Domain Transfer, Dyn.com to Hurricane Electric

James F. Carter <jimc@jfcarter.net>, 2019-08-23

Since 2011-06-13, CouchNet has been using Dynamic Network Services Inc. (dyn.com) as our DNS provider, with excellent service. However, Oracle swallowed dyn.com in about 2017 and they are now transferring Dyn Standard DNS customers (that's us) to their own service, plus the rest of the Dyn customers. Jimc is getting kicked off the dyn.com service, thinks Oracle is a pack of weasels, and would prefer to switch to a new provider other than Oracle.

Requirements for the new provider:

The IPv4 address for jfcarter.net is non-static (aleatory), and there must be some kind of API to update it dynamically. I'm currently using ddclient with dyn.com.
The domain is currently set up with an "A" record (also AAAA, MX, etc.) for the second level name, jfcarter.net. I would prefer not to have to change that in the middle of switching providers.
My zone has about 20 records, a modest number.
Number of queries (to dyn.com) during 2019-07-xx: 6.3e4 which is 8% of their limit for my tier of 7.5e5/month.
I don't have strict requirements for a short TTL. Dyn.com used 600sec as the default and I left it there; at Mathnet we used 24 hours.
Short downtime is acceptable in the transition to the new provider.

Which Provider Should I Switch To?

A search on Google for "dynamic dns provider comparison" delivers these comparison articles. They seem to concentrate on free services.

Dynamic DNS: is it still useful, or is it now irrelevant?

(2018-03-27 by Kevin Bowyer.) Yes it's still relevant for a surveillance or home monitoring camera network. He mentions dyn.com and No-IP as dynamic DNS providers.

What's the right solution for dynamic DNS these days?

(2017-12-08, OP Jehos "the Hutt".)

OminousPonderer uses Namecheap; he switched from dyn.com when they changed to non-free.
Xelas is using noip.org, free tier. They send you mail once a month asking if you're alive and you have to follow a link in the mail.
trend900 is using duckdns.org . To update, you do a https connection from the host being updated to their server with a query-string authenticator.
OP ended up using FreeMyIP.com .
CatBus, reading this thread, also went with FreeMyIP.com and likes it.
overstitch mentions a free plan with Cloudflare and also Hurricane Electric.

Best DDNS Providers?

(2017-06-11, OP Lec8316.)

dbeato uses NoIP or DynDNS, preferring NoIP.
Several others mention NoIP and DynDNS.
Breffni Potter suggests looking at zerotier.com which is some kind of alternative to a static public IP. VPNs from each of your devices to their server, you get virtual network interfaces and can configure a virtual switch any way you want. I didn't read far enough to see if you can buy a static public IP for your switch.
2 people mention afraid.org .

10 Best Free DNS Hosting Providers

(2018-10-10, by Brian Jackson.) He starts with an explanation of what DNS is and why a competent provider is important. Then the recommendations "in no particular order". He concludes by saying that by quantitative metrics, the free services are excellent and at a similar level as the paid providers.

Hurricane Electric — 100% free DNS hosting.
Cloudflare — They're a DDoS service, and DNS is a component of that. Free tier.
Rackspace — They're a big co-location service, and DNS is part of that.
FreeDNS — Appears to be afraid.org. Inception 2004, good reputation, moderately big company.
ClouDNS — Not a lot of info on ClouDNS.
GeoScaling — Includes redirecting users by various criteria including geographic.
Namecheap — Their forte is domain name registration but are mentioned as a dynamic DNS service also.
1984 — Web hosting company with a free DNS service. Comment poster says customer service is awful.
BuddyNS — Mainly for secondary DNS.
Dynu — Inception 1997. "Forever free" plan with modest capabilities.

Transferring to Hurricane Electric

I'm already using Hurricane Electric for IPv6 tunneling, with excellent service. (But I switched for reasons that were no fault of Hurricane Electric.) Obviously, if Hurricane Electric can support my domain, I should use them. So what can I get them to do for me? They have their own DNS servers, with dynamic updates, and they have a front end to Register.com for domain registration.

Hurricane Electric's domain registration service is called HurricaneNames.net. You need to create a separate account on it. They will want a loginID, password, and answer for a security question, e.g. your favorite pet. They also want contact information: full name, e-mail, physical address, phone number. This information will be posted publicly in the WHOIS database as the contact person for your newly registered domain.

Here's the rather complicated procedure to transfer the domain, as seen by me. Navigation details are specific for Hurricane Electric and Dyn.com, but the general workflow probably will be similar for other registrars.

Account and Preparation on the New Registrar

You will need an account on dns.he.net, Hurricane Electric's DNS service. This identity is recognized on all Hurricane Electric services except HurricaneNames.net, which is a front end to Register.com.
Contact Customer Support on your new registrar (Hurricane Electric), tell them you are importing a domain, and ask them for a transfer credential. This is a TXT record with a particular key (domain name) which they look for, and a securely hashed value (in quotes). It proves to the new registrar that the person importing the domain is its owner, i.e. the person who can manage the domain on the old registrar. I actually did this step later after seeing the relevant error message.

