53 considers the status of a health check to be unhealthy when less than 18% of health checkers report that the status is healthy. Number of healthy child health checks Minimum < desired number of healthy child health checks The Minimum statistic returns the most conservative value and represents the worst-case scenario. TCP connection time Average > desired time in milliseconds Average is a more consistent value than other statistics. Time to complete SSL handshake Average > desired time in milliseconds Average is a more consistent value than other statistics. Time to first byte Average > desired time in milliseconds Average is a more consistent value than other statistics. For at least x consecutive periods of y minutes/hours/day Specify how many consecutive time periods that the specified value must meet the criteria before Amazon Route 53 sends notification. Then specify the length of the time period. 6. 7. When you choose Create, Amazon SNS sends you an email with information about the new Amazon SNS topic. In the email, choose Confirm subscription. You must confirm your subscription to begin receiving CloudWatch notifications. To view CloudWatch alarm status and edit alarms for Amazon Route 53 (console) 1. 2. 3. In the navigation pane of the Amazon Route 53 console, choose Health Checks. Choose the row for any health check. In the details pane (following x Health Checks Selected), choose the right caret ( ) icon. The CloudWatch Alarms list contains all of the Amazon Route 53 alarms that you have created using the current AWS account. API Version 2013-04-01 260 Amazon Route 53 Developer Guide Configuring DNS Failover The State column shows the current status of each alarm: OK CloudWatch has accumulated enough statistics from Amazon Route 53 health checks to determine that the endpoint doesn't meet the alarm threshold. INSUFFICIENT DATA CloudWatch hasn't accumulated enough statistics to determine whether the endpoint meets the alarm threshold. This is the initial state of a new alarm. ALARM CloudWatch has accumulated enough statistics from Amazon Route 53 health checks to determine that the endpoint meets the alarm threshold and to send notification to the specified email address. 4. To view or edit settings for an alarm, choose the name of the alarm. 5. To view an alarm in the CloudWatch console, which provides more detailed information about the alarm (for example, a history of updates to the alarm and changes in status), choose View in the More Options column for the alarm. To view all of the CloudWatch alarms that you have created using the current AWS account, including alarms for other AWS services, choose View All CloudWatch Alarms. To view all of the available CloudWatch metrics, including metrics that aren't currently being used by the current AWS account, choose View All CloudWatch Metrics. 6. 7. To view Amazon Route 53 metrics on the CloudWatch console 1. 2. 3. 4. Sign in to the AWS Management Console and open the CloudWatch console at https:// console.aws.amazon.com/cloudwatch/. Change the current region to US East (N. Virginia). Amazon Route 53 metrics are not available if you select any other region as the current region. In the navigation pane, choose Route 53. Under HealthCheckId, select the check boxes for the applicable metrics. Configuring DNS Failover When you have more than one resource performing the same function—for example, more than one HTTP server or mail server—you can configure Amazon Route 53 to check the health of your resources and respond to DNS queries using only the healthy resources. For example, suppose your website, example.com, is hosted on 10 servers, two each in five data centers around the world. You can configure Amazon Route 53 to check the health of those servers and to respond to DNS queries for example.com using only the servers that are currently healthy. You can set up a variety of failover configurations using Amazon Route 53 alias, weighted, latency, geolocation routing, and failover resource record sets: • Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries. • Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries. API Version 2013-04-01 261 Amazon Route 53 Developer Guide How Health Checks Work in Simple Amazon Route 53 Configurations • Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors. Amazon Route 53 can check the health of your resources in both simple and complex configurations: • In all configurations, you create a group of resource record sets that all have the same name and type, for example, a group of weighted resource record sets for example.com for which the type is A. You then configure Amazon Route 53 to check the health of the corresponding resources. Amazon Route 53 responds to DNS queries based on the health of your resources. For more information, see How Health Checks Work in Simple Amazon Route 53 Configurations (p. 262). • In more complex configurations, you use a combination of alias resource record sets, including weighted alias, latency alias, geolocation alias, and failover alias resource record sets, to create a tree of resource record sets. As with a simple configuration, you configure Amazon Route 53 to check the health of your resources. However, you can also configure the alias resource record sets to respond to the status of alias targets and to skip to another branch in the tree if all of the alias targets in one branch are unhealthy. Complex configurations give you more control over how Amazon Route 53 responds to your requests. For example, you might use latency-based routing to select a region close to a user and use an ELB load balancer within each region to protect against the failure of a single endpoint or an availability zone. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). How Health Checks Work in Simple Amazon Route 53 Configurations The simplest configuration for which checking the health of your resources is useful is when you have two or more resources that are performing the same function. For example, you might have multiple Amazon EC2 servers running HTTP server software responding to requests for the example.com website. In Amazon Route 53, you create a group of resource record sets that have the same name and type, such as weighted resource record sets or latency resource record sets of type A.You create one resource record set for each resource, and you configure Amazon Route 53 to check the health of the corresponding resource. In this configuration, Amazon Route 53 chooses which resource record set will respond to a DNS query for example.com and bases the choice in part on the health of your resources. As long as all of the resources are healthy, Amazon Route 53 responds to queries using all of your example.com weighted resource record sets. When a resource becomes unhealthy, Amazon Route 53 responds to queries using only the healthy resource record sets for example.com. Here's an overview of how you configure Amazon Route 53 to check the health of your resources in this simple configuration and how Amazon Route 53 responds to queries based on the health of your resources: 1. You identify the resources whose health you want Amazon Route 53 to monitor. For example, you might want to monitor all of the HTTP servers that respond to requests for example.com. 2. You create health checks for your resources. A health check tells Amazon Route 53 how to send requests to the endpoint whose health you want to check: which protocol to use (HTTP, HTTPS, or TCP), which IP address and port to use, and, for HTTP/HTTPS health checks, a domain name and path. A common configuration is to create one health check for each resource and to use the same IP address for the health check endpoint as for the resource. If the IP address for your HTTP server is 192.0.2.117, you create a health check for which the IP address is 192.0.2.117. Note Amazon Route 53 cannot check the health of endpoints for which the IP address is in local, private, nonroutable, or multicast ranges. For more information about IP addresses for which API Version 2013-04-01 262 Amazon Route 53 Developer Guide How Health Checks Work in Simple Amazon Route 53 Configurations you cannot create health checks, see RFC 5735, Special Use IPv4 Addresses and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space. 3. 4. 5. For more information about creating health checks by using the Amazon Route 53 console, see Creating, Updating, and Deleting Health Checks (p. 245). For information about creating health checks by using the Route 53 API, see POST CreateHealthCheck in the Amazon Route 53 API Reference. You might need to configure router and firewall rules so that Amazon Route 53 can send regular requests to the endpoints that you specified in your health checks. For more information, see Configuring Router and Firewall Rules for Amazon Route 53 Health Checks (p. 254). You create a group of resource record sets for your resources, for example, a group of weighted resource record sets that all have a type of A. You associate the health checks that you created in step 2 with the corresponding resource record sets. When you're finished, your configuration looks similar to the following diagram: For more information about creating resource record sets by using the Amazon Route 53 console, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). For information about creating resource record sets by using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Amazon Route 53 periodically sends a request to each endpoint that you specified when you created your health checks; it doesn't perform the health check when it receives a DNS query. Based on the responses, Amazon Route 53 decides whether the endpoints are healthy and uses that information to determine how to respond to queries. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). Important Amazon Route 53 doesn't check the health of the resource specified in the resource record set, such as the IP address specified in an A record for example.com. When you associate a health check with a resource record set, Amazon Route 53 begins to check the health of the endpoint that you specified in the health check. 6. Here's what happens when Amazon Route 53 receives a query for example.com: a. b. c. d. Amazon Route 53 chooses a resource record set based on the routing policy. In this case, it chooses a resource record set based on weight. It determines the current health of the selected resource record set by checking the status of the health check for that resource record set. If the selected resource record set is unhealthy, it repeats the process of choosing a resource record set based on the routing policy. This time, the unhealthy resource record set isn't considered. It responds to the query with the selected healthy resource record set. The following example shows a group of weighted resource record sets in which the third resource record set is unhealthy. Initially, Amazon Route 53 selects a resource record set based on the weights of all three resource record sets. If it happens to select the unhealthy resource record set the first time, Amazon API Version 2013-04-01 263 Amazon Route 53 Developer Guide How Health Checks Work in Complex Amazon Route 53 Configurations Route 53 selects another resource record set, but this time it omits the weight of the third resource record set from the calculation: • When Amazon Route 53 initially selects from among all three resource record sets, it responds to requests using the first resource record set about 20% of the time, 10/(10 + 20 + 20). • When Amazon Route 53 determines that the third resource record set is unhealthy, it responds to requests using the first resource record set about 33% of the time, 10/(10 + 20). If you omit a health check from one or more resource record sets in a group of resource record sets, Amazon Route 53 treats those resource record sets as healthy. Amazon Route 53 has no basis for determining the health of the corresponding resource and might choose a resource record set for which the resource is unhealthy. How Health Checks Work in Complex Amazon Route 53 Configurations Checking the health of resources in complex configurations works much the same way as in simple configurations. However, in complex configurations, you use a combination of alias resource record sets (including weighted alias, latency alias, and failover alias) and nonalias resource record sets to build a decision tree that gives you greater control over how Amazon Route 53 responds to requests. For more information, see How Health Checks Work in Simple Amazon Route 53 Configurations (p. 262). For example, you might use latency alias resource record sets to select a region close to a user and use weighted resource record sets for two or more resources within each region to protect against the failure of a single endpoint or an Availability Zone. The following diagram shows this configuration. API Version 2013-04-01 264 Amazon Route 53 Developer Guide How Health Checks Work in Complex Amazon Route 53 Configurations Here's how Amazon EC2 and Amazon Route 53 are configured: • You have Amazon EC2 instances in two regions, us-east-1 and ap-southeast-2. You want Amazon Route 53 to respond to queries by using the resource record sets in the region that provides the lowest latency for your customers, so you create a latency alias resource record set for each region. (You create the latency alias resource record sets after you create resource record sets for the individual Amazon EC2 instances.) • Within each region, you have two Amazon EC2 instances. You create a weighted resource record set for each instance. The name and the type are the same for both of the weighted resource record sets in each region. When you have multiple resources in a region, you can create weighted or failover resource record sets for your resources. You can also create even more complex configurations by creating weighted alias or failover alias resource record sets that, in turn, refer to multiple resources. • Each weighted resource record set has an associated health check. The IP address for each health check matches the IP address for the corresponding resource record set. This isn't required, but it's the most common configuration. • For both latency alias resource record sets, you set the value of Evaluate Target Health to Yes. You use the Evaluate Target Health setting for each latency alias resource record set to make Amazon Route 53 evaluate the health of the alias targets—the weighted resource record sets—and respond accordingly. API Version 2013-04-01 265 Amazon Route 53 Developer Guide How Health Checks Work in Complex Amazon Route 53 Configurations The preceding diagram illustrates the following sequence of events: 1. 2. 3. 4. 5. Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource record set for the us-east-1 region. Amazon Route 53 selects a weighted resource record set based on weight. Evaluate Target Health is Yes for the latency alias resource record set, so Amazon Route 53 checks the health of the selected weighted resource record set. The health check failed, so Amazon Route 53 chooses another weighted resource record set based on weight and checks its health. That resource record set also is unhealthy. Amazon Route 53 backs out of that branch of the tree, looks for the latency alias resource record set with the next-best latency, and chooses the resource record set for ap-southeast-2. Amazon Route 53 again selects a resource record set based on weight, and then checks the health of the selected resource record set. The health check passed, so Amazon Route 53 returns the applicable value in response to the query. Topics • What Happens When You Associate a Health Check with an Alias Resource Record Set? (p. 266) • What Happens When You Omit Health Checks? (p. 267) • What Happens When You Set Evaluate Target Health to No? (p. 268) What Happens When You Associate a Health Check with an Alias Resource Record Set? You can associate a health check with an alias resource record set instead of or in addition to setting the value of Evaluate Target Health to Yes. However, it's generally more useful if Amazon Route 53 responds API Version 2013-04-01 266 Amazon Route 53 Developer Guide How Health Checks Work in Complex Amazon Route 53 Configurations to queries based on the health of the underlying resources—the HTTP servers, database servers, and other resources that your alias resource record sets refer to. For example, suppose the following configuration: • You assign a health check to a latency alias resource record set for which the alias target is a group of weighted resource record sets. • You set the value of Evaluate Target Health to Yes for the latency alias resource record set. In this configuration, both of the following must be true before Amazon Route 53 will return the applicable value for a weighted resource record set: • The health check associated with the latency alias resource record set must pass. • At least one weighted resource record set must be considered healthy, either because it's associated with a health check that passes or because it's not associated with a health check. In the latter case, Amazon Route 53 always considers the weighted resource record set healthy. If the health check for the latency alias resource record set fails, Amazon Route 53 stops responding to queries using any of the weighted resource record sets in the alias target, even if they're all healthy. Amazon Route 53 doesn't know the status of the weighted resource record sets because it never looks past the failed health check on the alias resource record set. What Happens When You Omit Health Checks? In a complex configuration, it's important to associate health checks with all of the non-alias resource record sets. Let's return to the preceding example, but assume that a health check is missing on one of the weighted resource record sets in the us-east-1 region: API Version 2013-04-01 267 Amazon Route 53 Developer Guide How Health Checks Work in Complex Amazon Route 53 Configurations Here's what happens when you omit a health check on a non-alias resource record set in this configuration: 1. 