Skip to main content

Domain Delegation Guide

Learn how to properly delegate DNS for each domain level in Sleakops.

Overview

When Sleakops creates a hosted zone, you need to delegate the domain by updating DNS records at your domain provider (registrar). This guide explains the process for each domain level.

Provider Domain Delegation

What you're delegating

Your root domain (e.g., sleakops.com) to AWS Route 53 via Sleakops.

Steps

  1. Create the Provider domain in Sleakops

    • Sleakops creates a hosted zone in AWS Route 53
    • You'll see a table with 4 nameserver (NS) records

  2. Locate the nameservers

ns-123.awsdns-12.com
ns-456.awsdns-45.net
ns-789.awsdns-78.org
ns-012.awsdns-01.co.uk

  1. Update your domain registrar

    • Log into your domain registrar (GoDaddy, Namecheap, Google Domains, etc.)
    • Find the DNS or Nameserver settings
    • Replace existing nameservers with the 4 AWS nameservers from Sleakops
    • Save changes

  2. Verify delegation

    • Click "Check Delegate" button in Sleakops
    • Wait for DNS propagation (can take up to 48 hours, usually faster)
    • Green checkmark indicates successful delegation

Common Registrars

GoDaddy
  1. Go to Domain Manager
  2. Click on your domain
  3. Scroll to "Nameservers" → Click "Change"
  4. Select "Enter my own nameservers (advanced)"
  5. Add all 4 AWS nameservers
  6. Save
Namecheap
  1. Go to Domain List
  2. Click "Manage" next to your domain
  3. Select "Custom DNS" under Nameservers
  4. Add all 4 AWS nameservers
  5. Click the green checkmark
Cloudflare

Note: If using Cloudflare, you must disable Cloudflare proxy for proper delegation.

  1. Remove the domain from Cloudflare, OR
  2. Update nameservers to AWS (removes Cloudflare DNS management)

Environment Domain Delegation

What you're delegating

A subdomain (e.g., qa.sleakops.com) to its own hosted zone.

Two Scenarios

Scenario A: Parent domain IS managed by Sleakops

Good news! Sleakops automatically creates the NS records in the parent hosted zone.

No action needed - delegation is automatic

Scenario B: Parent domain is NOT managed by sleakops

If sleakops.com is managed outside Sleakops, but you want qa.sleakops.com in Sleakops:

  1. Create the Environment domain in Sleakops

    • Sleakops creates a hosted zone
    • You'll see 4 nameserver records

  2. Add NS records to parent domain

    • Go to wherever sleakops.com DNS is managed (registrar, Cloudflare, etc.)
    • Create 4 NS records for the subdomain:
Record Type: NS
Name: qa
Value: ns-123.awsdns-12.com
Record Type: NS
Name: qa
Value: ns-456.awsdns-45.net
(repeat for all 4 nameservers)
  1. Verify delegation
    • Click "Check Delegate" in Sleakops
    • Wait for DNS propagation (usually 5-30 minutes)

Webservice Domain Configuration

What happens

Webservice domains (e.g., api.qa.sleakops.com) are automatically configured.

No delegation needed - Sleakops automatically:

  • Creates CNAME record in the environment's hosted zone
  • Points to the Application Load Balancer (ALB)
  • Configures SSL certificate

You don't need to do anything!

Alias Domain Configuration

Alias domains require manual DNS configuration at your domain provider.

Scenario A: Alias matches existing hosted zone

Example: Your alias is api.external.com and you already have external.com as a Provider or Environment in Sleakops.

For SSL Certificate Validation

  1. Sleakops provides validation records
    • You'll see CNAME records for certificate validation
    • Example:
_acme-challenge.api.external.com → _validation123.acme.aws.com
  1. Add validation records to your DNS
    • Go to the hosted zone for external.com (in Sleakops or wherever it's managed)
    • Add the CNAME records exactly as shown
    • Wait for certificate validation (usually 5-15 minutes)

For Traffic Routing

  1. Sleakops provides ALB endpoint
    • You'll see the ALB DNS name:
ALB: my-alb-123456.us-east-1.elb.amazonaws.com
  1. Create CNAME record
    • Go to your DNS management for external.com
    • Create a CNAME record:
Record Type: CNAME
Name: api
Value: my-alb-123456.us-east-1.elb.amazonaws.com
TTL: 300
  1. Verify
    • Test the domain: curl https://api.external.com
    • Should return your service response

Scenario B: Alias doesn't match any hosted zone

Example: Your alias is anything.com and this domain is not managed in Sleakops.

