Domain Cutover Checklist: [domain.com]
Replace all text in [brackets] with your content. Delete this callout when done. DNS changes can take time to propagate - plan accordingly.
Cutover Overview
Domain: [domain.com]
Current Provider: [Current registrar/DNS provider]
New Provider: [New registrar/DNS provider]
Cutover Type:
- DNS only (registrar stays same)
- Full domain transfer (registrar + DNS)
- Subdomain cutover only
Scheduled Date: [YYYY-MM-DD HH:MM UTC]
Expected Propagation: [24-48 hours typical]
Rollback Window: [Time window where rollback is safe]
Pre-Cutover Preparation
Documentation & Planning
-
Current DNS records documented
- All A records exported
- All CNAME records exported
- All MX records exported
- All TXT records exported (SPF, DKIM, DMARC, verification)
- All SRV records exported
- All NS records exported
- TTL values noted
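# Export current DNS, one query per record type (many servers refuse or minimise ANY queries, RFC 8482)
# Repeat for each subdomain and service name that has its own records
for t in A AAAA CNAME MX TXT SRV NS; do dig domain.com "$t" +noall +answer; done > dns_backup_YYYYMMDD.txt
-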
DNS audit completed
- All records identified and purpose documented
- Unused records marked for cleanup
- Critical records flagged
- Third-party verifications noted (Google, Microsoft, etc.)
-
New DNS configuration prepared
- All records configured in new provider
- Records verified in staging/test environment
- DNS syntax validated
- IPv6 records included (if applicable)
-
Dependencies mapped
- Email systems identified
- Subdomains cataloged
- CDN dependencies noted
- API endpoints documented
- Third-party integrations listed
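Added example (not part of the original checklist): one way to check the new provider's zone against the exported backup before cutover is to diff two `dig +noall +answer` exports while ignoring TTLs. The function names, file names and sample records are constructed for illustration; the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: diff two `dig +noall +answer` exports, ignoring TTL and class.

# records FILE: print "name type rdata" per record, sorted and de-duplicated.
records() {
    awk '!/^;/ && NF >= 5 {
        rdata = $5
        for (i = 6; i <= NF; i++) rdata = rdata " " $i
        print tolower($1), $4, rdata
    }' "$1" | LC_ALL=C sort -u
}

# zone_diff OLD NEW: REMOVED = only in OLD, ADDED = only in NEW.
zone_diff() {
    zd_old=$(mktemp) && zd_new=$(mktemp) || return 1
    records "$1" > "$zd_old"
    records "$2" > "$zd_new"
    LC_ALL=C comm -23 "$zd_old" "$zd_new" | sed 's/^/REMOVED /'
    LC_ALL=C comm -13 "$zd_old" "$zd_new" | sed 's/^/ADDED /'
    rm -f "$zd_old" "$zd_new"
}

# Constructed sample exports: the A records change on purpose, the MX and SPF
# records stay, and the DMARC record was forgotten in the new zone.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/old.txt" <<'EOF'
domain.com.        300 IN A   192.0.2.10
www.domain.com.    300 IN A   192.0.2.10
domain.com.        300 IN MX  10 mail.provider.com.
domain.com.        300 IN TXT "v=spf1 include:provider.com ~all"
_dmarc.domain.com. 300 IN TXT "v=DMARC1; p=reject"
EOF
    cat > "$d/new.txt" <<'EOF'
domain.com.        3600 IN A   198.51.100.20
www.domain.com.    3600 IN A   198.51.100.20
domain.com.        3600 IN MX  10 mail.provider.com.
domain.com.        3600 IN TXT "v=spf1 include:provider.com ~all"
EOF
    zone_diff "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

demo
```

A REMOVED line with no ADDED line for the same name and type is a dropped record rather than a changed one; in the sample that is the DMARC policy.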
TTL Reduction
Reduce TTL values 24-48 hours before cutover to speed up propagation.
-
TTL reduced to minimum
- Current TTL: [e.g., 86400 = 24 hours]
- Reduced to: [e.g., 300 = 5 minutes]
- Reduction applied: [Date/Time]
- Wait period completed: [Minimum 2x old TTL]
-
TTL reduction verified
dig domain.com A +noall +answer
# The second column is the TTL; it should show the reduced value
Access & Credentials
-
Access verified
- Current DNS provider login: ✅
- New DNS provider login: ✅
- Domain registrar login: ✅
- Registrar lock status checked
- Auth codes available (if transferring)
-
Transfer preparation (if moving registrar)
- Domain unlocked at current registrar
- Transfer auth code obtained
- WHOIS privacy disabled temporarily
- Email address verified
- Transfer initiated at new registrar
Testing Environment
-
Test subdomain configured
- test.domain.com configured with new DNS
- Test records verified working
- Propagation tested
- Time to propagate noted: [Duration]
-
Hosts file testing performed
- Critical paths tested with new IPs
- SSL certificates verified
- Application functionality confirmed
# Test with hosts file entry (needs root; remove the entry again after testing)
echo "NEW.IP.ADD.RESS domain.com" | sudo tee -a /etc/hosts
curl https://domain.com
SSL/TLS Certificates
-
Certificate status verified
- Current cert valid until: [Date]
- Cert type: [Let's Encrypt, DigiCert, etc.]
- Cert renewal method: [Auto/Manual]
- Wildcard cert: [Yes/No]
-
New certificates prepared
- Certificates issued for new infrastructure
- Certificates installed on new servers
- Certificate chain complete
- HTTPS working on new infrastructure
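# Verify cert (subject, issuer and validity dates of the served certificate)
openssl s_client -connect domain.com:443 -servername domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
-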
Certificate renewal process updated
- DNS validation configured (if used)
- HTTP validation accessible (if used)
- Auto-renewal tested
Email Configuration
Email is often the most impacted by DNS changes. Plan carefully.
-
Current email setup documented
- MX records: [List all with priority]
- SPF record: [Value]
- DKIM records: [Selectors and values]
- DMARC record: [Value]
- Email provider: [Provider name]
-
Email migration plan
- Email stays with current provider (only MX records in new DNS)
- Email moves to new provider (requires full migration)
- Email testing method defined
-
Email testing completed
- Test email sent through new configuration
- Test email received
- SPF check passes
- DKIM signature valid
- DMARC policy applied correctly
- No spam classification
Monitoring & Alerting
-
Monitoring configured
- DNS monitoring for domain.com
- Uptime monitoring for all endpoints
- SSL certificate monitoring
- Email delivery monitoring
- Alert thresholds set
-
Health checks baseline recorded
- Current response times documented
- Current uptime percentage
- Current error rates
- Traffic patterns noted
Communication
-
Stakeholders notified
- Internal teams: [Date notified]
- Customers: [Date notified / Not needed]
- Support team: [Date briefed]
- Status page: [Updated]
-
Change window announced
- Maintenance window: [Start - End time]
- Expected impact: [None / Minimal / Moderate]
- Rollback plan communicated
Cutover Execution
Pre-Cutover Validation
-
Final go/no-go check
- All preparation tasks complete
- Team ready and available
- No conflicting changes scheduled
- Rollback plan ready
-
Current state snapshot
- DNS records exported (final backup)
- Screenshot of current DNS config
- Current nameservers: [List]
- Timestamp: [YYYY-MM-DD HH:MM UTC]
DNS Changes
-
Nameserver update (if applicable)
- New nameservers entered at registrar:
- ns1: [new-ns1.provider.com]
- ns2: [new-ns2.provider.com]
- ns3: [new-ns3.provider.com]
- Change submitted: [HH:MM UTC]
- Confirmation received: [HH:MM UTC]
-
DNS records updated (if only DNS change)
- A record: [domain.com → New IP]
- WWW CNAME: [www.domain.com → Updated]
- MX records: [Updated / Unchanged]
- TXT records: [Updated / Unchanged]
- Other records: [List any changes]
- Update submitted: [HH:MM UTC]
Immediate Verification
-
DNS propagation started
- Check from cutover location:
dig domain.com @8.8.8.8
dig domain.com @1.1.1.1
nslookup domain.com
- New values returned: ✅/⏳
- Timestamp: [HH:MM UTC]
-
Critical services responding
- Main website (domain.com): ✅
- WWW subdomain: ✅
- API endpoint: ✅
- Email (send test): ✅
Verification Phase
DNS Propagation Monitoring
-
Propagation checks (first hour)
- Check every 5 minutes
- Google DNS (8.8.8.8): [HH:MM - Status]
- Cloudflare DNS (1.1.1.1): [HH:MM - Status]
- Local ISP DNS: [HH:MM - Status]
- Use online tools: whatsmydns.net
-
Global propagation verification
- Check from multiple locations
- Use: https://www.whatsmydns.net/
- North America: ✅
- Europe: ✅
- Asia: ✅
- Australia: ✅
-
Propagation complete
- All major DNS resolvers show new values
- Time to full propagation: [Duration]
- Any stragglers noted: [List]
Functionality Testing
-
Website functionality
- Homepage loads: ✅
- All pages accessible: ✅
- Assets loading correctly: ✅
- Forms working: ✅
- Search working: ✅
- Login/Authentication: ✅
-
SSL/TLS verification
- HTTPS working: ✅
- No certificate warnings: ✅
- Certificate valid for domain: ✅
- Certificate chain complete: ✅
- SSL Labs test: [Grade]
-
API endpoints verified
- Authentication working: ✅
- Rate limiting functional: ✅
-
Email verification
- Send test email: ✅
- Receive test email: ✅
- Check spam folder: ✅
- SPF passes: ✅
- DKIM signature valid: ✅
- DMARC passes: ✅
# Verify email DNS
dig domain.com MX +short
dig default._domainkey.domain.com TXT +short
dig _dmarc.domain.com TXT +short
-
Subdomain verification
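Added example (not part of the original checklist): a sanity check on the SPF and DMARC TXT answers after cutover, covering the common migration mistake of publishing the old and new providers' SPF records as two separate TXT records. It reads `dig +short ... TXT` output on stdin; the function names and sample answers are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check SPF and DMARC TXT answers after the cutover.

# spf_status: stdin = `dig +short domain.com TXT` output.
# Prints ok | missing | multiple. More than one v=spf1 record makes SPF
# evaluation return permerror (RFC 7208 section 4.5).
spf_status() {
    n=$(grep -c -i '^"v=spf1[ "]' || true)
    case "$n" in
        0) echo missing ;;
        1) echo ok ;;
        *) echo multiple ;;
    esac
}

# dmarc_policy: stdin = `dig +short _dmarc.domain.com TXT` output.
# Prints the p= value, or missing | multiple | invalid.
dmarc_policy() {
    recs=$(grep -i '^"v=DMARC1' || true)
    [ -n "$recs" ] || { echo missing; return 0; }
    [ "$(printf '%s\n' "$recs" | wc -l)" -eq 1 ] || { echo multiple; return 0; }
    p=$(printf '%s\n' "$recs" | tr -d '" ' | tr ';' '\n' | sed -n 's/^[pP]=//p')
    echo "${p:-invalid}"
}

# Constructed answers: both providers' SPF records were published side by
# side during migration instead of being merged into one record.
sample_apex_txt() {
    cat <<'EOF'
"v=spf1 include:provider.com ~all"
"v=spf1 include:newprovider.com ~all"
"example-site-verification=constructed-token"
EOF
}
sample_merged_txt() {
    echo '"v=spf1 include:provider.com include:newprovider.com ~all"'
}
sample_dmarc_txt() {
    echo '"v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com"'
}

echo "apex SPF (as published): $(sample_apex_txt | spf_status)"
echo "apex SPF (merged):       $(sample_merged_txt | spf_status)"
echo "DMARC policy:            $(sample_dmarc_txt | dmarc_policy)"
```

Against a live zone, pipe the real answers in, for example `dig +short domain.com TXT | spf_status`.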
Performance Testing
-
Performance metrics
- DNS lookup time: [X ms]
- Page load time: [X seconds]
- API response time: [X ms]
- Compare to baseline: [Better/Same/Worse]
-
Load testing (if applicable)
- System handles expected load: ✅
- No performance degradation: ✅
- CDN working correctly: ✅
Third-Party Integrations
-
External services verified
-
Webhooks functioning
Rollback Procedures
Rollback if: DNS not resolving, major functionality broken, email not working, SSL issues, or propagation issues causing widespread problems.
Rollback Decision
-
Rollback criteria
-
Rollback decision made by: [Name]
-
Rollback time: [HH:MM UTC]
Rollback Execution
-
Revert nameservers (if changed)
- Login to registrar
- Change back to old nameservers:
- ns1: [old-ns1.provider.com]
- ns2: [old-ns2.provider.com]
- Change submitted: [HH:MM UTC]
- Wait for propagation
-
Revert DNS records (if DNS only change)
- Restore all records to previous values
- Use backed up configuration
- Verify records match backup
- Change submitted: [HH:MM UTC]
-
Rollback verification
- DNS resolving to old values: ✅
- Services accessible: ✅
- Propagation monitored
- Time to rollback completion: [Duration]
-
Rollback communication
- Team notified
- Stakeholders informed
- Status page updated
- Post-mortem scheduled
Post-Cutover Phase
Monitoring Period
-
Enhanced monitoring (24-48 hours)
- DNS resolution monitored continuously
- Uptime monitored
- Error rates monitored
- Alert channels watched
- Team on standby
-
TTL restoration scheduled
- Wait period: [24-48 hours after cutover]
- Restore TTL to normal: [e.g., 3600 or 86400]
- Scheduled date: [YYYY-MM-DD]
Cleanup
-
Old DNS provider cleanup
- Retention period: [Keep old DNS for X days]
- Old records archived
- Scheduled termination: [Date]
- Credentials rotated
-
Domain transfer completion (if applicable)
- Transfer completed: [Date]
- Domain locked at new registrar
- WHOIS privacy re-enabled
- Auto-renewal configured
-
Documentation updated
- System profiles updated with new DNS info
- Runbooks updated
- Connection strings updated (if needed)
- Team wiki updated
Validation Checks
-
Day 1 checks
- No issues reported: ✅
- All services operational: ✅
- Email flowing normally: ✅
- No customer complaints: ✅
-
Day 3 checks
- Global propagation complete: ✅
- All monitoring green: ✅
- Performance normal: ✅
- No anomalies detected: ✅
-
Week 1 checks
- TTL restored to normal: ✅
- Old DNS provider deactivated: ✅
- All integrations stable: ✅
- Team confident in cutover: ✅
Post-Cutover Review
-
Retrospective completed
- Date: [YYYY-MM-DD]
- What went well
- What could be improved
- Unexpected issues
- Lessons learned
-
Documentation finalized
- Cutover report written
- Timeline documented
- Issues and resolutions documented
- Recommendations for future cutovers
Success Criteria
- DNS resolving to new values globally
- All services fully functional
- Email sending and receiving normally
- SSL certificates valid and working
- No increase in error rates
- No customer-impacting issues
- Performance meets or exceeds baseline
- Rollback not needed
Timeline Log
| Time (UTC) | Event | Notes |
|---|---|---|
| [HH:MM] | TTL reduced | To 300 seconds |
| [HH:MM] | Cutover started | |
| [HH:MM] | Nameservers updated | |
| [HH:MM] | First propagation detected | Google DNS |
| [HH:MM] | 50% propagation | |
| [HH:MM] | Full propagation | |
| [HH:MM] | All tests passed | |
| [HH:MM] | Cutover declared success | |
| [HH:MM] | TTL restored | To 3600 seconds |
DNS Records Reference
Current (Old) DNS
; A Records
domain.com. IN A OLD.IP.ADD.RESS
www.domain.com. IN A OLD.IP.ADD.RESS
; MX Records
domain.com. IN MX 10 mail.provider.com.
; TXT Records
domain.com. IN TXT "v=spf1 include:provider.com ~all"
New DNS
; A Records
domain.com. IN A NEW.IP.ADD.RESS
www.domain.com. IN A NEW.IP.ADD.RESS
; MX Records
domain.com. IN MX 10 mail.newprovider.com.
; TXT Records
domain.com. IN TXT "v=spf1 include:newprovider.com ~all"
Team & Contacts
| Role | Name | Contact | Availability |
|---|---|---|---|
| Cutover Lead | [Name] | [Phone/Slack] | [Hours] |
| DNS Admin | [Name] | [Phone/Slack] | [Hours] |
| DevOps | [Name] | [Phone/Slack] | [Hours] |
| Email Admin | [Name] | [Phone/Slack] | [Hours] |
Emergency Escalation: [Name, Contact]
Related Documentation
- [System Profile: [Domain/Service]]
- [DNS Management SOP]
- [Email Configuration Guide]
- [SSL Certificate Management]
Checklist Version: 1.0
Last Updated: [YYYY-MM-DD]
Cutover Status: Planning / In Progress / Complete / Rolled Back