2. 3. Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource record set for the us-east-1 region. Amazon Route 53 looks up the alias target for the latency alias resource record set, and checks the status of the corresponding health checks. The health check for one weighted resource record set failed, so that resource record set is omitted from consideration. The other weighted resource record set in the alias target for the us-east-1 region has no health check. The corresponding resource might or might not be healthy, but without a health check, Amazon Route 53 has no way to know. Amazon Route 53 assumes that the resource is healthy and returns the applicable value in response to the query. What Happens When You Set Evaluate Target Health to No? In general, you also want to set Evaluate Target Health to Yes for all of the alias resource record sets. In the following example, all of the weighted resource record sets have associated health checks, but Evaluate Target Health is set to No for the latency alias resource record set for the us-east-1 region: API Version 2013-04-01 268 Amazon Route 53 Developer Guide Task List for Configuring DNS Failover Here's what happens when you set Evaluate Target Health to No for an alias resource record set in this configuration: 1. 2. 3. Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource record set for the us-east-1 region. Amazon Route 53 determines what the alias target is for the latency alias resource record set, and checks the corresponding health checks. They're both failing. Because the value of Evaluate Target Health is No for the latency alias resource record set for the us-east-1 region, Amazon Route 53 must choose one resource record set in this branch instead of backing out of the branch and looking for a healthy resource record set in the ap-southeast-2 region. Task List for Configuring DNS Failover To use Amazon Route 53 to configure DNS failover, perform the following tasks: 1. Draw a complete diagram of your configuration, and indicate which type of resource record set you're creating (weighted alias, failover, weighted, and so on) for each node: • In a simple configuration, your diagram will include only weighted, latency, geolocation, or failover resource record sets; it won't include any alias resource record sets. • In a complex configuration, your diagram will include a combination of alias resource record sets (weighted alias, latency alias, geolocation alias, and/or failover alias) and non-alias resource record sets in a multi-level tree like the examples in the topic How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). API Version 2013-04-01 269 Amazon Route 53 Developer Guide Configuring Failover in a Private Hosted Zone 2. Create health checks for each Amazon EC2 server and each non-AWS resource, such as an email server running in your data center, that you want to include in your configuration. You'll associate these health checks with your non-alias resource record sets. For more information, see Creating, Updating, and Deleting Health Checks (p. 245). 3. Create all of the non-alias resource record sets in your diagram, and associate the health checks that you created in step 2 with the applicable resource record sets. You can associate health checks with resource record sets by using the Amazon Route 53 console or the Amazon Route 53 API. For more information, see the applicable documentation: • Using the Amazon Route 53 console: See Working with Resource Record Sets (p. 178). • Using the Amazon Route 53 API: See POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. Note To quickly and easily create resource record sets for complex routing configurations and associate the resource record sets with health checks, you can use the traffic flow visual editor and save the configuration as a traffic policy. You can then associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. In addition, you can roll back the updates if the new configuration isn't performing as you expected it to. For more information, see Using Traffic Flow to Route DNS Traffic (p. 234). 4. 5. If you're configuring DNS failover in a simple configuration, with no alias resource record sets, skip the remaining tasks. Starting at the bottom of the tree diagram that you created in step 1, create the alias resource record sets (including weighted, latency, geolocation routing, and failover alias resource record sets) for which the alias target is one of the resource record sets that you created in step 3. If you want Amazon Route 53 to try another branch of the tree when all of the non-alias resource record sets are unhealthy in a branch of your tree, set the value of Evaluate Target Health to Yes for each of your alias resource record sets. If your tree diagram includes nodes for which you have not yet created alias resource record sets, create the remaining alias resource record sets, working from the bottom of the tree toward the top. Remember that you cannot create an alias resource record set if the alias target resource record set doesn't exist yet. Configuring Failover in a Private Hosted Zone If you're creating failover resource record sets in a private hosted zone, note the following: • Amazon Route 53 health checkers are outside the VPC. To check the health of an endpoint within a VPC by IP address, you must assign a public IP address to the instance in the VPC. • You can configure a health checker to check the health of an external resource that the instance relies on, such as a database server. • You can create a CloudWatch metric, associate an alarm with the metric, and then create a health check that is based on the state of the alarm. For example, you might create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm. For information about creating CloudWatch metrics and alarms by using the CloudWatch console, see the Amazon CloudWatch Developer Guide. For more information, see the following topics: API Version 2013-04-01 270 Amazon Route 53 Developer Guide Options for Configuring Amazon Route 53 Active-Active and Active-Passive Failover • Working with Private Hosted Zones (p. 171) • Creating and Updating Health Checks (p. 246) • Working with Resource Record Sets (p. 178) Options for Configuring Amazon Route 53 Active-Active and Active-Passive Failover You can configure Amazon Route 53 failover in a variety of ways by using different combinations of Amazon Route 53 resource record sets. The following sections give a brief overview of how you can configure simple active-active and active-passive failover.You can also create more complex configurations by combining types of resource record sets in a larger tree. For more information, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). Topics • Configuring Active-Active or Active-Passive Failover by Using Amazon Route 53 Weighted and Weighted Alias Resource Record Sets (p. 271) • Configuring Active-Active Failover by Using Amazon Route 53 Latency and Latency Alias Resource Record Sets (p. 272) • Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets (p. 273) Configuring Active-Active or Active-Passive Failover by Using Amazon Route 53 Weighted and Weighted Alias Resource Record Sets If you add health checks to all of the resource record sets in a group of weighted resource record sets, and you assign nonzero weights to all of the resource record sets, the Amazon Route 53 behavior results in an active-active failover configuration. Any resource can be returned at any time in response to a DNS query unless it's unhealthy. Here's how Amazon Route 53 chooses a healthy resource record set: 1. 2. 3. Amazon Route 53 selects a weighted resource record set based on the weights that you've assigned to the resource record sets that have the same name and type. Amazon Route 53 checks the current status of the health check that you associated with that resource record set. (Amazon Route 53 periodically checks the health of the endpoint that is specified in a health check; it doesn't perform the health check when the DNS query arrives.) If the health check endpoint is healthy, Amazon Route 53 responds to the query with the applicable value from the resource record set, such as an IP address. If the health check endpoint is not healthy, Amazon Route 53 selects another weighted resource record set and repeats the process until it finds a resource record set for which the health check endpoint is healthy. If you add health checks to all of the resource record sets in a group of weighted resource record sets, but you give nonzero weights to some resource record sets and zero weights to others, the Amazon Route 53 behavior results in an active-passive failover configuration. (If you want an active-passive failover configuration, we recommend that you use failover resource record sets. For more information, see Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets (p. 273).) Health checks in this configuration work the same as in the active-active configuration—when all resource record sets have nonzero weights—with the following exceptions: API Version 2013-04-01 271 Amazon Route 53 Developer Guide Options for Configuring Amazon Route 53 Active-Active and Active-Passive Failover • Amazon Route 53 initially considers only the nonzero weighted resource record sets, if any. • If all of the resource record sets that have a weight greater than 0 are unhealthy, then Amazon Route 53 considers the zero-weighted resource record sets. If a resource record set in a group of weighted resource record sets doesn't have an associated health check, Amazon Route 53 always considers it healthy and always includes it among possible responses to a query. If none of the resource record sets in the group of weighted resource record sets are healthy, Amazon Route 53 needs to return something in response to DNS queries, but it has no basis for choosing one resource record set over another. In this circumstance, Amazon Route 53 considers all of the resource record sets in the group to be healthy and selects one based on their assigned weights, omitting the resource record sets that have a weight of 0. You can also use weighted alias resource record sets to configure active-active or active-passive failover. Weighting works the same way as with weighted resource record sets, but the health of a weighted alias resource record set depends on the health of the alias target or targets. For example, suppose the alias target for a weighted alias resource record set is a group of weighted resource record sets that all have nonzero weights. As long as at least one of the weighted resource record sets is healthy, Amazon Route 53 considers the weighted alias resource record set to be healthy. If none of the weighted resource record sets is healthy, Amazon Route 53 considers the weighted alias resource record set to be unhealthy. Amazon Route 53 stops considering resource record sets in that branch of the tree until at least one weighted resource record set becomes healthy again. For more information about weighted resource record sets, see Weighted Routing (p. 179). Configuring Active-Active Failover by Using Amazon Route 53 Latency and Latency Alias Resource Record Sets If you add health checks to all of the resource record sets in a group of latency resource record sets, the Amazon Route 53 behavior results in an active-active failover configuration. Amazon Route 53 considers the health and the latency of the resource record sets when choosing the resource record set with which to respond to DNS queries: 1. 2. 3. Amazon Route 53 selects a latency resource record set based on the latency between your users and the Amazon EC2 regions in which you have resources. Amazon Route 53 checks the current status of the health check that you associated with that resource record set. (Amazon Route 53 periodically checks the health of the endpoint that is specified in a health check; it doesn't perform the health check when the DNS query arrives.) If the health check endpoint is healthy, Amazon Route 53 responds to the query with the applicable value from the resource record set, for example, an IP address. If the health check endpoint is not healthy, Amazon Route 53 selects the latency resource record set with the next-best latency and repeats the process until it finds a resource record set for which the health check endpoint is healthy. If a resource record set in a group of latency resource record sets doesn't have a health check, Amazon Route 53 always considers it healthy and always includes it among possible responses to a query. If none of the resource record sets in a latency resource record set are healthy, Amazon Route 53 needs to return something in response to DNS queries, but it has no basis for choosing one resource record set over another. In this circumstance, Amazon Route 53 considers all of these resource record sets healthy and selects a resource record set based on the latency between the user and each region. API Version 2013-04-01 272 Amazon Route 53 Developer Guide Options for Configuring Amazon Route 53 Active-Active and Active-Passive Failover You can also use latency alias resource record sets to configure active-active failover. Assuming that you set Evaluate Target Health to true for all of your latency alias resource record sets, the health of a latency alias resource record set depends on the health of the alias target or targets. For example, suppose the alias target for a latency alias resource record set is a group of weighted resource record sets that all have nonzero weights. As long as at least one of the weighted resource record sets is healthy, Amazon Route 53 considers the latency alias resource record set to be healthy. If none of the weighted resource record sets is healthy, Amazon Route 53 considers the latency alias resource record set to be unhealthy. Amazon Route 53 stops considering resource record sets for that region (in that branch of the tree) until at least one weighted resource record set becomes healthy again. For a more detailed explanation of this configuration, see How Health Checks Work in Complex Amazon Route 53 Configurations (p. 264). For more information about latency resource record sets, see Latency-Based Routing (p. 180). Configuring Active-Passive Failover by Using Amazon Route 53 Failover and Failover Alias Resource Record Sets You can create an active-passive failover configuration by using failover resource record sets. You create a primary and a secondary failover resource record set that have the same name and type, and you associate a health check with each. The primary and secondary failover resource record sets can refer to anything from an Amazon S3 bucket that is configured as a website to a complex tree of resource record sets. When all of the resources that are referenced by the primary failover resource record set are unhealthy, Amazon Route 53 automatically begins responding to queries by using the resources that are referenced by the secondary failover resource record set. For example, you might create a pair of failover resource record sets for example.com. After the configuration is complete, Amazon Route 53 responds to queries for example.com based on the health of the endpoints that you associated with the primary and secondary resource record sets. If you associate health checks with both the primary and secondary failover resource record sets, here's how Amazon Route 53 responds to requests: • If Amazon Route 53 considers the primary resource record set healthy (if the health check endpoint is healthy), Amazon Route 53 returns only the primary resource record set in response to a DNS query. • If Amazon Route 53 considers the primary resource record set unhealthy and the secondary resource record set healthy, Amazon Route 53 returns the secondary resource record set instead. • If Amazon Route 53 considers both the primary and secondary resource record sets unhealthy, Amazon Route 53 returns the primary resource record set. When you're configuring the secondary resource record set, adding a health check is optional. If you omit the health check for the secondary resource record set, and if the health check endpoint for the primary resource record set is unhealthy, Amazon Route 53 always responds to DNS queries by using the secondary resource record set. This is true even if the secondary is unhealthy. When there is no health check on the secondary resource record set, Amazon Route 53 doesn't know that