For SSL Certificate

  1. Sleakops creates SSL certificate
    • Certificate validation records are provided
    • Example:

_acme-challenge.anything.com → _validation456.acme.aws.com

  1. Add validation records
    • Log into your domain provider for anything.com
    • Add the CNAME records for certificate validation
    • Wait for validation (5-15 minutes)

For Traffic Routing

  1. Sleakops provides ALB endpoint

ALB: my-alb-789012.us-east-1.elb.amazonaws.com

  1. Configure DNS at your provider

    Option 1: CNAME (for subdomains)

Record Type: CNAME
Name: www (or subdomain)
Value: my-alb-789012.us-east-1.elb.amazonaws.com

Option 2: A Record with ALIAS (for root domain)

  • Some providers support ALIAS records (Route 53, Cloudflare)
Record Type: A (ALIAS)
Name: @ (root)
Value: my-alb-789012.us-east-1.elb.amazonaws.com

Option 3: A Record with IP (not recommended)

  • Lookup ALB IPs and create A records
  • ⚠️ IPs may change - use CNAME when possible
  1. Verify
    • Test: curl https://anything.com
    • Ensure SSL certificate is valid

Verification Checklist

Provider/Environment Domain

  • Nameservers updated at registrar
  • "Check Delegate" button shows success
  • DNS lookup returns correct nameservers: dig NS yourdomain.com

Webservice Domain

  • Webservice is deployed and running
  • Domain resolves: curl https://api.qa.sleakops.com
  • SSL certificate is valid (no browser warnings)
  • DNS lookup returns correct CNAME: dig CNAME api.qa.sleakops.com

Alias Domain

  • Certificate validation records added
  • Certificate shows as validated in Sleakops
  • CNAME/A record points to ALB
  • Domain resolves: curl https://your-alias.com
  • DNS lookup returns correct CNAME: dig CNAME your-alias.com
  • SSL certificate is valid

Troubleshooting

"Check Delegate" fails

Issue: Nameservers not properly delegated

Solutions:

  1. Verify you added ALL 4 nameservers
  2. Check for typos in nameserver values
  3. Wait longer (DNS propagation can take up to 48 hours)
  4. Clear DNS cache: dig @8.8.8.8 yourdomain.com
  5. Verify at registrar that changes were saved

Certificate validation stuck

Issue: SSL certificate not validating

Solutions:

  1. Verify CNAME records are added correctly (no extra dots, correct values)
  2. Check TTL hasn't expired
  3. Remove any conflicting DNS records
  4. Wait 15-30 minutes for DNS propagation
  5. Check DNS: dig _acme-challenge.yourdomain.com

Domain not resolving

Issue: Domain doesn't load your service

Solutions:

  1. Verify CNAME/A record points to correct ALB endpoint
  2. Check ALB is healthy and receiving traffic
  3. Verify webservice is deployed and running
  4. Test with curl -v https://yourdomain.com for detailed errors
  5. Check security groups allow traffic on port 443

SSL certificate errors in browser

Issue: Browser shows "Not Secure" or certificate warnings

Solutions:

  1. Verify certificate is validated in Sleakops
  2. Check certificate includes your domain name
  3. Clear browser cache
  4. Verify correct certificate is attached to ALB listener
  5. Check certificate hasn't expired

DNS Propagation Time

Change TypeTypical TimeMaximum Time
Nameserver update15-30 minutes48 hours
CNAME record5-15 minutes24 hours
A record5-15 minutes24 hours
Certificate validation5-15 minutes30 minutes

💡 Tip: Use https://dnschecker.org to check DNS propagation globally

Need Help?