Thoughtfully Migrating Route 53 to Netlify - Preferred Order-of-Operations?

is live, hosted in AWS, and's primary nameservers point to Route 53. All DNS management for is done in Route 53. There are 114 records in total, a mix of A, CNAME, and TXT records, as well as a unique SOA, MX and NS record.

is also live, hosted in Netlify, and's primary nameservers point to Netlify. All DNS management for is done in Netlify’s admin. There are only 3 records at present:

  •, and

which (I believe) follows Netlify’s recommended setup for domains.

Long term goal: cut everything over to Netlify (so an eventual migration of all records is likely in order)

Shorter, more important goal: Cut traffic over to (as well as to, respectively) in the least invasive way possible; that is, disrupt as few of the previous 114 records as possible, so that:

  • subdomains (that aren’t www.) continue to point to existing AWS resources,
  • mail isn’t disrupted (MX, SPF, DKIM),
  • CNAMEs to external sources (eg. don’t have to be changed (yet) and continue to function.

I understand there are multiple ways to do this, but I’m curious if Netlify has a recommended order-of-operations, knowing AWS is involved, there are many subdomains that don’t necessarily have to be touched (yet), etc.

Note: If it wasn’t clear by this point, it’s probably important to point out that is v2 of, even though the domain names are (presently) different…and is a throwaway domain name.

@Wrapmate Welcome to the Netlify community.

I thought I was following you until that last paragraph. If you want to keep Route 53, then get SiteB ready and make the DNS changes with Route 53 when you’re ready. If you want to delegate DNS to Netlify, then someone will have to transfer most of those 114 DNS entries from Route 53 to Netlify and then when ready, change your DNS delegation. The big problem is that your biggest disruption will come from switching to SiteB, and THEN changing its domain name.

At any rate, I refer you to this source:

Thanks! I did see that and have it bookmarked.

It sounds like it is possible just to point and directly over to Netlify while still retaining the majority of DNS in Route 53 (to start), so perhaps this can be a staggered migration (unless anyone can think of a reason why that wouldn’t work).

@Wrapmate It depends on what you mean by “staggered.” You can delegate only one set of name servers per custom domain, so whichever set of name servers you delegate are the ones in control … until you delegate to different name servers and those changes have to propagate.

“Staggered” in the sense that there is a possible phased path forward that looks something like:


  • Nameservers continue to point to AWS
  • In R53, and are CNAMEs that can be pointed to a Netlify resource:
  • All remaining subdomains continue to behave as normal.


  • Nameservers are updated to point to Netlify
  • The remaining 112 records are recreated in Netlify, but (in most of the entries) point back to AWS resources (which is basically the reverse of P1)

…if this is possible.

@Wrapmate Yep, that should work.
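A pre-cutover check for the phased plan above, added here as an example and not part of the original thread: it diffs the old zone against the records recreated at the new provider and flags drift in mail records (MX, SPF, DKIM) before the nameservers are changed. The "name type value" export format, the function names and all `example.*` records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports, one "name type value" record per line.
# example.com and every value below are placeholders, not from the thread.
OLD_ZONE = """
example.com.                  MX    10 mail.example.com.
example.com.                  TXT   "v=spf1 include:_spf.example.net ~all"
sel1._domainkey.example.com.  CNAME sel1.dkim.example.net.
app.example.com.              CNAME lb-1.aws.example.net.
www.example.com.              CNAME old-site.aws.example.net.
example.com.                  NS    ns-1.old-dns.example.
"""
NEW_ZONE = """
example.com.                  MX    10 mail.example.com.
example.com.                  TXT   "v=spf1 include:_spf.example.net -all"
app.example.com.              CNAME lb-1.aws.example.net.
www.example.com.              CNAME new-site.netlify.example.
example.com.                  NS    ns-1.new-dns.example.
"""
PROVIDER_OWNED = {"NS", "SOA"}  # differ by design once delegation moves


def parse_zone(text):
    """Return {(name, type): {values}} with names and values normalised."""
    records = defaultdict(set)
    for line in text.strip().splitlines():
        name, rtype, value = line.split(None, 2)
        # TXT: drop surrounding quotes; other types: drop the trailing dot.
        value = value.strip().strip('"' if rtype.upper() == "TXT" else ".")
        records[(name.lower().rstrip("."), rtype.upper())].add(value)
    return records


def is_mail_record(name, rtype, values):
    """MX, SPF TXT and DKIM selector records: the ones that break mail."""
    return (rtype == "MX" or "._domainkey" in name
            or any(v.startswith("v=spf1") for v in values))


def diff_zones(old_text, new_text, expected=()):
    """List (status, name, type, mail_critical) for every unexpected drift."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    findings = []
    for key in sorted(set(old) | set(new)):
        if key[1] in PROVIDER_OWNED or key in expected or old.get(key) == new.get(key):
            continue
        status = "missing" if key not in new else "added" if key not in old else "changed"
        values = old.get(key, set()) | new.get(key, set())
        findings.append((status, *key, is_mail_record(*key, values)))
    return findings
```

Calling `diff_zones(OLD_ZONE, NEW_ZONE, expected={("www.example.com", "CNAME")})` on the sample data reports the altered SPF policy and the DKIM selector that was never recreated, while the intended `www` change and the provider-owned NS record are ignored.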

As this is still a project-in-motion, an interesting (concerning?) issue arose.

I cut the DNS management over to Netlify on Monday and have migrated all the records over, pointing them back to their respective AWS endpoints. I also tried experimenting by setting up and simply pointing it to the new site that is being built in Netlify.

Initially, there was an SSL security violation – but now there isn’t…and I feel like there should be, so I’m not exactly clear what I’m missing. To review:

  • has a valid wildcard cert issued to it (by Netlify)
  • has a valid wildcard cert issued to it (by AWS)
  • is just a CNAME to

…so, if I created a subdomain on…and pointed it to…shouldn’t the browser warn me that the cert is valid, but it doesn’t match the apex domain typed into the location bar?

Why does this work? What am I missing here…

Without knowing specifics about your site, if you’re using Netlify DNS, we may have grabbed a wildcard SSL cert.

A utility like SSL Certificate Checker - Diagnostic Tool | should tell you how it thinks it’s working 🙂