the associated resource is unhealthy and always assumes that it's healthy. Use failover resource record sets when you have two resources and you want one of the resources to handle all requests whenever it's available. For example, you might have two HTTP servers running on Amazon EC2 servers in different regions, and you want Amazon Route 53 to respond to queries with the IP address of the HTTP server in the US West (Oregon) region whenever that server is available. You specify that server in the primary failover resource record set, and you specify the server in the US West (N. California) region in the secondary failover resource record set. Use failover alias resource record sets when you have two groups of resource record sets (for example, groups of weighted or latency resource record sets), and you want Amazon Route 53 to respond to queries using resources in the primary group as long as at least one of those resources is available. If health checks for all of the resources in the primary group are failing, Amazon Route 53 will begin to respond to queries using resources in the secondary group. API Version 2013-04-01 273 Amazon Route 53 Developer Guide How Amazon Route 53 Averts Failover Problems You can also combine a failover resource record set and a failover alias resource record set. Either resource record set, the primary or the secondary, can be the failover alias resource record set. For example, you might create a failover resource record set for a single HTTP server, and create a failover alias resource record set for an Amazon S3 bucket that is configured as a website; in this configuration, the Amazon S3 bucket might only display a message saying that your website is unavailable. You can create failover and failover alias resource record sets using the Amazon Route 53 console or the Amazon Route 53 API. For information about using the console, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). For information about using the Amazon Route 53 API, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. How Amazon Route 53 Averts Failover Problems The failover algorithms implemented by Amazon Route 53 are designed not only to route traffic to endpoints that are healthy, but also to avoid making disaster scenarios worse due to misconfigured health checks and applications, endpoint overloads, and partition failures. How Amazon Route 53 Averts Cascading Failures As a first defense against cascading failures, each request routing algorithm (weighted, latency, geolocation routing, and failover) has a mode of last resort. In this special mode, when all resource record sets are considered unhealthy, the Amazon Route 53 algorithm reverts to considering all resource record sets healthy. For example, if all instances of an application, on several hosts, are rejecting health check requests, Amazon Route 53 DNS servers will choose an answer anyway and return it rather than returning no DNS answer or returning an NXDOMAIN (non-existent domain) response. An application can respond to users but still fail health checks, so this provides some protection against misconfiguration. Similarly, if an application is overloaded, and one out of three endpoints fails its health checks, so that it's excluded from Amazon Route 53 DNS responses, Amazon Route 53 distributes responses between the two remaining endpoints. If the remaining endpoints are unable to handle the additional load and they fail, Amazon Route 53 reverts to distributing requests to all three endpoints. How Amazon Route 53 Handles Internet Partitions Although uncommon, there are occasionally significant Internet partitions, meaning that large geographic regions can't communicate with one another over the Internet. During these partitions, Amazon Route 53 locations might reach different conclusions about the health status of an endpoint and might differ from the status reported to CloudWatch. Amazon Route 53 health checkers in each AWS region are constantly sending health check statuses to all Amazon Route 53 locations. During Internet partitions, each Amazon Route 53 location might have access only to a partial set of these statuses, usually from its closest regions. For example, during an Internet partition that affects connectivity to and from South America, the Amazon Route 53 DNS servers in the Amazon Route 53 South America (São Paulo) location might have good access to the health check endpoints in the South America (São Paulo) AWS region, but poor access to endpoints elsewhere. At the same time, Amazon Route 53 in US East (N.Virginia) might have poor access to health check endpoints in the South America (São Paulo) region, and conclude that the corresponding resource record sets are unhealthy. Partitions such as these can give rise to situations where Amazon Route 53 locations make different conclusions about the health status of endpoints, based on their local visibility of those endpoints. This is why each Amazon Route 53 location considers an endpoint healthy when only a portion of reachable health checkers consider it healthy. API Version 2013-04-01 274 Amazon Route 53 Developer Guide Naming and Tagging Health Checks Naming and Tagging Health Checks You can add tags to Amazon Route 53 health checks, which lets you give each health check a name that is more comprehensible than the health check ID. These are the same tags that AWS Billing and Cost Management provides for organizing your AWS bill to reflect your own cost structure. For more information about using tags for cost allocation, see Use Cost Allocation Tags for Custom Billing Reports in the AWS Billing and Cost Management User Guide. Each tag consists of a key (the name of the tag) and a value, both of which you define. When you add tags to a health check, we recommend that you add one tag for which the key is Name and the value is the name that you want to give to the health check. The value of the Name tag appears in the list of health checks in the Amazon Route 53 console, which lets you readily distinguish health checks from one another. You can view other tags in the console, but you need to select a health check to see tags other than the Name tag. For more information about tags, see the following topics: • To add, edit, or delete the Name tag when you add or edit health checks in the Amazon Route 53 console, see Creating, Updating, and Deleting Health Checks (p. 245). • To add, edit, or delete tags for health checks and hosted zones by using the Amazon Route 53 API, see POST ChangeTagsForResource in the Amazon Route 53 API Reference. • For an overview of tagging Amazon Route 53 resources, see Tagging Amazon Route 53 Resources (p. 302). Tag Restrictions The following basic restrictions apply to tags: • • • • Maximum number of tags per resource – 10 Maximum Key length – 128 Unicode characters Maximum Value length – 256 Unicode characters Valid values for Key and Value – uppercase and lowercase letters in the UTF-8 character set, numbers, space, and the following characters: _ . : / = + - and @ • Tag keys and values are case sensitive • Don't use the aws: prefix for either keys or values; it's reserved for AWS use Adding, Editing, and Deleting Tags for Health Checks The following procedures show you how to use tags for your health checks in the Amazon Route 53 console. To add tags to health checks 1. 2. 3. 4. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. Select a health check, or select multiple health checks if you want to add the same tag to more than one health check. In the bottom pane, choose the Tags tab, and then choose Add/Edit Tags. API Version 2013-04-01 275 Amazon Route 53 Developer Guide Using API Versions Before 2012-12-12 5. 6. In the Add/Edit Tags dialog box, enter a name for the tag in the Key field, and enter a value in the Value field. Choose Apply changes. To edit tags for health checks 1. 2. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. 3. Select a health check. If you select multiple health checks that share the same tag, you cannot edit the value for all the tags simultaneously. Note, however, that you can edit the value of a tag that appears in multiple health checks if you select health checks that have the tag and at least one than doesn't. 4. 5. 6. For example, suppose you select multiple health checks that have a Cost Center tag and one that doesn't. You choose the option to add a tag, and you specify Cost Center for the key and 777 for the value. For the selected health checks that already have a Cost Center tag, Amazon Route 53 changes the value to 777. For the one health check that doesn't have a Cost Center tag, Amazon Route 53 adds one and sets the value to 777. In the bottom pane, choose the Tags tab, and then choose Add/Edit Tags. In the Add/Edit Tags dialog box, edit the value. Choose Save. To delete tags for health checks 1. 4. 5. Sign in to the AWS Management Console and open the Amazon Route 53 console at https:// console.aws.amazon.com/route53/. In the navigation pane, choose Health Checks. Select a health check, or select multiple health checks if you want to delete the same tag from more than one health check. In the bottom pane, choose the Tags tab, and then choose Add/Edit Tags. In the Add/Edit Tags dialog box, choose the X next to the tag that you want to delete. 6. Choose Save. 2. 3. Using Health Checks with Amazon Route 53 API Versions Earlier than 2012-12-12 Health checks are supported starting with the 2012-12-12 version of the Amazon Route 53 API. If a hosted zone contains resource record sets for which health checks are configured, we recommend that you use only the 2012-12-12 API or later. Note the following restrictions on using health checks with earlier API versions. • The ChangeResourceRecordSets action cannot create or delete resource record sets that include the EvaluateTargetHealth, Failover, or HealthCheckId elements. • The ListResourceRecordSets action can list resource record sets that include these elements, but the elements are not included in the output. Instead, the Value element of the response contains a message that says the resource record set includes an unsupported attribute. API Version 2013-04-01 276 Amazon Route 53 Developer Guide Authentication Authentication and Access Control for Amazon Route 53 To perform any operation on Amazon Route 53 resources, such as registering a domain or updating a resource record set, AWS Identity and Access Management (IAM) requires you to authenticate that you're an approved AWS user. If you're using the Amazon Route 53 console, you authenticate your identity by providing your AWS user name and a password. If you're accessing Amazon Route 53 programmatically, your application authenticates your identity for you by using access keys or by signing requests. After you authenticate your identity, IAM controls your access to AWS by verifying that you have permissions to perform operations and to access resources. If you are an account administrator, you can use IAM to control the access of other users to the resources that are associated with your account. This chapter explains how to use IAM and Amazon Route 53 to help secure your resources. Topics • Authentication (p. 277) • Access Control (p. 278) Authentication You can access AWS as any of the following types of identities: • AWS account root user – When you sign up for AWS, you provide an email address and password that is associated with your AWS account. These are your root credentials and they provide complete access to all of your AWS resources. Important For security reasons, we recommend that you use the root credentials only to create an administrator user, which is an IAM user with full permissions to your AWS account. Then, you can use this administrator user to create other IAM users and roles with limited permissions. For more information, see IAM Best Practices and Creating an Admin User and Group in the IAM User Guide. • IAM user – An IAM user is simply an identity within your AWS account that has specific custom permissions (for example, permissions to create a hosted zone in Amazon Route 53). You can use an API Version 2013-04-01 277 Amazon Route 53 Developer Guide Access Control IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center. In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use the AWS tools, you must sign the request yourself. Amazon Route 53 supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference. • IAM role – An IAM role is another IAM identity you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations: • Federated user access – Instead of creating an IAM user, you can use preexisting user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide. • Cross-account access – You can use an IAM role in your account to grant another AWS account permissions to access your account’s resources. For an example, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide. • AWS service access – You can use an IAM role in your account to grant an AWS service permissions to access your account’s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data stored in the bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide. • Applications running on Amazon EC2 – Instead of storing access keys within the EC2 instance for use by applications running on the instance and making AWS API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an AWS role to an EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide. Access Control To create, update, delete, or list Amazon Route 53 resources, you need permissions to perform the operation, and you need permission to access the corresponding resources. In addition, to perform the operation programmatically, you need valid access keys. The following sections describe how to manage permissions for Amazon Route 53. We recommend that you read the overview first. API Version 2013-04-01 278 Amazon Route 53 Developer Guide Overview of Managing Access • Overview of Managing Access Permissions to Your Amazon Route 53 Resources (p. 279) • Using Identity-Based Policies (IAM Policies) for Amazon Route 53 (p. 283) • Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference (p. 288) Overview of Managing Access Permissions to Your Amazon Route 53 Resources Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. Note An account administrator (or administrator user) is a user that has administrator privileges. For more information about administrators, see IAM Best Practices in the IAM User Guide. When you grant permissions, you decide who gets the permissions, the resources they get permissions for, and the actions that they get permissions to perform. Topics • ARNs for Amazon Route 53 Resources (p. 279) • Understanding Resource Ownership (p. 280) • Managing Access to Resources (p. 280) • Specifying Policy Elements: Resources, Actions, Effects, and Principals (p. 282) • Specifying Conditions in a Policy (p. 282) ARNs for Amazon Route 53 Resources Amazon Route 53 supports a variety of resource types for DNS, health checking, and domain registration. Most of these resources have unique Amazon Resource Names (ARNs). In a policy, you use an ARN to identify the resource that the policy applies to. The following table shows the resource types and their ARN formats. Resource Type ARN Format Health Checks arn:aws:route53:::healthcheck/health check id Hosted Zones arn:aws:route53:::hostedzone/hosted zone id Geolocations (used when creating geolocation resource record sets) arn:aws:route53:::geolocation Traffic Policies arn:aws:route53:::trafficpolicy/traffic policy id Traffic Policy Instances arn:aws:route53:::trafficpolicyinstance/traffic policy instance id Reusable Delegation Sets arn:aws:route53:::delegationset/delegation set id Status of a Resource Record Set Change Batch (API only) arn:aws:route53:::change/change id API Version 2013-04-01 279 Amazon Route 53 Developer Guide Understanding Resource Ownership Note Not all Amazon Route 53 resources support permissions. You can't grant or deny access to the following resources: • Domains • Individual resource record sets • Tags for domains • Tags for health checks • Tags for hosted zones Amazon Route 53 provides API actions to work with each of these types of resources. For more information, see the Amazon Route 53 API Reference. For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference (p. 288). Understanding Resource Ownership An AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the root account, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works: • If you use the root account credentials of your AWS account to create a hosted zone, your AWS account is the owner of the resource. • If you create an IAM user in your AWS account and grant permissions to create a hosted zone to that user, the user can create a hosted zone. However, your AWS account, to which the user belongs, owns the hosted zone resource. • If you create an IAM role in your AWS account with permissions to create a hosted zone, anyone who can assume the role can create a hosted zone. Your AWS account, to which the role belongs, owns the hosted zone resource. Managing Access to Resources A permissions policy specifies who has access to what. This section explains the options for creating permissions policies for Amazon Route 53. For general information about IAM policy syntax and descriptions, see