A DNS TTL set to 86400 seconds (24 hours) means resolvers may keep serving a misconfigured or failed record for up to 24 hours after you've corrected it. NIST SC-20 covers secure DNS; ISO 25010 reliability.availability requires timely failover capability. A TTL between 300 and 3600 seconds gives you fast failover when you need to redirect traffic during an outage while keeping query load on DNS servers reasonable. A CNAME pointing to staging instead of production silently serves wrong content to all users.
Low because DNS misconfiguration causes routing failures affecting all users, but correct DNS is typically set once and rarely changes, making ongoing risk low.
Verify your DNS records point to production hosts and set TTL to 300–3600 seconds. Log into your DNS provider (Route 53, Cloudflare, Namecheap) and check A and CNAME records.
For Cloudflare via Terraform (cloudflare_record resource):

```terraform
resource "cloudflare_record" "root" {
  zone_id = var.cloudflare_zone_id
  name    = "@"
  value   = "1.2.3.4" # your production IP
  type    = "A"
  ttl     = 300       # 5 minutes, good for active incident response
  # Cloudflare forces ttl = 1 (Auto) on proxied records, so an explicit TTL only
  # applies to DNS-only records; to proxy through Cloudflare, set proxied = true
  # together with ttl = 1 instead.
  proxied = false
}
```
Lower TTL to 60 seconds before a planned migration so changes propagate in 1 minute; raise it back to 300–3600 after confirming the new config is stable. Document your DNS provider credentials location and zone ID in DEPLOYMENT.md.
ID: deployment-readiness.rollback-recovery.dns-configured
Severity: low
What to look for: Enumerate every relevant item. Check DNS records for your production domain. Verify A, AAAA, or CNAME records point to correct hosts. Check TTL (Time to Live) value — should be between 300 and 3600 seconds.
Pass criteria: At least 1 of the following conditions is met. DNS records are correctly configured and point to production hosts. TTL is between 300 and 3600 seconds. DNS provider is reliable (Route 53, Cloudflare, Namecheap, etc.).
Fail criteria: DNS records point to wrong hosts, TTL is below 300 or above 3600, or DNS provider is unreliable.
Skip (N/A) when: The project is not exposed on a public domain.
Detail on fail: "DNS TTL is set to 86400 (24 hours) — too high for quick failover." or "CNAME record points to staging host instead of production."
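The check above, written out as an added example (not part of this checklist's tooling): it parses `dig +noall +answer` lines for your production names, applies the TTL range and the wrong-host/staging-CNAME fail criteria, and produces detail strings in the format shown. The sample dig output and the production inventory are constructed for the example.

```python
import re

TTL_MIN, TTL_MAX = 300, 3600            # TTL range this check requires
STAGING_HINTS = ("staging", "stg", "dev", "test")
# One answer line of `dig +noall +answer <name> <type>`: name ttl IN type target
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_dig(output):
    """Return (name, ttl, type, target) tuples, trailing dots stripped."""
    records = []
    for line in output.splitlines():
        m = DIG_LINE.match(line.strip())
        if m:
            name, ttl, rtype, target = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, target.rstrip(".")))
    return records

def check_dns(output, production_targets):
    """Apply the fail criteria; each problem becomes one detail string."""
    details = []
    for name, ttl, rtype, target in parse_dig(output):
        if ttl > TTL_MAX:
            details.append(f"{name}: TTL is set to {ttl}, too high for quick failover")
        elif ttl < TTL_MIN:
            details.append(f"{name}: TTL is set to {ttl}, below {TTL_MIN} (extra query load)")
        if target in production_targets:
            continue
        if rtype == "CNAME" and any(h in target.lower() for h in STAGING_HINTS):
            details.append(f"{name}: CNAME record points to staging host {target}")
        else:
            details.append(f"{name}: {rtype} record points to unexpected host {target}")
    return details

def verdict(output, production_targets):
    """'pass' when no detail was raised, otherwise 'fail' with the details."""
    details = check_dns(output, production_targets)
    return ("fail" if details else "pass"), details

# Constructed sample answers for four names in one zone (not real records)
SAMPLE_DIG = """\
example.com.        86400   IN  A       1.2.3.4
www.example.com.    300     IN  CNAME   staging.example.com.
api.example.com.    600     IN  AAAA    2001:db8::10
cdn.example.com.    60      IN  CNAME   example.com.
"""
PRODUCTION = {"1.2.3.4", "2001:db8::10", "example.com"}  # assumed production inventory

if __name__ == "__main__":
    status, details = verdict(SAMPLE_DIG, PRODUCTION)
    print(status, *details, sep="\n")
```

Feed it the real `dig` output for each production name and compare against the host inventory you keep in DEPLOYMENT.md; an empty detail list is a pass.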
Remediation: Update DNS records. Using Route53 (AWS) or similar:
Go to your DNS provider console
Locate the DNS records for your domain
Set A or CNAME records to point to your production host
Set TTL to 300-3600 seconds (lower = faster failover, but more queries):
A record: your-domain.com → 1.2.3.4 (TTL: 300)
Document your DNS setup in DEPLOYMENT.md.