Prepare and Unlock on the Old Registrar

Log in to your current (soon to be former) registrar (Dyn.com).
Make sure they have your current e-mail address; they will be sending you mail that you need to respond to.
Navigate to Managing Your Domain.
Download a copy of your zone file if possible, or make a backup copy of your zone's content by hand.
Insert the TXT record that the new registrar gave you.
Unlock the domain, i.e. allow it to be transferred. The checkbox is on the same page in the header area.
At least on Dyn.com, the EPP code will then be shown. This is a credential by which the new registrar proves to the old registrar that the domain owner (someone who can log in to the old registrar's pages) intentionally authorized the transfer. It is 11 random printable bytes, about 64 bits of entropy. Copy it down.

Transfer the Domain to the New Registrar

Turn back to the new registrar's site.
Find Credit Card Settings and add or check your payment method.
Back on the main page, pick Transfer.
Give the domain name, comma, EPP code. Domain transfer settings were left at the defaults:
- Declined RCOM Shield ID Protect for $8/yr
- Transfer verification: auto (vs. FAX)
- Yes registrar lock
- Yes auto renew
- Declined access password.
Hit "Transfer Domains".
Confirm the EPP code
The Price: $28.91 for 1 year; agree to the terms of service.
Copy down your order confirmation number.
To check the order, see "My Reports" under "Transfers In".
It took about 2 hours to proceed from "Transfer Initiated" to "Awaiting Confirmation" and about 4 more hours to "Domain is off dyn.com" (e-mail) and "Transferred and Paid Successfully".

Expediting the Transfer

Weasels! Dyn.com sent me e-mail saying if you want to cancel the transfer, follow this link, but if we don't hear from you by 2019-08-30 (in 6 days), the transfer will proceed.
Oh, good, on the domain name registration page (dyn.com) buttons have appeared to deny the transfer, or to approve it immediately. Click.
"Domain jfcarter.net will be deleted from Dyn in the next 24 hours."

Populating and Activating Your Domain

Once your order has advanced to "Transferred and Paid Successfully", navigate to dns.he.net, Hurricane Electric's DNS service. Log in using your Hurricane Electric loginID and password.
Upload your zone file if possible, except I didn't figure out how to do that, so I entered all my records by hand. The SOA and NS records are prefilled; leave them alone.
Return to HurricaneNames.net. Manage your domain.
Scroll down to DNS Servers. There is an editable list of NS records whose values are your assigned nameservers on the old DNS service (Dyn.com). Edit them to point to your nameservers on the new DNS service (ns[1-5].he.net). Save your changes and confirm.
In less than 5 minutes, the new NS values appeared in the WHOIS database and had been pushed to the TLD apex nameservers for .net, my TLD. I checked on a.gtld-servers.net and several others. It is very believable that other registrars might take longer to update WHOIS and the apex NSs. On UNIX/Linux, the commands to check WHOIS and the TLD server are:
whois -H jfcarter.net
dig @a.gtld-servers.net. jfcarter.net. NS
The domain transfer process is now complete. However, there is a TTL of 2 days on the glue records (NSs on the apex servers) and you will need to wait for the TTL to expire on recursive DNS forwarders before your net and your various peers will start using the new DNS service. If you have to change zone records in this interval, do it on both DNS services.

Hurricane Electric DNS Service

The free DNS service is at https://dns.he.net/ . It looks like there's more than enough technical capability for my net. There's a quantitative limit of 50 zones on the free service. In my case this includes the reverse zone for my Tunnelbroker.net tunnel. What about bulk upload and download (backups)? (Same for Dyn.)

On dyn.com for the domain jfcarter.net (2019-08-24), queries during 2019-07-xx: 6.3e4 which is 8% of the limit for my tier of 7.5e5/month. TTL is 600 sec for all records.

Forum posts say it is possible to make dns.he.net do a AXFR to suck a zone from a specified nameserver. But I couldn't find a working procedure. An alternative is to download a copy of your zone file — also as a backup copy. I know how to do that on Dyn.com but I haven't found the procedure on dns.he.net yet, and then I would have to upload the file which I also don't know how to do. I populated my zone by hand. Here are some details from the process:

How to fill out the "A" record form for jfcarter.net:
- Name: jfcarter.net. FQDN with the ending dot; without the dot the zone name is appended e.g. jacinth -> jacinth.jfcarter.net.
- IPv4: 47.156.153.86 dotted quad decimal
- TTL: 86400 (is the default). Pick from the dropdown list.
- Enable for DDNS: check the box. Growl, it overrides explicit entries with TTL=300, data=127.0.0.1. Fix those.
A similar AAAA record but no DDNS, they got it right the first time.
On the form, the RRs are sorted by type (lexically but SOA and NS first) and within that, lexically by FQDN.
SRV record, click "Additional" and pick SRV from the drop-down list. "Nanny" disallowed _xmppconnect.jfcarter.net SRV, it checks for protocol. Omit this record, the key is deprecated.
Presently, jacinth.jfcarter.net is a CNAME for jfcarter.net, which is bogus because its IPv6 addr is on Surya. I'm going to create a separate "A" record with dynamic updating, and a separate AAAA with the correct address.
There are 2 MXs: jfcarter.net -> Mailroute, and smtp.jfcarter.net -> jfcarter.net. Spammers send mail to Mailroute because of the first MX, and Mailroute sends via the second one.
All SRV records to services on Jacinth will point to jacinth.jfcarter.net.
Confirmed, ns1.he.net is serving these records.