the AWS IAM Policy Reference in the IAM User Guide. Policies attached to an IAM identity are referred to as identity-based policies (IAM policies), and policies attached to a resource are referred to as resource-based policies. Amazon Route 53 supports only identity-based policies (IAM policies). Topics • Identity-Based Policies (IAM Policies) (p. 280) • Resource-Based Policies (p. 282) Identity-Based Policies (IAM Policies) You can attach policies to IAM identities. For example, you can do the following: • Attach a permissions policy to a user or a group in your account – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create Amazon Route 53 resources. API Version 2013-04-01 280 Amazon Route 53 Developer Guide Managing Access to Resources • Attach a permissions policy to a role (grant cross-account permissions) – You can grant permission to perform Amazon Route 53 actions to a user that was created by another AWS account. To do so, you attach a permissions policy to an IAM role, and then you allow the user in the other account to assume the role. The following example explains how this works for two AWS accounts, account A and account B: 1. Account A administrator creates an IAM role and attaches to the role a permissions policy that grants permissions to create or access resources that are owned by account A. 2. Account A administrator attaches a trust policy to the role. The trust policy identifies account B as the principal that can assume the role. 3. Account B administrator can then delegate permissions to assume the role to users or groups in Account B. This allows users in account B to create or access resources in account A. For more information about how to delegate permissions to users in another AWS account, see Access Management in the IAM User Guide. The following example policy allows a user to perform the CreateHostedZone action to create a public hosted zone for any AWS account: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "route53:CreateHostedZone" ], "Resource":"arn:aws:route53:::hostedzone/*" } ] } If you want the policy to also apply to private hosted zones, you need to grant permissions to use the Amazon Route 53 AssociateVPCWithHostedZone action and two Amazon EC2 actions, DescribeVpcs and DescribeRegion, as shown in the following example: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "route53:CreateHostedZone", "route53:AssociateVPCWithHostedZone", ], "Resource":"arn:aws:route53:::hostedzone/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeRegion" ], "Resource":"*" }, API Version 2013-04-01 281 Amazon Route 53 Developer Guide Specifying Policy Elements: Resources, Actions, Effects, and Principals ] } For more information about attaching policies to identities for Amazon Route 53, see Using Identity-Based Policies (IAM Policies) for Amazon Route 53 (p. 283). For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide. Resource-Based Policies Other services, such as Amazon S3, also support attaching permissions policies to resources. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Route 53 doesn't support attaching policies to resources. Specifying Policy Elements: Resources, Actions, Effects, and Principals Amazon Route 53 includes API actions (see the Amazon Route 53 API Reference) that you can use on each Amazon Route 53 resource (see ARNs for Amazon Route 53 Resources (p. 279)). You can grant a user or a federated user permissions to perform any or all of these actions. Note that some API actions, such as registering a domain, require permissions to perform more than one action. The following are the basic policy elements: • Resource – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information, see ARNs for Amazon Route 53 Resources (p. 279). • Action – You use action keywords to identify resource operations that you want to allow or deny. For example, depending on the specified Effect, the route53:CreateHostedZone permission allows or denies a user the ability to perform the Amazon Route 53 CreateHostedZone action. • Effect – You specify the effect, either allow or deny, when a user tries to perform the action on the specified resource. If you don't explicitly grant access to an action, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access. • Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Amazon Route 53 doesn't support resource-based policies. For more information about IAM policy syntax and descriptions, see the AWS IAM Policy Reference in the IAM User Guide. For a list showing all of the Amazon Route 53 API operations and the resources that they apply to, see Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference (p. 288). Specifying Conditions in a Policy When you grant permissions, you can use the IAM policy language to specify when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see Condition in the IAM User Guide. To express conditions, you use predefined condition keys. There are no condition keys specific to Amazon Route 53. However, there are AWS-wide condition keys that you can use as needed. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide. API Version 2013-04-01 282 Amazon Route 53 Developer Guide Using IAM Policies for Amazon Route 53 Using Identity-Based Policies (IAM Policies) for Amazon Route 53 This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon Route 53 resources. Important We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Amazon Route 53 resources. For more information, see Overview of Managing Access Permissions to Your Amazon Route 53 Resources (p. 279). Topics • Permissions Required to Use the Amazon Route 53 Console (p. 284) • AWS Managed (Predefined) Policies for Amazon Route 53 (p. 286) • Customer Managed Policy Examples (p. 286) The following example shows a permissions policy. The Sid, or statement ID, is optional: { "Version": "2012-10-17", "Statement": [ { "Sid" : "AllowPublicHostedZonePermissions", "Effect": "Allow", "Action": [ "route53:CreateHostedZone", "route53:UpdateHostedZoneComment", "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:GetHostedZoneCount", "route53:DeleteHostedZone", "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*" }, { "Sid": "AllowGeoResourceRecordSets", "Effect": "Allow", "Action": [ "route53:GetGeoLocation", "route53:ListGeoLocations" ], "Resource": "arn:aws:route53:::geolocation/*" }, { "Sid" : "AllowHealthCheckPermissions", "Effect": "Allow", "Action": [ "route53:CreateHealthCheck", "route53:UpdateHealthCheck", "route53:GetHealthCheck", API Version 2013-04-01 283 Amazon Route 53 Developer Guide Permissions Required to Use the Amazon Route 53 Console "route53:ListHealthChecks", "route53:DeleteHealthCheck", "route53:GetCheckerIpRanges", "route53:GetHealthCheckCount", "route53:GetHealthCheckStatus", "route53:GetHealthCheckLastFailureReason" ], "Resource": "arn:aws:route53:::healthcheck/*" } ] } The policy includes three statements: • The first statement grants permissions to all the actions required to create and manage public hosted zones and their resource record sets. The wildcard character (*) in the Amazon Resource Name (ARN) grants access to all the hosted zones that are owned by the current AWS account. • The second statement grants permissions to the actions that are required to create geolocation resource record sets. • The third statement grants permissions to all the actions that are required to create and manage health checks. For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference (p. 288). Permissions Required to Use the Amazon Route 53 Console To grant full access to the Amazon Route 53 console, you grant the permissions in the following permissions policy: { "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "route53:*", "route53domains:*", "cloudfront:ListDistributions", "elasticloadbalancing:DescribeLoadBalancers", "elasticbeanstalk:DescribeEnvironments", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketWebsiteConfiguration", "ec2:DescribeVpcs", "ec2:DescribeRegions", "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:GetMetricStatistics" API Version 2013-04-01 284 Amazon Route 53 Developer Guide Permissions Required to Use the Amazon Route 53 Console ], "Resource":"*" } ] } Here's why the permissions are required: route53:* Lets you perform all Amazon Route 53 actions except the following: • Create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution, an Elastic Load Balancing load balancer, an Elastic Beanstalk environment, or an Amazon S3 bucket. (With these permissions, you can create alias resource records sets for which the value of Alias Target is another resource record set in the same hosted zone.) • Work with private hosted zones. • Work with domains. • Create, delete, and view CloudWatch alarms. • Render CloudWatch metrics in the Amazon Route 53 console. route53domains:* Lets you work with domains. Important If you list route53 actions individually, you must include route53:CreateHostedZone to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permission to create hosted zones. For domain registration, Amazon Route 53 doesn't support granting or denying permissions to individual resources. cloudfront:ListDistributions Lets you create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution. These permissions aren't required if you aren't using the Amazon Route 53 console. Amazon Route 53 uses it only to get a list of distributions to display in the console. elasticloadbalancing:DescribeLoadBalancers Lets you create and update alias resource record sets for which the value of Alias Target is an ELB load balancer. These permissions aren't required if you aren't using the Amazon Route 53 console. Amazon Route 53 uses it only to get a list of load balancers to display in the console. elasticbeanstalk:DescribeEnvironments Lets you create and update alias resource record sets for which the value of Alias Target is an Elastic Beanstalk environment. These permissions aren't required if you aren't using the Amazon Route 53 console. Amazon Route 53 uses it only to get a list of environments to display in the console. s3:ListBucket, s3:GetBucketLocation, and s3:GetBucketWebsiteConfiguration Let you create and update alias resource record sets for which the value of Alias Target is an Amazon S3 bucket. (You can create an alias to an Amazon S3 bucket only if the bucket is configured as a website endpoint; s3:GetBucketWebsiteConfiguration gets the required configuration information.) These permissions aren't required if you aren't using the Amazon Route 53 console. Amazon Route 53 uses it only to get a list of buckets to display in the console. API Version 2013-04-01 285 Amazon Route 53 Developer Guide AWS Managed (Predefined) Policies for Amazon Route 53 ec2:DescribeVpcs and ec2:DescribeRegions Let you work with private hosted zones. sns:ListTopics, sns:ListSubscriptionsByTopic, sns:CreateTopic, cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms Let you create, delete, and view CloudWatch alarms. cloudwatch:GetMetricStatistics Lets you create CloudWatch metric health checks. These permissions aren't required if you aren't using the Amazon Route 53 console. Amazon Route 53 uses it only to get statistics to display in the console. AWS Managed (Predefined) Policies for Amazon Route 53 AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS.These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide. For Amazon Route 53, IAM provides four managed policies: • AmazonRoute53FullAccess – Grants full access to Amazon Route 53 resources. • AmazonRoute53ReadOnlyAccess – Grants read-only access to Amazon Route 53 resources. • AmazonRoute53DomainsFullAccess – Grants full access to Amazon Route 53 domain registration resources. • AmazonRoute53DomainsReadOnlyAccess – Grants read-only access to Amazon Route 53 domain registration resources. Note You can review these permissions policies by signing in to the IAM console and searching for specific policies there. You can also create your own custom IAM policies to allow permissions for Amazon Route 53 API operations. You can attach these custom policies to the IAM users or groups that require those permissions. Customer Managed Policy Examples You can create your own custom IAM policies to allow permissions for Amazon Route 53 actions. You can attach these custom policies to the IAM users or groups that require the specified permissions. These policies work when you are using the Amazon Route 53 API, the AWS SDKs, or the AWS CLI. The following examples show permissions for several common use cases. For the policy that grants a user full access to Amazon Route 53, see Permissions Required to Use the Amazon Route 53 Console (p. 284). Examples • Example 1: Allow Read Access to All Hosted Zones (p. 286) • Example 2: Allow Creation and Deletion of Hosted Zones (p. 287) • Example 3: Allow Changes to Resource Record Sets in a Specified Hosted Zone (p. 287) • Example 4: Allow Full Access to All Domains (Public Hosted Zones Only) (p. 288) Example 1: Allow Read Access to All Hosted Zones The following permissions policy grants the user permissions to list all hosted zones and view all the resource record sets in a hosted zone. API Version 2013-04-01 286 Amazon Route 53 Developer Guide Customer Managed Policy Examples { "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "route53:GetHostedZone", "route53:ListResourceRecordSets" ], "Resource":"arn:aws:route53:::hostedzone/*" }, { "Effect":"Allow", "Action":["route53:ListHostedZones"], "Resource":"*" } ] } Example 2: Allow Creation and Deletion of Hosted Zones The following permissions policy allows users to create and delete hosted zones, and to track the progress of the change. { "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":["route53:CreateHostedZone"], "Resource":"*" }, { "Effect":"Allow", "Action":["route53:DeleteHostedZone"], "Resource":"arn:aws:route53:::change/*" }, { "Effect":"Allow", "Action":["route53:GetChange"], "Resource":"arn:aws:route53:::change/*" } ] } The value of Resource is * for CreateHostedZone because a hosted zone doesn't have an ID until you create it. Example 3: Allow Changes to Resource Record Sets in a Specified Hosted Zone The following permissions policy allows users to add, change, and delete resource record sets in a specified hosted zone. It also allows users to request the status of changes: API Version 2013-04-01 287 Amazon Route 53 Developer Guide Amazon Route 53 API Permissions Reference { "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":["route53:ChangeResourceRecordSets"], "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V" }, { "Effect":"Allow", "Action":["route53:GetChange"], "Resource":"arn:aws:route53:::change/*" } ] } Example 4: Allow Full Access to All Domains (Public Hosted Zones Only) The following permissions policy allows users to perform all actions on domain registrations, including permissions to register domains and create hosted zones. { "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "route53domains:*", "route53:CreateHostedZone" ], "Resource":"*" } ] } When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permissions to create hosted zones. (For domain registration, Amazon Route 53 doesn't support granting permissions to individual resources.) For information about permissions that are required to work with private hosted zones, see Permissions Required to Use the Amazon Route 53 Console (p. 284). Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference When you are setting up Access Control (p. 278) and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following lists as a reference. The lists include each Amazon Route 53 API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field. API Version 2013-04-01 288 Amazon Route 53 Developer Guide Required Permissions for Actions on Public Hosted Zones You can use AWS-wide condition keys in your Amazon Route 53 policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide. Note To specify an action, use the applicable prefix (route53: or route53domains) followed by the API operation name (for example, route53:CreateHostedZone or route53domains:RegisterDomain). Topics • Required Permissions for Actions on Public Hosted Zones (p. 289) • Required Permissions for Actions on Private Hosted Zones (p. 290) • Required Permissions for Actions on Reusable Delegation Sets (p. 290) • Required Permissions for Actions on Resource Record Sets (p. 291) • Required Permissions for Actions on Traffic Policies (p. 291) • Required Permissions for Actions on Traffic Policy Instances (p. 292) • Required Permissions for Actions on Health Checks (p. 293) • Required Permissions for Actions on Domain Registrations (p. 293) • Required Permissions for Actions on Tags for Hosted Zones and Health Checks (p. 295) • Required Permissions for Actions on Tags for Domains (p. 295) Required Permissions for Actions on Public Hosted Zones CreateHostedZone Required Permissions (API Action): route53:CreateHostedZone Resources: arn:aws:route53:::hostedzone/* DeleteHostedZone Required Permissions (API Action): route53:DeleteHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID GetHostedZone Required Permissions (API Action): route53:GetHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID GetHostedZoneCount Required Permissions (API Action): route53:GetHostedZoneCount Resources: arn:aws:route53:::hostedzonecount ListHostedZones Required Permissions (API Action): route53:ListHostedZones Resources: arn:aws:route53:::hostedzone/* ListHostedZonesByName Required Permissions (API Action): route53:ListHostedZonesByName Resources: arn:aws:route53:::hostedzonesbyname UpdateHostedZoneComment Required Permissions (API Action): route53:UpdateHostedZoneComment Resources: arn:aws:route53:::hostedzone/hosted zone ID API Version 2013-04-01 289 Amazon Route 53 Developer Guide Required Permissions for Actions on Private Hosted Zones Required Permissions for Actions on Private Hosted Zones CreateHostedZone Required Permissions (API Action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions Resources: arn:aws:route53:::hostedzone/*, arn:aws:ec2::optional account id:* DeleteHostedZone Required Permissions (API Action): route53:DeleteHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID AssociateVPCWithHostedZone Required Permissions (API Action): route53:AssociateVPCWithHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID/associatevpc DisassociateVPCFromHostedZone Required Permissions (API Action): route53:DisassociateVPCFromHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID/disassociatevpc GetHostedZone Required Permissions (API Action): route53:GetHostedZone Resources: arn:aws:route53:::hostedzone/hosted zone ID GetHostedZoneCount Required Permissions (API Action): route53:GetHostedZoneCount Resources: arn:aws:route53:::hostedzonecount ListHostedZones Required Permissions (API Action): route53:ListHostedZones Resources: arn:aws:route53:::hostedzone/* ListHostedZonesByName Required Permissions (API Action): route53:ListHostedZonesByName Resources: arn:aws:route53:::hostedzonesbyname UpdateHostedZoneComment Required Permissions (API Action): route53:UpdateHostedZoneComment Resources: arn:aws:route53:::hostedzone/hosted zone ID Required Permissions for Actions on Reusable Delegation Sets CreateReusableDelegationSet Required Permissions (API Action): route53:CreateReusableDelegationSet Resources: arn:aws:route53:::delegationset/* DeleteReusableDelegationSet Required Permissions (API Action): route53:DeleteReusableDelegationSet Resources: arn:aws:route53:::delegationset/delegation set ID API Version 2013-04-01 290 Amazon Route 53 Developer Guide Required Permissions for Actions on Resource Record Sets GetReusableDelegationSet Required Permissions (API Action): route53:GetReusableDelegationSet Resources: arn:aws:route53:::delegationset/delegation set ID ListReusableDelegationSets Required Permissions (API Action): route53:ListReusableDelegationSets Resources: arn:aws:route53:::delegationset/* Required Permissions for Actions on Resource Record Sets ChangeResourceRecordSets Required Permissions (API Action): route53:ChangeResourceRecordSets Resources: arn:aws:route53:::hostedzone/hosted zone ID/rrset GetChange Required Permissions (API Action): route53:GetChange Resources: arn:aws:route53:::change/change ID GetGeoLocation Required Permissions (API Action): route53:GetGeoLocation Resources: arn:aws:route53:::geolocation/* ListGeoLocations Required Permissions (API Action): route53:ListGeoLocations Resources: arn:aws:route53:::geolocations/* ListResourceRecordSets Required Permissions (API Action): route53:ListResourceRecordSets Resources: arn:aws:route53:::hostedzone/hosted zone ID/rrset Required Permissions for Actions on Traffic Policies CreateTrafficPolicy Required Permissions (API Action): route53:CreateTrafficPolicy Resources: arn:aws:route53:::trafficpolicy/* CreateTrafficPolicyVersion Required Permissions (API Action): route53:CreateTrafficPolicyVersion Resources: arn:aws:route53:::trafficpolicy/traffic policy ID DeleteTrafficPolicy Required Permissions (API Action): route53:DeleteTrafficPolicy Resources: arn:aws:route53:::trafficpolicy/traffic policy ID/traffic policy version number GetTrafficPolicy Required Permissions (API Action): route53:GetTrafficPolicy API Version 2013-04-01 291 Amazon Route 53 Developer Guide Required Permissions for Actions on Traffic Policy Instances Resources: arn:aws:route53:::trafficpolicy/traffic policy ID/traffic policy version number ListTrafficPolicies Required Permissions (API Action): route53:ListTrafficPolicies Resources: arn:aws:route53:::trafficpolicies/* ListTrafficPolicyVersions Required Permissions (API Action): route53:ListTrafficPolicyVersions Resources: arn:aws:route53:::trafficpolicy/traffic policy ID UpdateTrafficPolicyComment Required Permissions (API Action): route53:UpdateTrafficPolicyComment Resources: arn:aws:route53:::trafficpolicy/* Required Permissions for Actions on Traffic Policy Instances CreateTrafficPolicyInstance Required Permissions (API Action): route53:CreateTrafficPolicyInstance Resources: arn:aws:route53:::trafficpolicyinstance/* DeleteTrafficPolicyInstance Required Permissions (API Action): route53:DeleteTrafficPolicyInstance Resources: arn:aws:route53:::trafficpolicyinstance/traffic policy instance ID GetTrafficPolicyInstance Required Permissions (API Action): route53:GetTrafficPolicyInstance Resources: arn:aws:route53:::trafficpolicyinstance/traffic policy instance ID GetTrafficPolicyInstanceCount Required Permissions (API Action): route53:GetTrafficPolicyInstanceCount Resources: arn:aws:route53:::trafficpolicyinstance/* ListTrafficPolicyInstances Required Permissions (API Action): route53:ListTrafficPolicyInstances Resources: arn:aws:route53:::trafficpolicyinstance/* ListTrafficPolicyInstancesByHostedZone Required Permissions (API Action): route53:ListTrafficPolicyInstancesByHostedZone Resources: arn:aws:route53:::trafficpolicyinstance/hosted zone ID ListTrafficPolicyInstancesByPolicy Required Permissions (API Action): route53:ListTrafficPolicyInstancesByPolicy Resources: arn:aws:route53:::trafficpolicyinstance/traffic policy ID UpdateTrafficPolicyInstance Required Permissions (API Action): route53:UpdateTrafficPolicyInstance Resources: arn:aws:route53:::trafficpolicyinstance/traffic policy instance ID API Version 2013-04-01 292 Amazon Route 53 Developer Guide Required Permissions for Actions on Health Checks Required Permissions for Actions on Health Checks CreateHealthCheck Required Permissions (API Action): route53:CreateHealthCheck Resources: arn:aws:route53:::healthcheck/* DeleteHealthCheck Required Permissions (API Action): route53:DeleteHealthCheck Resources: arn:aws:route53:::healthcheck/health check ID GetCheckerIpRanges Required Permissions (API Action): route53:GetCheckerIpRanges Resources: arn:aws:route53:::checkeripranges/* GetHealthCheck Required Permissions (API Action): route53:GetHealthCheck Resources: arn:aws:route53:::healthcheck/health check ID GetHealthCheckCount Required Permissions (API Action): route53:GetHealthCheckCount Resources: arn:aws:route53:::healthcheck/* GetHealthCheckLastFailureReason Required Permissions (API Action): route53:GetHealthCheckLastFailureReason Resources: arn:aws:route53:::healthcheck/health check ID GetHealthCheckStatus Required Permissions (API Action): route53:GetHealthCheckStatus Resources: arn:aws:route53:::healthcheck/health check ID ListHealthChecks Required Permissions (API Action): route53:ListHealthChecks Resources: arn:aws:route53:::healthcheck/* UpdateHealthCheck Required Permissions (API Action): route53:UpdateHealthCheck Resources: arn:aws:route53:::healthcheck/health check ID Required Permissions for Actions on Domain Registrations CheckDomainAvailability Required Permissions (API Action): route53domains:CheckDomainAvailability Resources: arn:aws:route53domains:::* DisableDomainAutoRenew Required Permissions (API Action): route53domains:DisableDomainAutoRenew Resources: arn:aws:route53domains:::* API Version 2013-04-01 293 Amazon Route 53 Developer Guide Required Permissions for Actions on Domain Registrations DisableDomainTransferLock Required Permissions (API Action): route53domains:DisableDomainTransferLock Resources: arn:aws:route53domains:::* EnableDomainAutoRenew Required Permissions (API Action): route53domains:EnableDomainAutoRenew Resources: arn:aws:route53domains:::* EnableDomainTransferLock Required Permissions (API Action): route53domains:EnableDomainTransferLock Resources: arn:aws:route53domains:::* GetContactReachabilityStatus Required Permissions (API Action): route53domains:GetContactReachabilityStatus Resources: arn:aws:route53domains:::* GetDomainDetail Required Permissions (API Action): route53domains:GetDomainDetail Resources: arn:aws:route53domains:::* GetOperationDetail Required Permissions (API Action): route53domains:GetOperationDetail Resources: arn:aws:route53domains:::* ListDomains Required Permissions (API Action): route53domains:ListDomains Resources: arn:aws:route53domains:::* ListOperations Required Permissions (API Action): route53domains:ListOperations Resources: arn:aws:route53domains:::* RegisterDomain Required Permissions (API Action): route53domains:RegisterDomain Resources: arn:aws:route53domains:::* ResendContactReachabilityEmail Required Permissions (API Action): route53domains:ResendContactReachabilityEmail Resources: arn:aws:route53domains:::* RetrieveDomainAuthCode Required Permissions (API Action): route53domains:RetrieveDomainAuthCode Resources: arn:aws:route53domains:::* TransferDomain Required Permissions (API Action): route53domains:TransferDomain Resources: arn:aws:route53domains:::* UpdateDomainContact Required Permissions (API Action): route53domains:UpdateDomainContact Resources: arn:aws:route53domains:::* UpdateDomainContactPrivacy Required Permissions (API Action): route53domains:UpdateDomainContactPrivacy Resources: arn:aws:route53domains:::* API Version 2013-04-01 294 Amazon Route 53 Developer Guide Required Permissions for Actions on Tags for Hosted Zones and Health Checks UpdateDomainNameservers Required Permissions (API Action): route53domains:UpdateDomainNameservers Resources: arn:aws:route53domains:::* ViewBilling Required Permissions (API Action): route53domains:ViewBilling Resources: arn:aws:route53domains:::* Required Permissions for Actions on Tags for Hosted Zones and Health Checks ChangeTagsForResource Required Permissions (API Action): route53:ChangeTagsForResource Resources: arn:aws:route53:::tags/[healthcheck | hostedzone]/[health check ID | hosted zone ID] ListTagsForResource Required Permissions (API Action): route53:ListTagsForResource Resources: arn:aws:route53:::tags/[healthcheck | hostedzone]/[health check ID | hosted zone ID] ListTagsForResources Required Permissions (API Action): route53:ListTagsForResources Resources: arn:aws:route53:::tags/[healthcheck | hostedzone]/* Required Permissions for Actions on Tags for Domains DeleteTagsForDomain Required Permissions (API Action): route53domains:DeleteTagsForDomain Resources: arn:aws:route53domains:::tags/* ListTagsForDomain Required Permissions (API Action): route53domains:ListTagsForDomain Resources: arn:aws:route53domains:::tags/* UpdateTagsForDomain Required Permissions (API Action): route53domains:UpdateTagsForDomain Resources: arn:aws:route53domains:::tags/* API Version 2013-04-01 295 Amazon Route 53 Developer Guide Configuring CloudTrail for Amazon Route 53 Using AWS CloudTrail to Capture Requests Sent to the Amazon Route 53 API Amazon Route 53 is integrated with CloudTrail, an AWS service that captures information about every request that is sent to the Amazon Route 53 API by your AWS account, including your IAM users. CloudTrail periodically saves log files of these requests to an Amazon S3 bucket that you specify. CloudTrail captures information about all requests, whether they were made using the Amazon Route 53 console, the Amazon Route 53 API, the AWS SDKs, the Amazon Route 53 CLI, or another service, such as AWS CloudFormation. You can use information in the CloudTrail log files to determine which requests were made to Amazon Route 53, the source IP address from which each request was made, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide. Topics • Configuring CloudTrail for Amazon Route 53 (p. 296) • Amazon Route 53 Information in CloudTrail Log Files (p. 297) • Understanding Amazon Route 53 Log File Entries (p. 297) Configuring CloudTrail for Amazon Route 53 When you configure CloudTrail to capture information about API requests made by AWS accounts, you start by choosing a region. For Amazon Route 53, you must choose US East (N. Virginia) as the region, or you won't get any log entries for Amazon Route 53 API requests. API Version 2013-04-01 296 Amazon Route 53 Developer Guide Amazon Route 53 Information in CloudTrail Log Files Amazon Route 53 Information in CloudTrail Log Files When you enable CloudTrail, CloudTrail captures every request made to every AWS service that CloudTrail supports. (For a list of supported services, see Supported Services in the AWS CloudTrail User Guide.) The log files aren't organized or sorted by service; each log file might contain records from more than one service. CloudTrail determines when to create a new log file. Every log file entry contains information about who made the request. The user identity information in the log file helps you determine whether the request was made by a user with root or IAM user credentials, by a user with temporary security credentials, or by another AWS service, such as AWS CloudFormation. For more information, see userIdentity Element in the AWS CloudTrail User Guide. You can store log files for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE). If you want to review log files as soon as CloudTrail delivers them to your Amazon S3 bucket, you can choose to have CloudTrail publish Amazon SNS notifications when new log files are delivered. For more information, see Configuring Amazon SNS Notifications in the AWS CloudTrail User Guide. You can also aggregate log files from multiple AWS regions and multiple AWS accounts into a single Amazon S3 bucket. For more information, see Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the AWS CloudTrail User Guide. Understanding Amazon Route 53 Log File Entries Each JSON-formatted CloudTrail log file can contain one or more log entries. A log entry represents a single request from any source and includes information about the requested action, including any parameters, the date and time of the action, and so on. The log entries are not guaranteed to be in any particular order; they are not an ordered stack trace of API calls. Important Don't use CloudTrail log entries to reconstruct a hosted zone or to revert a hosted zone to a prior state. Although extremely rare, it is possible that an Amazon Route 53 API request is not successfully recorded in the CloudTrail log. If you try to reproduce a hosted zone and a log entry is missing, the resource record set that you don't create or update could adversely affect the availability of your domain. The eventName element identifies the action that occurred. CloudTrail supports all Amazon Route 53 API actions. The following example shows a CloudTrail log entry that demonstrates four actions: • Listing the hosted zones that are associated with an AWS account • Creating a health check • Creating two resource record sets • Deleting a hosted zone { "Records": [ API Version 2013-04-01 297 Amazon Route 53 Developer Guide Understanding Amazon Route 53 Log File Entries { "apiVersion": "2013-04-01", "awsRegion": "us-east-1", "eventID": "1cdbea14-e162-43bb-8853-f9f86d4739ca", "eventName": "ListHostedZones", "eventSource": "route53.amazonaws.com", "eventTime": "2015-01-16T00:41:48Z", "eventType": "AwsApiCall", "eventVersion": "1.02", "recipientAccountId": "444455556666", "requestID": "741e0df7-9d18-11e4-b752-f9c6311f3510", "requestParameters": null, "responseElements": null, "sourceIPAddress": "192.0.2.92", "userAgent": "Apache-HttpClient/4.3 (java 1.5)", "userIdentity": { "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:user/smithj", "principalId": "A1B2C3D4E5F6G7EXAMPLE", "type": "IAMUser", "userName": "smithj" } }, { "apiVersion": "2013-04-01", "awsRegion": "us-east-1", "eventID": "45ec906a-1325-4f61-b133-3ef1012b0cbc", "eventName": "CreateHealthCheck", "eventSource": "route53.amazonaws.com", "eventTime": "2015-01-16T00:41:57Z", "eventType": "AwsApiCall", "eventVersion": "1.02", "recipientAccountId": "444455556666", "requestID": "79915168-9d18-11e4-b752-f9c6311f3510", "requestParameters": { "callerReference": "2014-05-06 64832", "healthCheckConfig": { "iPAddress": "192.0.2.249", "port": 80, "type": "TCP" } }, "responseElements": { "healthCheck": { "callerReference": "2014-05-06 64847", "healthCheckConfig": { "failureThreshold": 3, "iPAddress": "192.0.2.249", "port": 80, "requestInterval": 30, "type": "TCP" }, "healthCheckVersion": 1, "id": "b3c9cbc6-cd18-43bc-93f8-9e557example" }, "location": "https://route53.amazonaws.com/2013-0401/healthcheck/b3c9cbc6-cd18-43bc-93f8-9e557example" API Version 2013-04-01 298 Amazon Route 53 Developer Guide Understanding Amazon Route 53 Log File Entries }, "sourceIPAddress": "192.0.2.92", "userAgent": "Apache-HttpClient/4.3 (java 1.5)", "userIdentity": { "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:user/smithj", "principalId": "A1B2C3D4E5F6G7EXAMPLE", "type": "IAMUser", "userName": "smithj" } }, { "additionalEventData": { "Note": "Do not use to reconstruct hosted