Are you doing this manually? I make solid use of DNSimple's ALIAS record type, which is also supported by Route 53, but DNSimple says they don't support AXFRs (http://support.dnsimple.com/articles/master-slave-support).

Are you using route53 to do an alias AND have the root domain use SSL? The setup at route53 is confounding me. I thought I'd setup a CNAME www.domain.com that points to sub.herokussl.com, and than an A record Alias that points domain.com to www.domain.com. But Amazon seems to not avow that the CNAME record is a "Record Set" that I can use for this.

Yep, I just got whacked by this at https://www.photographer.io (www is working at least). Guess I've learnt my lesson about using the root domain.

However I'm glad this happened whilst I was still beta testing! My CloudFront stack was pointing at the root domain, which was stupid. Fixed that now.

I'm having an interesting issue where my root domain is currently getting its nameserver details from DNSimple, whereas www. is getting them from iWantMyName. Hopefully that rotates around too at some point soon :\

That's probably someone attempting to you for a DDOS reflection. Take a look at http://openresolverproject.org/ and make sure you're not providing an open resolver to the internet

Can you give an example of what 'trashy' is?

You could be an open resolver being used for reflection. You could be running DNSSEC and providing an amplification vector. You could be getting queries for another DNS server that used to have your IP. The possibilities are endless.

In the three years I've been with DNSMadeEasy [0], haven't had an outage yet.

[0] https://cp.dnsmadeeasy.com/u/62796 (affiliate link)

There are two important steps;

1. Adding NS records to the parent zone via your registrar. E.g. if you are using example.com, when you add nameservers with your registrar they add them to the ".com" zone.

2. Update the NS records in your own copies of the zone on your DNS providers.

If your registrar is also one of your DNS providers, then both of these steps are sometimes handled in one action from your registrar - but you still need to update the NS records on the other provider.

"NS" record sets are special in DNS in that there is a copy of the NS record for a particular zone in both the parent zone and the child zone. About 8% of resolvers consider the parent zone's copy the one that matters, the other 92% honour whatever is in the child zone's.

This can lead to confusing cases where you have different NS configurations on different providers - the resolver may "stick" to whichever one it found first (as long as both providers are in the parent zone). DNS can be maddening!

Full-disclosure: I'm a Route 53 developer.

Yes. You can do master-slave with AXFR but it doesn't seem very well supported nowadays. I remember 1 provider that let you put in your AWS credentials and they'd sync to Route53 using the API, though I can't find which one right now. Different providers offer different solutions...a lot don't offer anything.

Of course, you can always do it manually..which is fine if you have few records and they are static.

edit: Kept googling and I did find http://www.dnsly.net/ neat enough that I wanted to share it, even though I think dns providers should be doing this as part of their existing packages.

Also, although it's no guarantee, dns providers that use anycast are less susceptible (but not invulnerable) to ddos.

We're working on adding some redundancy!