Hurricane Electric supports some modern RR types that I have not used before. Which of these should I add?

ALIAS — Like a CNAME for a domain apex, but only for 'A' and AAAA records, whose values are taken (by the server, not the client) from the referent domain. Other records like SOA, NS, MX are still sought under the domain apex, whereas with a CNAME they would be sought under the referent, which is totally bogus and is the reason CNAMEs are illegal as domain apexes. Later I may switch to this modern style, but not in the middle of a big project.
CAA — Certificate Authority Authorization. Added this. Key: jfcarter.net. Value: 0 issue "diamond.cft.ca.us". This means that only Diamond is allowed to issue a host certificate for any domain name within the zone on which the CAA is set, and reputable other CAs will refuse to do so. But disreputable CAs are not deterred.
AFSDB — Andrew File System server locations. Irrelevant.
HINFO — Host info: CPU and OS type, RFC 883. Squishy privacy and security issues, and few sites either publish or look at HINFO, Don't wake sleeping dragons.
RP — Email address of the contact person for the domain. Tempting, but it's clearly a spam magnet, and I think it's rarely published or looked at.
LOC — Geographical location of domain. Added this. Key: jfcarter.net. Value: 34 1 N 118 26 W 42m 30m
NAPTR — To rewrite domain names, RFC 3403 + 2915. Example and major use case: map a phone number to a SIP URL. Irrelevant for my net.
SSHFP — SSH key fingerprint of a host, RFC 4255. This would be really cool if properly set up, and saves nasty maintenance of ~user/.ssh/known_hosts which is always missing new hosts, but setting it up will be a big job, so I'm going to defer this.
SPF — Sender Policy Framework (RFC 4408, deprecated in RFC 7208). Irrelevant.

Setting Up Dynamic DNS

Next step is to set up DDNS for jfcarter.net and jscinth.jfcarter.net . On my net the wild side IP address of Jacinth is not fixed (is aleatory), and when my ISP changes it, I need to update the A record for this host and its alias, which is what dynamic DNS is for. In my case the IPv6 address is fixed, but dynamic DNS could be used for IPv6 also. A search on Google produces: Getting Started with Dynamic DNS

The domain (FQDN) to get DDNS must have a unique address, i.e. only one "A" record and one AAAA. Otherwise the updater will pick one in a way never to your advantage.
Edit your record and mark the DDNS checkbox. This will change the TTL to 300 sec and the value to localhost (127.0.0.1 or ::1); fix at least the value.
On the zone listing, click on the arrow circle icon and fill in a (strong) password that you create, or hit generate and it will give you 16 bytes of random base64. For tha "A" and AAAA record for one FQDN, you may (probably must) use the same password,
Tell your dynamic update client to use the same protocol that dyndns uses (so they say).
They show how the API works, with four variants. Basically you're going to make a HTTPS query to the server which includes the new IP address. In these examples, $FQDN = the domain (hostname) to be updated, which goes in the username slot; $PW = password; $IP = IPv4 address as dotted decimal quad or IPv6 address as hex, no [ ]; AF = address family, 4 or 6. Curl is shown to make the query but any querier like ddclient can be used. Only update the address when you know that it has changed; frequent identity transformations are considered to be abusive.
- GET method, basic auth; the querier's IP address is the new value.
  curl -$AF "https://$FQDN:$PW@dyn.dns.he.net/nic/update?hostname=$FQDN"
- GET method, basic auth with an explicit IP address.
  curl "https://$FQDN:$PW@dyn.dns.he.net/nic/update?hostname=$FQDN&myip=$IP"
- GET method, password in the query string (vs. the host segment).
  curl "https://dyn.dns.he.net/nic/update?hostname=$FQDN&myip=$IP&password=$PW"
- POST method, which avoids the need to URL-encode things
  curl "https://dyn.dns.he.net/nic/update" -d "hostname=$FQDN" -d "myip=$IP" -d "password=$PW"
Here's the stanza in /etc/ddclient.conf for updating jacinth.jfcarter.net . Note the FQDN is duplicated as the login parameter. This means that you need a separate stanza for multiple FQDNs; you can't use a comma-separated list of FQDNs all to be updated to the same IP.
```
protocol=dyndns2,		\
server=dyn.dns.he.net,		\
login=jacinth.jfcarter.net	\
password=wouldntyouliketoknow	\
jacinth.jfcarter.net
```
Command line to run ddclient: On CouchNet this is found near the end of /usr/diklo/sbin/dhclient-hooks . There is a crock where it uses a cached value incorrectly; to head this off, remove the cache file.
rm -f /var/cache/ddclient/ddclient.cache
ddclient -daemon=0 -use=ip -ip=47.156.153.86 --force
Do "ddclient -help |& less" for extensive docs. No actual man page.