zone" }, "apiVersion": "2013-04-01", "awsRegion": "us-east-1", "eventID": "883b14d9-2f84-4005-8bc5-c7bf0cebc116", "eventName": "ChangeResourceRecordSets", "eventSource": "route53.amazonaws.com", "eventTime": "2015-01-16T00:41:43Z", "eventType": "AwsApiCall", "eventVersion": "1.02", "recipientAccountId": "444455556666", "requestID": "7081d4c6-9d18-11e4-b752-f9c6311f3510", "requestParameters": { "changeBatch": { "changes": [ { "action": "CREATE", "resourceRecordSet": { "name": "prod.example.com.", "resourceRecords": [ { "value": "192.0.1.1" }, { "value": "192.0.1.2" }, { "value": "192.0.1.3" }, { "value": "192.0.1.4" } ], "tTL": 300, "type": "A" } }, { "action": "CREATE", "resourceRecordSet": { "name": "test.example.com.", "resourceRecords": [ { "value": "192.0.1.1" API Version 2013-04-01 299 Amazon Route 53 Developer Guide Understanding Amazon Route 53 Log File Entries }, { "value": "192.0.1.2" }, { "value": "192.0.1.3" }, { "value": "192.0.1.4" } ], "tTL": 300, "type": "A" } } ], "comment": "Adding subdomains" }, "hostedZoneId": "Z1PA6795UKMFR9" }, "responseElements": { "changeInfo": { "comment": "Adding subdomains", "id": "/change/C156SRE0X2ZB10", "status": "PENDING", "submittedAt": "Jan 16, 2015 12:41:43 AM" } }, "sourceIPAddress": "192.0.2.92", "userAgent": "Apache-HttpClient/4.3 (java 1.5)", "userIdentity": { "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:user/smithj", "principalId": "A1B2C3D4E5F6G7EXAMPLE", "type": "IAMUser", "userName": "smithj" } }, { "apiVersion": "2013-04-01", "awsRegion": "us-east-1", "eventID": "0cb87544-ebee-40a9-9812-e9dda1962cb2", "eventName": "DeleteHostedZone", "eventSource": "route53.amazonaws.com", "eventTime": "2015-01-16T00:41:37Z", "eventType": "AwsApiCall", "eventVersion": "1.02", "recipientAccountId": "444455556666", "requestID": "6d5d149f-9d18-11e4-b752-f9c6311f3510", "requestParameters": { "id": "Z1PA6795UKMFR9" }, "responseElements": { "changeInfo": { "id": "/change/C1SIJYUYIKVJWP", "status": "PENDING", "submittedAt": "Jan 16, 2015 12:41:36 AM" API Version 2013-04-01 300 Amazon Route 53 Developer Guide Understanding Amazon Route 53 Log File Entries } }, "sourceIPAddress": "192.0.2.92", "userAgent": "Apache-HttpClient/4.3 (java 1.5)", "userIdentity": { "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:user/smithj", "principalId": "A1B2C3D4E5F6G7EXAMPLE", "type": "IAMUser", "userName": "smithj" } } ] } API Version 2013-04-01 301 Amazon Route 53 Developer Guide Tagging Amazon Route 53 Resources A tag is a label that you assign to an AWS resource. Each tag consists of a key and a value, both of which you define. For example, the key might be "domain" and the value might be "example.com". You can use tags for a variety of purposes; one common use is to categorize and track your Amazon Route 53 costs. When you apply tags to Amazon Route 53 hosted zones, domains, and health checks, AWS generates a cost allocation report as a comma-separated value (CSV) file with your usage and costs aggregated by your tags. You can apply tags that represent business categories (such as cost centers, application names, or owners) to organize your costs across multiple services. For more information about using tags for cost allocation, see Use Cost Allocation Tags in the AWS Billing and Cost Management User Guide. For ease of use and best results, use Tag Editor in the AWS Management Console, which provides a central, unified way to create and manage your tags. For more information, see Working with Tag Editor in Getting Started with the AWS Management Console. For health checks, you can also apply tags in the Amazon Route 53 console. For more information, see Naming and Tagging Health Checks (p. 275). You can also apply tags to resources by using the Amazon Route 53 API. For more information, see Tagging Hosted Zones and Health Checks and Tagging Domains in the Amazon Route 53 API Reference. API Version 2013-04-01 302 Amazon Route 53 Developer Guide Transitioning to Latency-Based Routing in Amazon Route 53 Tutorials Topics • Transitioning to Latency-Based Routing in Amazon Route 53 (p. 303) • Adding Another Region to Your Latency-Based Routing in Amazon Route 53 (p. 305) • Using Latency and Weighted Resource Record Sets in Amazon Route 53 to Route Traffic to Multiple Amazon EC2 Instances in a Region (p. 306) • Managing Over 100 Weighted Resource Record Sets in Amazon Route 53 (p. 307) • Weighting Fault-Tolerant Multi-Record Answers in Amazon Route 53 (p. 307) Transitioning to Latency-Based Routing in Amazon Route 53 With latency-based routing, Amazon Route 53 can direct your users to the lowest-latency AWS endpoint available. For example, you may associate a DNS name like www.example.com with ELB load balancers or with Amazon EC2 instances or Elastic IP addresses that are hosted in the US East (N. Virginia) and EU (Ireland) regions. The Amazon Route 53 DNS servers decide, based on network conditions of the past couple of weeks, which instances in which regions should serve particular users. A user in London will likely be directed to the EU (Ireland) instance, a user in Chicago will likely be directed to the US East (N. Virginia) instance, and so on. Amazon Route 53 supports latency-based routing for A, AAAA, TXT, and CNAME resource record sets, as well as aliases to A and AAAA resource record sets. For a smooth, low-risk transition, you can combine weighted and latency resource record sets to gradually migrate from standard routing to latency-based routing with full control and rollback capability at each stage. Let's consider an example in which www.example.com is currently hosted on an Amazon EC2 instance in the US East (N. Virginia) region. The instance has the Elastic IP address W.W.W.W. Suppose you want to continue routing traffic to the US East (N. Virginia) region when applicable while also beginning to direct users to additional Amazon EC2 instances in the US West (N. California) region (Elastic IP X.X.X.X) and in the EU (Ireland) region (Elastic IP Y.Y.Y.Y). The Amazon Route 53 hosted zone for example.com already has a resource record set for www.example.com that has a Type of A and a Value (an IP address) of W.W.W.W. When you're finished with the following example, you'll have two weighted alias resource record sets: • You'll convert your existing resource record set for www.example.com into a weighted alias resource record set that continues to direct the majority of your traffic to your existing Amazon EC2 instance in the US East (N. Virginia) region. API Version 2013-04-01 303 Amazon Route 53 Developer Guide Transitioning to Latency-Based Routing in Amazon Route 53 • You'll create another weighted alias resource record set that initially directs only a small portion of your traffic to your latency resource record sets, which route traffic to all three regions. By updating the weights in these weighted alias resource record sets, you can gradually shift from routing traffic only to the US East (N. Virginia) region to routing traffic to all three regions in which you have Amazon EC2 instances. To Transition to Latency-Based Routing 1. Make a copy of the resource record set for www.example.com, but use a new domain name, for example, copy-www.example.com. Give the new resource record set the same Type (A) and Value (W.W.W.W) as the resource record set for www.example.com. 2. Update the existing A record for www.example.com to make it a weighted alias resource record set: • For the value of Alias Target, specify copy-www.example.com. • For the value of Weight, specify 100. When you're finished with the update, Amazon Route 53 will continue to use this resource record set to route all traffic to the resource that has an IP address of W.W.W.W. 3. Create a latency resource record set for each of your Amazon EC2 instances, for example: • US East (N. Virginia), Elastic IP address W.W.W.W • US West (N. California), Elastic IP address X.X.X.X • EU (Ireland), Elastic IP address Y.Y.Y.Y Give all of the latency resource record sets the same domain name, for example, www-lbr.example.com and the same type, A. When you're finished creating the latency resource record sets, Amazon Route 53 will continue to route traffic using the resource record set that you updated in Step 2. 4. You can use www-lbr.example.com for validation testing, for example, to ensure that each endpoint can accept requests. Let's now add the www-lbr.example.com latency resource record set into the www.example.com weighted resource record set and begin routing limited traffic to the corresponding Amazon EC2 instances. This means that the Amazon EC2 instance in the US East (N. Virginia) region will be getting traffic from both weighted resource record sets. Create another weighted alias resource record set for www.example.com: • For the value of Alias Target, specify www-lbr.example.com. • For the value of Weight, specify 1. When you finish and your changes are synchronized to Amazon Route 53 servers, Amazon Route 53 will begin to route a tiny fraction of your traffic (1/101) to the Amazon EC2 instances for which you created latency resource record sets in Step 3. 5. As you develop confidence that your endpoints are adequately scaled for the incoming traffic, adjust the weights accordingly. For example, if you want 10% of your requests to be based on latency-based routing, change the weights to 90 and 10, respectively. For more information about creating latency resource record sets, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). API Version 2013-04-01 304 Amazon Route 53 Developer Guide Adding Another Region to Your Latency-Based Routing in Amazon Route 53 Adding Another Region to Your Latency-Based Routing in Amazon Route 53 If you're using latency based routing and you want to add an instance in a new region, you can gradually shift traffic to the new region in the same way that you gradually shifted traffic to latency-based routing in Transitioning to Latency-Based Routing in Amazon Route 53 (p. 303). For example, suppose you're using latency-based routing to route traffic for www.example.com, and you want to add an Amazon EC2 instance in Asia Pacific (Tokyo) to your instances in US East (N. Virginia), US West (N. California), and EU (Ireland). The following example procedure explains one way that you could add an instance in another region. For this example, the Amazon Route 53 hosted zone for example.com already has a weighted alias resource record set for www.example.com that is routing traffic to the latency-based resource record sets for www-lbr.example.com: • US East (N. Virginia), Elastic IP address W.W.W.W • US West (N. California), Elastic IP address X.X.X.X • EU (Ireland), Elastic IP address Y.Y.Y.Y The weighted alias resource record set has a weight of 100. After you transitioned to latency-based routing, assume that you deleted the other weighted resource record set that you used for the transition. To Add Another Region to Your Latency-Based Routing in Amazon Route 53 1. Create four new latency-based resource record sets that include the three original regions as well as the new region to which you want to start routing traffic. • US East (N. Virginia), Elastic IP address W.W.W.W • US West (N. California), Elastic IP address X.X.X.X • EU (Ireland), Elastic IP address Y.Y.Y.Y • Asia Pacific (Tokyo), Elastic IP address Z.Z.Z.Z Give all of the latency resource record sets the same new domain name, for example, www-lbr-2012-04-30.example.com, and the same type, A. When you're finished creating the latency resource record sets, Amazon Route 53 will continue to route traffic using the original weighted alias resource record set (www.example.com) and latency resource record sets (www-lbr.example.com). 2. You can use the www-lbr-2012-04-30.example.com resource record sets for validation testing, for example, to ensure that each endpoint can accept requests. Create a weighted alias resource record set for the new latency resource record sets: • For the domain name, specify the name for the existing weighted alias resource record set, www.example.com. • For the value of Alias Target, specify www-lbr-2012-04-30.example.com. • For the value of Weight, specify 1. When you finish, Amazon Route 53 will begin to route a tiny fraction of your traffic (1/101) to the Amazon EC2 instances for which you created the www-lbr-2012-04-30.example.com latency resource record sets in Step 1. The remainder of the traffic will continue to be routed to the API Version 2013-04-01 305 Amazon Route 53 Developer Guide Using Latency and Weighted Resource Record Sets in Amazon Route 53 to Route Traffic to Multiple Amazon EC2 Instances in a Region www-lbr.example.com latency resource record sets, which do not include the Amazon EC2 instance in the Asia Pacific (Tokyo) region. 3. As you develop confidence that your endpoints are adequately scaled for the incoming traffic, adjust the weights accordingly. For example, if you want 10% of your requests to be routed to the latency resource record sets that include the Tokyo region, change the weight for www-lbr.example.com from 100 to 90 and the weight for www-lbr-2012-04-30.example.com from 1 to 10. For more information about creating resource record sets, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). Using Latency and Weighted Resource Record Sets in Amazon Route 53 to Route Traffic to Multiple Amazon EC2 Instances in a Region If your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify. For example, suppose you have three Amazon EC2 instances with Elastic IP addresses in the US East (N. Virginia) region and you want to distribute requests across all three IPs evenly for users for whom US East (N. Virginia) is the appropriate region. Just one Amazon EC2 instance is sufficient in the other regions, although you can apply the same technique to many regions at once. To use latency and weighted resource record sets in Amazon Route 53 to route traffic to multiple Amazon EC2 instances in a region 1. Create a group of weighted resource record sets for the Amazon EC2 instances in the region. Note the following: • Give each weighted resource record set the same value for Name (for example, us-east.example.com) and Type. • For Value, specify the value of one of the Elastic IP addresses. • If you want to weight the Amazon EC2 instances equally, specify the same value for Weight. • Specify a unique value for Set ID for each resource record set. 2. If you have multiple Amazon EC2 instances in other regions, repeat Step 1 for the other regions. Specify a different value for Name in each region. 3. For each region in which you have multiple Amazon EC2 instances (for example, US East (N. Virginia)), create a latency alias resource record set. For the value of Alias Target, specify the value of the Name field (for example, us-east.example.com) that you assigned to the weighted resource record sets in that region. 4. For each region in which you have one Amazon EC2 instance, create a latency resource record set. For the value of Name, specify the same value that you specified for the latency alias resource record sets that you created in Step 3. For Value, specify the Elastic IP address of the Amazon EC2 instance in that region. For more information about creating resource record sets, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). API Version 2013-04-01 306 Amazon Route 53 Developer Guide Managing Over 100 Weighted Resource Record Sets in Amazon Route 53 Managing Over 100 Weighted Resource Record Sets in Amazon Route 53 Amazon Route 53 lets you configure weighted resource record sets. For a given name and type (for example, www.example.com, type A), you can configure up to 100 alternative responses, each with its own weight. When responding to queries for www.example.com, Amazon Route 53 DNS servers select a weighted random response to return to DNS resolvers. The value of a weighted resource record set that has a weight of 2 is returned, on average, twice as often as the value of a weighted resource record set that has a weight of 1. If you need to direct traffic to more than 100 endpoints, one way to achieve this is to use a tree of weighted alias resource record sets and weighted resource record sets. For example, the first "level" of the tree may be up to 100 weighted alias resource record sets, each of which can, in turn, point to up to 100 weighted resource record sets. Amazon Route 53 permits up to three levels of recursion, allowing you to manage up to 1,000,000 unique weighted endpoints. A simple two-level tree might look like this: Weighted alias resource record sets • www.example.com aliases to www-a.example.com with a weight of 1 • www.example.com aliases to www-b.example.com with a weight of 1 Weighted resource record sets • www-a.example.com, type A, value 192.0.2.1, weight 1 • www-a.example.com, type A, value 192.0.2.2, weight 1 • www-b.example.com, type A, value 192.0.2.3, weight 1 • www-b.example.com, type A, value 192.0.2.4, weight 1 For more information about creating resource record sets, see Working with Resource Record Sets (p. 178). Weighting Fault-Tolerant Multi-Record Answers in Amazon Route 53 An Amazon Route 53 weighted resource record set can only be associated with one record, meaning a combination of one name (for example, example.com) and one record type (for example, A). But it is often desirable to weight DNS responses that contain multiple records. For example, you might have eight Amazon EC2 instances or Elastic IP endpoints for a service. If