Migrating Route 53 registered domains and hosted zones to another AWS account.

Nanthan Rasiah
5 min read · Mar 21, 2021


Organisations are moving from a single AWS account to a well-architected multi-account AWS environment, and resources need to be migrated from one AWS account to another for better management. In this post, let's see how to transfer Route 53 registered domains to another account and how to migrate hosted zones to another account using the AWS CLI.

Let's assume company ABC Ltd. uses AWS account A to configure domain names and hosted zones, and the company wants to move this configuration to AWS account B. The following describes the detailed steps for migration from account A to account B.

Step I - AWS CLI set up.
Install AWS CLI version 2 and create profiles for connecting to account A and account B as follows.

aws configure --profile accountA 
AWS Access Key ID [None]: <Enter account A access Key>
AWS Secret Access Key [None]: <Enter account A secret access key>
Default region name [None]: us-east-1
Default output format [None]: text
aws configure --profile accountB
AWS Access Key ID [None]: <Enter account B access Key>
AWS Secret Access Key [None]: <Enter account B secret access key>
Default region name [None]: us-east-1
Default output format [None]: text

Note: AWS Route 53 is primarily a global service; use us-east-1 as the default region in the CLI configuration.

Step II - Initiate Domain Transfer Request
First, initiate the transfer request from account A as follows.

aws route53domains transfer-domain-to-another-aws-account \
--region us-east-1 \
--domain-name <domain-name> \
--account-id <account-id> \
--profile accountA

You need to provide the following:
domain-name: name of the domain you want to transfer.
account-id: ID of the AWS account to which you want to transfer the domain, in this case the account ID of account B.

On execution of the above command, you will see output like the following.

{
"OperationId": "09bbbc48-2b96-424b-870c-3670e4d98e12",
"Password": "xxxxxxxxx"
}

Step III - Accept Domain Transfer Request
Accept the domain transfer request from account B as follows.

aws route53domains accept-domain-transfer-from-another-aws-account \
--region us-east-1 \
--domain-name <domain-name> \
--password "<password>" \
--profile accountB

You need to provide the following:
domain-name: name of the domain you want to transfer.
password: the password you got from the transfer request output in step II.

On execution of the above command, you will see output like the following.

{
"OperationId": "1b9fcde4-dd7e-47aa-8392-d183c86c05fe"
}

Step IV - Create Hosted Zone
Create a new hosted zone in account B as follows.

aws route53 create-hosted-zone \
--name <domain-name> \
--caller-reference <unique-string> \
--hosted-zone-config Comment="<description>",PrivateZone=false \
--profile accountB

You need to provide the following:
domain-name: name of the domain.
unique-string: a unique string to identify the request.
description: any description of this hosted zone.

The above command creates a public hosted zone; the domain name should be registered with a domain registrar. If you want to create a private hosted zone, set PrivateZone=true.

On execution of the above command, you will see output like the following.

{
"Location": "https://route53.amazonaws.com/2013-04-01/hostedzone/Z0940328EZ1TKC7LE8C7",
"HostedZone": {
"Id": "/hostedzone/Z0940328EZ1TKC7LE8C7",
"Name": "<domain-name>.",
"CallerReference": "<unique-string>",
"Config": {
"Comment": "<description>",
"PrivateZone": false
},
"ResourceRecordSetCount": 2
},
"ChangeInfo": {
"Id": "/change/C02994291L8CWEA042DKB",
"Status": "PENDING",
"SubmittedAt": "2021-03-20T21:18:48.141000+00:00"
},
"DelegationSet": {
"NameServers": [
"ns-30.awsdns-03.com",
"ns-1374.awsdns-43.org",
"ns-1707.awsdns-21.co.uk",
"ns-858.awsdns-43.net"
]
}
}

Step V - Get hosted zone ID
Get the hosted zone ID of the hosted zone that you want to migrate from account A as follows.

aws route53 list-hosted-zones-by-name \
--dns-name "<domain-name>" \
--profile accountA | grep -m 1 Id

You need to provide the following:
domain-name: name of the domain you want to transfer.

On execution of the above command, you will see output like the following.

"Id": "/hostedzone/Z06444843ETO7X4MA2AXA",

Note this hosted zone ID; it is needed in the following command.

Step VI - Create file with hosted zone records
Create a file that contains the records of the hosted zone you want to migrate as follows.

aws route53 list-resource-record-sets \
--hosted-zone-id Z06444843ETO7X4MA2AXA \
--profile accountA > list-records-Z06444843ETO7X4MA2AXA.txt

hosted-zone-id - the ID of the hosted zone that you got in step V

Here, we are creating the file list-records-Z06444843ETO7X4MA2AXA.txt, which contains the list of records in the hosted zone you want to migrate.

A sample file looks like the following.

Step VII - Edit the records in the file.
The file created in step VI needs to be edited as follows before it is used to create records in the new hosted zone.

  1. Delete the NS and SOA records, as the new hosted zone has these records by default.
    Delete lines 25 to 53 in the sample file.
  2. Replace the first 2 lines with the following.
    {
    "Comment": "Migrating records from accountA to accountB",
    "Changes": [
  3. For each record, add an Action, a ResourceRecordSet element and opening and closing brackets {} as shown below.

{
"Action": "CREATE",
"ResourceRecordSet":
{
"Name": "dev-apps.<domain-name>.",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "Z2FDTNDATAQYW2",
"DNSName": "d3duts780b3zd.cloudfront.net.",
"EvaluateTargetHealth": false
}
}
},

The edited sample file looks like the following.

This file can contain a maximum of 1000 records. If you have more than 1000 records, you need to split the file.
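The edit described in steps 1 to 3 can be scripted instead of done by hand. The following Python is an added example, not code from this post: it reads the list-resource-record-sets output, drops only the apex NS and SOA records (delegation NS records for subdomains are kept), wraps the rest in CREATE changes and starts a new batch before the 1000-record limit is reached; the zone name example.com, the output file prefix and the sample listing are constructed placeholders.

```python
import json

MAX_ELEMENTS_PER_BATCH = 1000  # the per-batch limit the post gives

def build_change_batches(listing: dict, zone_name: str, comment: str) -> list:
    """Turn `aws route53 list-resource-record-sets` output into change batches.
    Drops the apex NS and SOA (the new zone has its own), wraps every other record
    set in a CREATE change, and starts a new batch before the limit is exceeded."""
    apex = zone_name.rstrip(".") + "."
    batches, changes, size = [], [], 0
    for rrset in listing["ResourceRecordSets"]:
        if rrset["Name"] == apex and rrset["Type"] in ("NS", "SOA"):
            continue  # only the apex: NS records delegating subdomains are kept
        # Route 53 counts ResourceRecord elements; an alias record counts as one here
        cost = max(1, len(rrset.get("ResourceRecords", [])))
        if changes and size + cost > MAX_ELEMENTS_PER_BATCH:
            batches.append({"Comment": comment, "Changes": changes})
            changes, size = [], 0
        changes.append({"Action": "CREATE", "ResourceRecordSet": rrset})
        size += cost
    if changes:
        batches.append({"Comment": comment, "Changes": changes})
    return batches

def write_batches(batches: list, prefix: str) -> list:
    """Write each batch to <prefix>-<n>.json for change-resource-record-sets."""
    paths = []
    for n, batch in enumerate(batches, 1):
        path = "%s-%d.json" % (prefix, n)
        with open(path, "w") as fh:
            json.dump(batch, fh, indent=2)
        paths.append(path)
    return paths

# Constructed sample standing in for list-records-<zone-id>.txt (zone "example.com"
# and the CloudFront DNSName are placeholders, not values from the post).
SAMPLE_LISTING = {"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900, "ResourceRecords": [
        {"Value": "ns-1.awsdns-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "dev-apps.example.com.", "Type": "A", "AliasTarget": {
        "HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111111abcdef8.cloudfront.net.",
        "EvaluateTargetHealth": False}},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": "\"v=spf1 -all\""}, {"Value": "\"verify=abc123\""}]},
]}

if __name__ == "__main__":
    print(write_batches(build_change_batches(SAMPLE_LISTING, "example.com", "accountA to accountB"), "change-batch"))
```

A change batch is applied atomically, so one CREATE that collides with a record already present in the new zone rejects the whole batch; pass each generated file to change-resource-record-sets in turn.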

Step VIII - Create records in new hosted zone
Create the records in the new hosted zone in account B as follows.

aws route53 change-resource-record-sets \
--hosted-zone-id Z0940328EZ1TKC7LE8C7 \
--change-batch file://~/list-records-Z06444843ETO7X4MA2AXA.txt \
--profile accountB

hosted-zone-id - the ID of the hosted zone that you created in step IV
change-batch - file with edited records.

Step IX - Compare records.
Compare the records in the hosted zone in account A with those in the newly created hosted zone in account B, and create any missing records manually via the console. You can compare them by creating files with the list of records as follows.

aws route53 list-resource-record-sets \
--hosted-zone-id Z06444843ETO7X4MA2AXA \
--profile accountA > list-records-account-a.txt
aws route53 list-resource-record-sets \
--hosted-zone-id Z0940328EZ1TKC7LE8C7 \
--profile accountB > list-records-account-b.txt
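The two files from step IX can be compared programmatically rather than by eye. The following Python is an added example, not code from this post: it keys records by name, type and set identifier (so weighted or failover variants of one name are checked separately), skips the apex NS and SOA that legitimately differ between the two zones, and reports what is missing or changed in account B; the two sample listings and the zone name example.com are constructed.

```python
def normalize(rrset: dict) -> dict:
    # Sort record values so the order Route 53 returns them causes no false difference
    rrset = dict(rrset)
    if "ResourceRecords" in rrset:
        rrset["ResourceRecords"] = sorted(rrset["ResourceRecords"], key=lambda v: v["Value"])
    return rrset

def index_records(listing: dict) -> dict:
    # Key: (Name, Type, SetIdentifier) keeps weighted/latency/failover variants distinct
    return {(r["Name"], r["Type"], r.get("SetIdentifier", "")): normalize(r)
            for r in listing["ResourceRecordSets"]}

def compare_zones(source: dict, target: dict, zone_name: str) -> dict:
    """Record sets of the source zone missing from, or different in, the target.
    Apex NS and SOA are skipped: each hosted zone has its own delegation set."""
    apex = zone_name.rstrip(".") + "."
    src, dst = index_records(source), index_records(target)
    report = {"missing": [], "different": []}
    for key, rrset in src.items():
        if key[0] == apex and key[1] in ("NS", "SOA"):
            continue
        if key not in dst:
            report["missing"].append(key)
        elif dst[key] != rrset:
            report["different"].append(key)
    return report

# Constructed samples standing in for list-records-account-a.txt / -b.txt
# (zone "example.com" and the CloudFront DNSName are placeholders).
ALIAS = {"HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111111abcdef8.cloudfront.net.",
         "EvaluateTargetHealth": False}
SOURCE_ZONE = {"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "dev-apps.example.com.", "Type": "A", "AliasTarget": ALIAS},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": "\"v=spf1 -all\""}, {"Value": "\"verify=abc123\""}]},
    {"Name": "api.example.com.", "Type": "A", "SetIdentifier": "blue", "Weight": 50,
     "TTL": 60, "ResourceRecords": [{"Value": "192.0.2.10"}]},
]}
TARGET_ZONE = {"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-2.awsdns-01.org."}]},
    {"Name": "dev-apps.example.com.", "Type": "A",
     "AliasTarget": dict(ALIAS, EvaluateTargetHealth=True)},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": "\"verify=abc123\""}, {"Value": "\"v=spf1 -all\""}]},
]}

if __name__ == "__main__":
    print(compare_zones(SOURCE_ZONE, TARGET_ZONE, "example.com"))
```

To run it against the real files, load each with json.load and pass the two dicts in place of the constructed samples.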

Step X - Update domain registration.
Finally, update the domain registration with the new hosted zone's name servers as follows.

aws route53domains update-domain-nameservers \
--region us-east-1 \
--domain-name <domain-name> \
--nameservers Name=ns-30.awsdns-03.com Name=ns-1374.awsdns-43.org Name=ns-1707.awsdns-21.co.uk Name=ns-858.awsdns-43.net \
--profile accountB

You need to provide the following:
domain-name: name of the domain you transferred.
nameservers: the name servers, which you can get from the step IV output; the create-hosted-zone output contains the name server details.

On execution of the above command, you will see output like the following.

{
"OperationId": "f1691ec5-0e7a-489e-82e0-b19d3adsf"
}

Now you have completely migrated the registered domain name and hosted zone from account A to account B. But you have to wait 2 days for DNS resolvers to start using the new hosted zone. After that you can delete the hosted zone from account A.

Written by Nanthan Rasiah

Ex. AWS APN Ambassador | Architect | AWS Certified Pro | GCP Certified Pro | Azure Certified Expert | AWS Certified Security & Machine Learning Specialty