the clients of that service support connection retries (as all common browsers do), then providing multiple IP addresses in DNS responses provides those clients with alternative endpoints in the event of the failure of any particular endpoint. You can even protect against the failure of an availability zone if you configure responses to contain a mix of IPs hosted in two or more availability zones. Multi-record answers are also useful when a large number of clients (for example, mobile web applications) share a small set of DNS caches. In this case, multi-record answers allow clients to direct requests to several endpoints even if they receive a common DNS response from the shared cache. API Version 2013-04-01 307 Amazon Route 53 Developer Guide Weighting Fault-Tolerant Multi-Record Answers in Amazon Route 53 These types of weighted multi-record answers can be achieved by using a combination of resource record sets and weighted alias resource record sets. You can group eight endpoints into two distinct record sets containing four IP addresses each: endpoint-a.example.com, type A, with the following values: • 192.0.2.1 • 192.0.2.2 • 192.0.2.128 • 192.0.2.129 endpoint-b.example.com, type A, with the following values: • 192.0.2.3 • 192.0.2.4 • 192.0.2.130 • 192.0.2.131 You can then create a weighted alias resource record set that points to each group: • www.example.com aliases to endpoint-a.example.com, type A, weight 1 • www.example.com aliases to endpoint-b.example.com, type A, weight 1 For more information about creating resource record sets, see Working with Resource Record Sets (p. 178). API Version 2013-04-01 308 Amazon Route 53 Developer Guide Limits on API Requests Limits Amazon Route 53 API requests and entities are subject to the following limits. Topics • Limits on API Requests (p. 309) • Limits on Entities (p. 310) Limits on API Requests Amazon Route 53 API requests are subject to the following limits. ChangeResourceRecordSets requests • A request cannot contain more than 100 Change elements. • A request cannot contain more than 1000 ResourceRecord elements. • The sum of the number of characters (including spaces) in all Value elements in a request cannot exceed 32,000 characters. Note If the value of the Action element in a ChangeResourceRecordSets request is UPSERT and the resource record set already exists, Amazon Route 53 automatically performs a DELETE request and a CREATE request. When Amazon Route 53 calculates the number of characters in the Value elements of a change batch request, it adds the number of characters in the Value element of the resource record set being deleted and the number of characters in the Value element of the resource record set being created. Amazon Route 53 API requests • All requests – Five requests per second per AWS account. If you submit more than five requests per second, Amazon Route 53 returns an HTTP 400 error (Bad request). The response header also includes a Code element with a value of Throttling and a Message element with a value of Rate exceeded. • ChangeResourceRecordSets requests – If Amazon Route 53 can't process a request before the next request arrives, it will reject subsequent requests for the same hosted zone and return an HTTP 400 error (Bad request). The response header also includes a Code element with a value of PriorRequestNotComplete and a Message element with a value of The request was rejected because Route 53 was still processing a prior request. • CreateHealthCheck requests – You can submit a maximum of 1000 CreateHealthCheck requests in a 24-hour period. API Version 2013-04-01 309 Amazon Route 53 Developer Guide Limits on Entities Limits on Entities Amazon Route 53 entities are subject to the following limits. Entity Limit Hosted zones 500 per AWS account Request a higher limit. Domains 50 per AWS account Request a higher limit. Reusable delegation sets 100 per AWS account Request a higher limit. Hosted zones that can use the same reusable delegation set 100 Request a higher limit. Amazon VPCs that you can associate with a private hosted zone 100 Request a higher limit. Resource record sets 10,000 per hosted zone Request a higher limit. Weighted and geolocation resource record sets 100 resource record sets that have the same name and type Resource records 100 per resource record set Health checks 50 active health checks per AWS account Request a higher limit. Traffic policies 50 per AWS account Request a higher limit. Policy records 5 per AWS account Request a higher limit. API Version 2013-04-01 310 Amazon Route 53 Developer Guide AWS Resources Resources for Amazon Route 53 The following related resources can help you as you work with this service. Topics • AWS Resources (p. 311) • Third-Party Tools and Libraries (p. 312) • Graphical User Interfaces (p. 313) AWS Resources Several helpful guides, forums, and other resources are available from Amazon Web Services. • Amazon Route 53 API Reference – A reference guide that includes the schema location; complete descriptions of the API actions, parameters, and data types; and a list of errors that the service returns. • Amazon Route 53 Release Notes – A high-level overview of the current release noting any new features, corrections, and known issues. • AWS::Route53::RecordSet Type in the AWS CloudFormation User Guide – A property for using Amazon Route 53 with CloudFormation to create customized DNS names for your AWS CloudFormation stacks. • Discussion Forums – A community-based forum for developers to discuss technical questions related to Amazon Route 53. • AWS Support Center – This site brings together information about your recent support cases and results from AWS Trusted Advisor and health checks, as well as providing links to discussion forums, technical FAQs, the service health dashboard, and information about AWS support plans. • AWS Premium Support Information – The primary web page for information about AWS Premium Support, a one-on-one, fast-response support channel to help you build and run applications on AWS Infrastructure Services. • Contact Us – Links for inquiring about your billing or account. For technical questions, use the discussion forums or support links above. • Amazon Route 53 product information – The primary web page for information about Amazon Route 53, including features, pricing, and more. • AWS Training and Courses – Links to role-based and specialty courses as well as self-paced labs to help sharpen your AWS skills and gain practical experience. API Version 2013-04-01 311 Amazon Route 53 Developer Guide Third-Party Tools and Libraries • AWS Developer Tools – Links to developer tools and resources that provide documentation, code samples, release notes, and other information to help you build innovative applications with AWS. • AWS Support Center – The hub for creating and managing your AWS Support cases. Also includes links to other helpful resources, such as forums, technical FAQs, service health status, and AWS Trusted Advisor. • AWS Support – The primary web page for information about AWS Support, a one-on-one, fast-response support channel to help you build and run applications in the cloud. • Contact Us – A central contact point for inquiries concerning AWS billing, account, events, abuse, and other issues. • AWS Site Terms – Detailed information about our copyright and trademark; your account, license, and site access; and other topics. Third-Party Tools and Libraries In addition to AWS resources, you can find a variety of third-party tools and libraries that work with Amazon Route 53. • Amazon Route 53 to BIND Conversion Tool A BIND zone file describes a DNS zone in a common text-based format. This Perl script converts the XML-formatted text that is returned by the Amazon Route 53 ListResourceRecordSets API action to BIND zone file format. • Amazon Route 53 Zone Creation Tool This Perl script generates CreatedHostedZoneRequest XML for a given zone origin to create a zone in Amazon Route 53. • AmazonRoute53AppsScript (via webos-goodies) Google spreadsheet management of Amazon Route 53. • AWS Component for .NET (via SprightlySoft) SprightlySoft .NET Component for Amazon Web Services with support for REST operations and Amazon Route 53. • BIND to Amazon Route 53 Conversion Tool A BIND zone file describes a DNS zone in a common text-based format. This Perl script converts a BIND zone file to the XML-formatted text that is required by the Amazon Route 53 ChangeResourceRecordSets API action to add or remove records from Amazon Route 53. • Boto API download (via github) Boto Python interface to Amazon Web Services. • cli53 (via github) Command line interface for Amazon Route 53. • Dasein Cloud API Java-based API. • easyRoute53 (easyDNS) GUI tools, registrar services, and zone transfer services. • PHP library for Query-based Amazon Route 53 requests A simple PHP library for interacting with Amazon Route 53. • R53.py (via github) API Version 2013-04-01 312 Amazon Route 53 Developer Guide Graphical User Interfaces Maintains your own canonical version of your DNS configs under source control, and calculates the minimal changeset required to accomplish a DNS change. • RIAForge ColdFusion based components for managing DNS using Amazon Route 53. • RightScripts (via RightScale) Scripts to configure or update your RightScale server for use with Amazon Route 53. • RightScale Support Tutorials RightScale tutorial for domain setup with Amazon Route 53. • route53d DNS front-end to Amazon Route 53 API (enables incremental zone transfer (IXFR)). • Route53Manager (via github) Web-based interface. • Ruby Fog (via github) The Ruby cloud services library. • Valet (via github) Java API, including a one-way-sync utility for Windows DNS server files. • WebService::Amazon::Route53 (via CPAN) Perl interface to Amazon Route 53 API. Graphical User Interfaces The following third-party tools provide graphical user interfaces (GUIs) for working with Amazon Route 53: • • • • easyRoute53 (easyDNS) Nephelai R53 Fox Ylastic API Version 2013-04-01 313 Amazon Route 53 Developer Guide Document History The following table describes the important changes to the documentation since the last release of Amazon Route 53. • API Version – 2013-04-01 • Latest documentation update – May 26, 2016 API Version 2013-04-01 314 Amazon Route 53 Developer Guide The following table describes important changes in each release of the Amazon Route 53 Developer Guide. Change API Version Description Release Date New Features 2013-04-01 May 26, 2016 With this release, Amazon Route 53 adds the following new features: • Domain billing report – You can now download a report that lists all domain registration charges, by domain, for a specified time period. The report includes all domain registration operations for which there is a fee, including registering domains, transferring domains to Amazon Route 53, renewing domain registration, and (for some TLDs), changing the owner of a domain. For more information, see the following documentation: • Amazon Route 53 console – See Downloading a Domain Billing Report (p. 40) • Amazon Route 53 API – See ViewBilling in the Amazon Route 53 API Reference. • New TLDs – You can now register domains that have the following TLDs: .college, .consulting, .host, .name, .online, .republican, .rocks, .sucks, .trade, .website, and .uk. For more information, see Domains that You Can Register with Amazon Route 53 (p. 41). • New APIs for domain registration – For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, you can now programmatically determine whether the registrant contact has clicked the link in the confirmation email and, if not, whether the link is still valid. You can also programmatically request that we send another confirmation email. For more information, see the following documentation in the Amazon Route 53 API Reference: • GetContactReachabilityStatus • ResendContactReachabilityEmail API Version 2013-04-01 315 Amazon Route 53 Developer Guide Change API Version Description Release Date New Features 2013-04-01 April 5, 2016 API Version 2013-04-01 316 Amazon Route 53 Developer Guide Change API Version Description With this release, Amazon Route 53 adds the following new features: • Health checks based on CloudWatch metrics – You can now create health checks that are based on the alarm state of any CloudWatch metric. This is useful for checking the health of endpoints that can't be reached by a standard Amazon Route 53 health check, such as instances within an Amazon Virtual Private Cloud (VPC) that have only private IP addresses. For more information, see the following documentation: • Amazon Route 53 console – See Monitoring a CloudWatch Alarm (p. 250) in the "Values that You Specify When You Create or Update Health Checks" topic. • Amazon Route 53 API – See POST CreateHealthCheck and POST UpdateHealthCheck in the Amazon Route 53 API Reference. • Configurable health check locations – You can now choose the Amazon Route 53 health checking regions that check the health of your resources, which reduces the load on the endpoint from health checks. This is useful if your customers are concentrated in one or a few geographic regions. For more information, see the following documentation: • Amazon Route 53 console – See Health checker regions in the "Values that You Specify When You Create or Update Health Checks" topic. • Amazon Route 53 API – See the Regions element for POST CreateHealthCheck and POST UpdateHealthCheck in the Amazon Route 53 API Reference. • Failover in private hosted zones – You can now create failover and failover alias resource record sets in a private hosted zone. When you combine this feature with metric-based health checks, you can configure DNS failover even for endpoints that have only private IP addresses and can't be reached by using standard Amazon Route 53 health checks. For more information, see the following documentation: • Amazon Route 53 console – See Configuring Failover in a Private Hosted Zone (p. 270). • Amazon Route 53 API – See POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. • Alias resource record sets in private hosted zones – In the past, you could create alias resource record sets that route DNS queries only to other Amazon Route 53 resource record sets in the same hosted zone. With this release, you can also create alias resource record sets that route DNS queries to Elastic Beanstalk environments that have regionalized subdomains, Elastic Load Balancing load balancers, and Amazon S3 buckets. (You still can't create alias resource record sets API Version 2013-04-01 317 Release Date Amazon Route 53 Developer Guide Change API Version Description Release Date that route DNS queries to a CloudFront distribution.) For more information, see the following documentation: • Amazon Route 53 console – See Choosing Between Alias and Non-Alias Resource Record Sets (p. 182). • Amazon Route 53 API – See POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. New Feature 2013-04-01 When you create or update HTTPS health checks, you February 23, can now configure Amazon Route 53 to send the host 2016 name to the endpoint during TLS negotiation. This allows the endpoint to respond to the HTTPS request with the applicable SSL/TLS certificate. For more information, see the description for the Enable SNI field in the "Values that You Specify When You Create or Update Health Checks" topic. For information about how to enable SNI when you use the API to create or update a health check, see POST CreateHealthCheck and POST UpdateHealthCheck in the Amazon Route 53 API Reference. New Feature 2013-04-01 You can now register domains for over 100 additional top- January 27, level domains (TLDs) such as .accountants, .band, and 2016 .city. For a complete list of supported TLDs, see Domains that You Can Register with Amazon Route 53 (p. 41). New Feature 2013-04-01 You can now create alias resource record sets that route January 19, traffic to Elastic Beanstalk environments. For information 2016 about creating resource record sets by using the Amazon Route 53 console, see Creating Resource Record Sets by Using the Amazon Route 53 Console (p. 184). For information about using the API to create resource record sets, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. New Features The Amazon Route 53 console now includes a visual editor December 3, that lets you quickly create complex routing configurations 2015 that use a combination of Amazon Route 53 weighted, latency, failover, and geolocation routing policies. You can then associate the configuration with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. In addition, you can roll back the updates if the new configuration isn't performing as you expected it to. The same functionality is available by using the Amazon Route 53 API, AWS SDKs, the AWS CLI, and AWS Tools for Windows PowerShell. For information about using the visual editor, see Using Traffic Flow to Route DNS Traffic (p. 234). For information about using the API to create traffic flow configurations, see Actions on Traffic Policies and Traffic Policy Instances in the Amazon Route 53 API Reference. 2013-04-01 API Version 2013-04-01 318 Amazon Route 53 Developer Guide Change API Version Description Release Date New Features 2013-04-01 October 19, 2015 With this release, Amazon Route 53 adds the following new features: • Domain registration for .com and .net domains by Amazon Registrar, Inc. – Amazon is now an ICANNaccredited registrar for the .com and .net top-level domains (TLDs) through Amazon Registrar, Inc. When you use Amazon Route 53 to register a .com or .net domain, Amazon Registrar will be the registrar of record and will be listed as the "Sponsoring Registrar" in your Whois query results. For information about using Amazon Route 53 to register domains, see Registering Domain Names Using Amazon Route 53 (p. 13). • Privacy protection for .com and .net domains – When you register a .com or .net domain with Amazon Route 53, all of your personal information, including first and last name, is now hidden. First and last name are not hidden for other domains that you register with Amazon Route 53. For more information about privacy protection, see Privacy Protection for Contact Information (p. 22). New Features 2013-04-01 • Calculated health checks – You now can create health September checks whose status is determined by the health status 15, 2015 of other health checks. For more information, see Creating and Updating Health Checks (p. 246). In addition, see POST CreateHealthCheck in the Amazon Route 53 API Reference. • Latency measurements for health checks – You now can configure Amazon Route 53 to measure the latency between health checkers and your endpoint. Latency data appears in Amazon CloudWatch graphs in the Amazon Route 53 console. To enable latency measurements for new health checks, see the Latency measurements setting under Advanced Configuration ("Monitor an endpoint" Only) (p. 250) in the topic Values that You Specify When You Create or Update Health Checks (p. 246). (You can't enable latency measurements for existing health checks.) In addition, see MeasureLatency in the topic POST CreateHealthCheck in the Amazon Route 53 API Reference. • Updates to the health checks dashboard in the Amazon Route 53 console – The dashboard for monitoring health checks has been improved in a variety of ways, including CloudWatch graphs for monitoring latency between Amazon Route 53 health checkers and your endpoints. For more information, see Monitoring Health Check Status and Getting Notifications (p. 255). API Version 2013-04-01 319 Amazon Route 53 Developer Guide Change API Version Description New Documentation 2013-04-01 Release Date The Amazon Route 53 Developer Guide now explains how March 3, to configure white label name servers for Amazon Route 53 2015 hosted zones. For more information, see Configuring White Label Name Servers (p. 165). New Feature 2013-04-01 You now can use the Amazon Route 53 API to list the February 26, hosted zones that are associated with an AWS account in 2015 alphabetical order by name. You can also get a count of the hosted zones that are associated with an account. For more information, see GET ListHostedZonesByName and GET GetHostedZoneCount in the Amazon Route 53 API Reference. New Features With this release, Amazon Route 53 adds the following new features: 2013-04-01 February 11, 2015 • Health Check Status – The health checks page in the Amazon Route 53 console now includes a Status column that lets you view the overall status of all of your health checks. For more information, see Viewing Health Check Status and the Reason for Health Check Failures (p. 255). • Integration with AWS CloudTrail – Amazon Route 53 now works with CloudTrail to capture information about every request that your AWS account (including your IAM users) sends to the Amazon Route 53 API. Integrating Amazon Route 53 and CloudTrail lets you determine which requests were made to the Amazon Route 53 API, the source IP address from which each request was made, who made the request, when it was made, and more. For more information, see Using AWS CloudTrail to Capture Requests Sent to the Amazon Route 53 API (p. 296). • Quick Alarms for Health Checks – When you create a health check by using the Amazon Route 53 console, you can now simultaneously create an Amazon CloudWatch alarm for the health check and specify who to notify when Amazon Route 53 considers the endpoint unhealthy for one minute. For more information, see Creating and Updating Health Checks (p. 246). • Tagging for Hosted Zones and Domains – You can now assign tags, which are commonly used for cost allocation, to Amazon Route 53 hosted zones and domains. For more information, see Tagging Amazon Route 53 Resources (p. 302). New Feature 2013-04-01 You now can use the Amazon Route 53 console to update February 5, contact information for a domain. For more information, 2015 see Values that You Specify When You Register a Domain or Edit Domain Settings (p. 16). API Version 2013-04-01 320 Amazon Route 53 Developer Guide Change API Version Description Release Date New Feature 2013-04-01 You now can specify internationalized domain names when January 22, you're registering a new domain name with Amazon 2015 Route 53. (Amazon Route 53 already supported internationalized domain names for hosted zones and resource record sets.) For more information, see DNS Domain Name Format (p. 2). New Feature 2013-04-01 With this release, you now can edit the comment that you November specified for a hosted zone when you created it. In the 25, 2014 console, you just click the pencil icon next to the Comment field and enter a new value. For more information about changing the comment by using the Amazon Route 53 API, see POST UpdateHostedZoneComment in the Amazon Route 53 API Reference. New Features With this release, Amazon Route 53 adds the following new features: 2013-04-01 • Private DNS for Amazon Virtual Private Clouds–You now can use Amazon Route 53 to manage your internal domain names for Amazon Virtual Private Clouds (VPCs) without exposing DNS data to the public Internet. For more information, see Working with Private Hosted Zones (p. 171). • Health check failure reasons–You can now see the current status of a selected health check, as well as details on why the health check last failed, as reported by each of the Amazon Route 53 health checkers. The status includes the HTTP status code, and failure reasons include information about numerous types of failures, such as string matching failures and response timeouts. For more information, see Viewing Health Check Status and the Reason for Health Check Failures (p. 255). • Reusable delegation sets–You can now apply the same set of four authoritative name servers, known collectively as a delegation set, to multiple hosted zones that correspond with different domain names. This greatly simplifies the process of migrating DNS service to Amazon Route 53 and managing large numbers of hosted zones. Using reusable delegation sets currently requires that you use the Amazon Route 53 API or an AWS SDK. For more information, see Actions on Reusable Delegation Sets in the Amazon Route 53 API Reference. • Improved geolocation routing–We further improved the accuracy of geolocation routing by adding support for the edns-client-subnet extension of EDNS0. For more information, see Geolocation Routing (p. 181). • Support for Signature v4–You can now sign all Amazon Route 53 API requests using Signature version 4. For more information, see Signing Amazon Route 53 API Requests in the Amazon Route 53 API Reference. API Version 2013-04-01 321 November 5, 2014 Amazon Route 53 Developer Guide Change API Version Description Release Date New Features 2013-04-01 July 31, 2014 With this release, you now can do the following: • Register domain names using Amazon Route 53. For more information, see Registering Domain Names Using Amazon Route 53 (p. 13). • Configure Amazon Route 53 to respond to DNS queries based on the geographic location that the queries originate from. For more information, see Geolocation Routing (p. 181). New Features 2013-04-01 With this release, you now can do the following: July 2, 2014 • Edit most values in health checks. For more information, see Creating, Updating, and Deleting Health Checks (p. 245). • Use the Amazon Route 53 API to get a list of the IP ranges that Amazon Route 53 health checkers use to check the health of your resources. You can use these IP addresses to configure your router and firewall rules to allow health checkers to check the health of your resources. For more information, see GET GetCheckerIpRanges in the Amazon Route 53 API Reference. • Assign cost allocation tags to health checks, which also lets you assign a name to health checks. For more information, see Naming and Tagging Health Checks (p. 275). • Use the Amazon Route 53 API to get the number of health checks that are associated with your AWS account. For more information, see GET GetHealthCheckCount in the Amazon Route 53 API Reference. New Fea2013-04-01 ture, Updated Documentation With this release, you can now create health checks and April 30, 2014 use a domain name instead of an IP address to specify the endpoint. This is helpful when an endpoint's IP address either is not fixed or is served by multiple IPs, such as Amazon EC2 or Amazon RDS instances. For more information, see Creating and Updating Health Checks (p. 246). In addition, some information about using the Amazon Route 53 API that formerly appeared in the Amazon Route 53 Developer Guide has been moved. Now all API documentation appears in the Amazon Route 53 API Reference. API Version 2013-04-01 322 Amazon Route 53 Developer Guide Change API Version Description Updated 2013-04-01 Host header value for HTTPS health checks Release Date With this release, Amazon Route 53 passes a different April 18, 2014 value in the Host header when the health check Port value is 443 and the Protocol value is HTTPS. During a health check, Amazon Route 53 now passes to the endpoint a Host header that contains the value of the Host Name field. If you created the health check by using the CreateHealthCheck API action, this is the value of the FullyQualifiedDomainName element. For more information, see Creating, Updating, and Deleting Health Checks (p. 245). New Features 2013-04-01 With this release, you can now view what percentage of April 9, 2014 Amazon Route 53 health checkers are currently reporting that an endpoint is healthy. In addition, behavior of the Health Check Status metric in Amazon CloudWatch now shows only zero (if your endpoint was unhealthy during a given time period) or one (if the endpoint was healthy for that time period). The metric no longer shows values between 0 and 1 reflecting the portion of Amazon Route 53 health checks that are reporting the endpoint as healthy. For more information, see Monitoring Health Checks Using CloudWatch (p. 257). New Features 2013-04-01 With this release, Amazon Route 53 adds the following features: • Health check failover threshold: You can now specify how many consecutive health checks an endpoint must fail before Amazon Route 53 considers the endpoint unhealthy, between 1 and 10 consecutive checks. An unhealthy endpoint must pass the same number of checks to be considered healthy. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). • Health check request interval: You can now specify how frequently Amazon Route 53 sends requests to an endpoint to determine whether the endpoint is healthy. Valid settings are 10 seconds and 30 seconds. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). API Version 2013-04-01 323 February 18, 2014 Amazon Route 53 Developer Guide Change API Version Description Release Date New Features 2013-04-01 January 30, 2014 With this release, Amazon Route 53 adds the following features: • HTTP and HTTPS string-match health checks: Amazon Route 53 now supports health checks that determine the health of an endpoint based on the appearance of a specified string in the response body. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). • HTTPS health checks: Amazon Route 53 now supports health checks for secure, SSL-only websites. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). • UPSERT for the ChangeResourceRecordSets API Action: When creating or changing resource record sets using the ChangeResourceRecordSets API action, you can now use the UPSERT action either to create a new resource record set if none exists with a given name and type, or to update an existing resource record set. For more information, see POST ChangeResourceRecordSets in the Amazon Route 53 API Reference. New Feature 2013-04-01 With this release, Amazon Route 53 adds support for health checks that determine the health of an endpoint based on whether a specified string appears in the response body. For more information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy (p. 254). New Feature 2012-12-12 With this release, Amazon Route 53 adds support for cre- August 14, ating resource record sets by importing a BIND-formatted 2013 zone file. For more information, see Creating Resource Record Sets By Importing a Zone File (p. 230). In addition, CloudWatch metrics for Amazon Route 53 health checks have been integrated into the Amazon Route 53 console and streamlined. For more information, see Monitoring Health Checks Using CloudWatch (p. 257). API Version 2013-04-01 324 January 7, 2014 Amazon Route 53 Developer Guide Change API Version Description New Feature 2012-12-12 With this release, Amazon Route 53 adds support for integrating health checks with CloudWatch metrics so you can do the following: Release Date June 26, 2013 • Verify that a health check is properly configured. • Review the health of a health check endpoint over a specified period of time. • Configure CloudWatch to send an Amazon Simple Notification Service (Amazon SNS) alert when all Amazon Route 53 health checkers consider your specified endpoint to be unhealthy. For more information, see Monitoring Health Checks Using CloudWatch (p. 257). New Feature 2012-12-12 With this release, Amazon Route 53 adds support for cre- June 11, ating alias resource record sets that route DNS queries to 2013 alternate domain names for Amazon CloudFront distributions. You can use this feature both for alternate domain names at the zone apex (example.com) and alternate domain names for subdomains (www.example.com). For more information, see Routing Traffic to an Amazon CloudFront Distribution (Public Hosted Zones Only) (p. 151). New Feature 2012-12-12 With this release, Amazon Route 53 adds support for May 30, 2013 evaluating the health of ELB load balancers and the associated Amazon EC2 instances. For more information, see Amazon Route 53 Health Checks and DNS Failover (p. 245). Updated 2012-12-12 Documentation The documentation about health checks and failover was March 28, rewritten to enhance usability. For more information, see 2013 Amazon Route 53 Health Checks and DNS Failover (p. 245). New Feature 2012-12-12 With this release, Amazon Route 53 adds support for fail- February 11, over and health checks. For more information, see Amazon 2013 Route 53 Health Checks and DNS Failover (p. 245). New Feature 2012-02-29 With this release, Amazon Route 53 lets you create latency March 21, resource record sets. For more information, see Latency- 2012 Based Routing (p. 180). New Feature 2011-05-05 With this release, the Amazon Route 53 console in the December AWS Management Console lets you create an alias re21, 2011 source record set by choosing an Elastic Load Balancer from a list instead of manually entering the hosted zone ID and the DNS name of the load balancer. New functionality is documented in the Amazon Route 53 Developer Guide. API Version 2013-04-01 325 Amazon Route 53 Developer Guide Change API Version Description Release Date New Feature 2011-05-05 With this release, you can use the Amazon Route 53 console in the AWS Management Console to create and delete hosted zones, and to create, change, and delete resource record sets. New functionality is documented throughout the Amazon Route 53 Developer Guide, as applicable. Updated 2011-05-05 Documentation The Amazon Route 53 Getting Started Guide was merged October 18, into the Amazon Route 53 Developer Guide, and the De- 2011 veloper Guide was reorganized to enhance usability. New Feature 2011-05-05 This release of Amazon Route 53 introduces alias resource May 24, 2011 record sets, which allow you to create zone apex aliases; weighted resource record sets; a new API (2011-05-05); and a service-level agreement. In addition, after six months in beta, Amazon Route 53 is now generally available. For more information, see the Amazon Route 53 product page and Choosing Between Alias and Non-Alias Resource Record Sets (p. 182) in the Amazon Route 53 Developer Guide. Initial Release This is the first release of Amazon Route 53 Developer Guide. 2010-10-01 API Version 2013-04-01 326 November 16, 2011 December 5, 2010 Amazon Route 53 Developer Guide AWS Glossary For the latest AWS terminology, see the AWS Glossary in the AWS General Reference. API Version 2013-04-01 327
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Author : Unknown Trapped : False Create Date : 2016:08:09 17:26:25Z Modify Date : 2016:08:09 17:26:25Z Page Count : 333 Page Layout : OneColumn Page Mode : UseOutlines Format : application/pdf Title : Amazon Route 53 Developer Guide Creator : Unknown Producer : XEP 4.18 build 20100322 Creator Tool : DocBook Xsl V 1.76, with Amazon Web Services Internal TweaksEXIF Metadata provided by EXIF.tools