Domain and DNS Checklist for Organizations Migrating Away from Horizon Managed Services
Step-by-step DNS and domain tasks IT teams must run when a vendor discontinues managed services—certs, MX, subdomains, registrar actions (2026-ready).
When a vendor kills managed services: why your DNS and domain plan must move first
Your vendor just announced end-of-life for managed devices and services, like Meta's December 2025–January 2026 cuts to Horizon managed services, and now your IT team is on the clock. If you don't act first on DNS, certificates, MX, and registrar tasks, you risk downtime, mail loss, certificate expiration, and awkward brand or security gaps.
Executive summary (do this first)
Follow this prioritized checklist as a runbook for a safe vendor offboarding and device/service migration. Start with an inventory and ownership map, reduce DNS TTLs, capture certificates and keys, prepare new DNS and mail endpoints, and validate post-cutover monitoring. Each section below gives concrete commands, automation tips, and rollback guardrails.
Context and 2026 trends you need to know
In 2026, vendor consolidation and managed-service discontinuations accelerated after Q4 2025 budget shifts across major platform providers. Organizations are moving to self-managed fleets, zero-trust networking, and GitOps-driven DNS. Expect registrar portals and DNS APIs to be the primary control plane for quick cutovers. TLS automation through ACME (RFC 8555) and API-based certificate issuance are now standard, but they still require planning when a vendor has been issuing certificates on your behalf.
High-level checklist (one-line view)
- Inventory: domains, subdomains, certificates, mail flow, dependencies
- Pre-migration: lower TTLs, lock registrars until ready, back up zones
- Certificate reissue: obtain CA access or plan ACME automation
- Email & SMTP: preserve MX, validate SPF/DKIM/DMARC, update relay
- Subdomain cleanup: remove orphan CNAMEs, map redirects, plan hostnames
- Registrar & WHOIS: confirm contact, transfer strategy, renewals
- Cutover: change DNS, rotate certs, test, monitor rollback windows
- Post-migration: update docs, monitor telemetry, schedule audits
Phase 1 — Inventory and discovery (Day 0–1)
The moment you learn a vendor will stop managing devices or services, run an aggressive discovery. Your goal: map every DNS and domain dependency the vendor managed for you.
What to collect
- Domain list: primary domains, subdomains, vanity hosts, and region-specific TLDs.
- Zone files: full DNS record exports from the vendor-managed DNS or registrar.
- Certificates: public certificates, their expiry dates, and whether the private keys are held by you or by the vendor.
- Mail flow: MX records, smart host/relay entries, SMTP auth, and inbound filtering rules.
- Service records: SRV, TXT (SPF, DMARC, DKIM selectors), CAA records.
- Delegations: NS records for delegated subzones.
- APIs/Automation: registrar and DNS provider API keys and ACLs.
Quick discovery commands
- DNS zone snapshot: export the zone from the vendor portal, or request a zone transfer if the vendor's authoritative servers allow it (most refuse AXFR from arbitrary clients, so expect to fall back to the portal export): `dig axfr example.com @ns1.vendor-dns.net`
- MX check: `dig MX example.com +short`
- SPF/DKIM/DMARC: `dig TXT example.com +short`, `dig TXT default._domainkey.example.com +short`, `dig TXT _dmarc.example.com +short`
- TLS cert details: `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -dates -subject -issuer`
- Subdomain enumeration: your internal asset inventory plus passive checks with a tool such as subfinder, or a light DNS crawl.
Phase 2 — Ownership and access (Day 0–2)
Confirm who controls what. If the vendor controls registrar accounts, you must recover or replace control before the vendor disappears.
- Registrar access: request admin credentials and ensure your org owns the account. If the vendor refuses, open a formal change request and track via procurement/legal.
- API keys: rotate vendor API keys out of any automation and replace with keys under your control.
- Auth/EPP codes: request EPP/Auth codes for any domains you intend to transfer.
- Emergency contact: add a verified contact for registrar/ICANN lock changes.
Phase 3 — Pre-cutover DNS hygiene
Prepare DNS for migration to minimize propagation delays and enable fast rollback.
Lower TTLs
Reduce TTLs for records you plan to change to 60–300 seconds at least 48–72 hours before cutover. That lets you switch endpoints quickly and roll back if needed.
Backup zone files
Export and store zone files in version control (private repo) or your configuration management system. Tag the snapshot with the vendor EOL date.
Check for delegations and CNAME chains
- Find delegated subzones to avoid surprises when you change parent NS records.
- Avoid long CNAME chains: every hop adds a resolver round trip and another dependency, and the outgoing vendor's hostnames often sit at the end of them. Flatten chains so records point at endpoints you control, and remember that a CNAME cannot coexist with other records at the zone apex.
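The inventory in Phase 1, the TTL and delegation checks above, and the subdomain triage in Phase 6 all start from the same artifact: the zone export. The following is an added example (not code from the original article or from any vendor) that parses a BIND-style zone snapshot, such as the output of `dig axfr` or a registrar portal export, and reports the findings this phase asks for. The zone contents, the hostnames, and the vendor domains `vendor-dns.net` and `vendor-mail.net` are constructed for illustration.

```python
"""Audit a zone snapshot before cutover.

Added example (not from the original article): parses a BIND-style zone
export and reports pre-cutover hygiene findings: records whose TTL is still
too high to roll back quickly, NS delegations below the apex, CNAME chains,
and names whose data still points into the outgoing vendor's domains.
The zone text, hostnames and vendor domains are constructed.
"""
import re
from collections import defaultdict

# Constructed zone snapshot; vendor-dns.net / vendor-mail.net stand in for the outgoing vendor.
ZONE = """\
example.com.              3600 IN SOA   ns1.vendor-dns.net. hostmaster.example.com. 2026010101 7200 3600 1209600 300
example.com.              3600 IN NS    ns1.vendor-dns.net.
example.com.              3600 IN NS    ns2.vendor-dns.net.
example.com.               300 IN A     203.0.113.10
example.com.              3600 IN MX    10 relay.vendor-mail.net.
example.com.              3600 IN TXT   "v=spf1 include:_spf.vendor-mail.net -all"
www.example.com.          3600 IN CNAME edge.example.com.
edge.example.com.         3600 IN CNAME cdn.vendor-dns.net.
telemetry.example.com.   86400 IN NS    ns1.vendor-dns.net.
telemetry.example.com.   86400 IN NS    ns2.vendor-dns.net.
default._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIB..."
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; owners lower-cased, fully qualified."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records

def high_ttl_records(records, max_ttl=300, skip=("SOA",)):
    """Records whose TTL exceeds the pre-cutover target; these cannot be rolled back quickly."""
    return [(o, ttl, t) for o, ttl, t, _ in records if t not in skip and ttl > max_ttl]

def delegations(records, apex):
    """NS records below the apex: child zones that must move before the parent NS set changes."""
    apex = apex.lower()
    return sorted({o for o, _, t, _ in records if t == "NS" and o != apex})

def cname_chain(records, name, limit=8):
    """Follow CNAMEs from `name` within the snapshot until a non-CNAME or external target."""
    cnames = {o: r.rstrip(".").lower() + "." for o, _, t, r in records if t == "CNAME"}
    chain = [name.lower()]
    while chain[-1] in cnames and len(chain) <= limit:
        chain.append(cnames[chain[-1]])
    return chain

def vendor_dependencies(records, vendor_suffixes):
    """Owner names whose rdata points into a vendor domain (SOA, NS, CNAME, MX, SPF include:)."""
    hits = defaultdict(set)
    for o, _, t, r in records:
        for token in re.split(r"[\s\"]+", r):
            token = token.split(":", 1)[-1].rstrip(".").lower()  # drop 'include:' style prefixes
            if any(token == s or token.endswith("." + s) for s in vendor_suffixes):
                hits[o].add(t)
    return {k: sorted(v) for k, v in hits.items()}

def audit(text, apex, vendor_suffixes, max_ttl=300):
    """Run all checks over one zone export and return the findings as a dict."""
    rrs = parse_zone(text)
    return {
        "high_ttl": high_ttl_records(rrs, max_ttl),
        "delegations": delegations(rrs, apex),
        "www_chain": cname_chain(rrs, "www." + apex),
        "vendor": vendor_dependencies(rrs, vendor_suffixes),
    }

if __name__ == "__main__":
    for key, value in audit(ZONE, "example.com.", ["vendor-dns.net", "vendor-mail.net"]).items():
        print(key, value)
```

Run it against your real export after replacing `ZONE` with the file contents: every name in `vendor` is a cutover task, every entry in `delegations` is a child zone to migrate before touching parent NS records, and `high_ttl` is the list to lower 48–72 hours ahead of the change.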
Phase 4 — Certificate re-issuance and TLS strategy
When a vendor issued and hosted keys for you, cert re-issuance is the most common failure point. Plan for keys to be in your custody and automate renewals.
Decisions to make
- Key custody: move private keys into your HSM/KMS or platform-managed key store.
- CA and automation: use a CA that supports automation (ACME). Let's Encrypt, ZeroSSL, and commercial CAs offer API-based issuance.
- Wildcard vs SAN: decide whether to replace many single certs with wildcard certs or SAN certs to simplify rotation.
Actionable steps
- List all TLS endpoints and expiry dates. Use a scanner such as sslscan, or a simple script around `openssl s_client`.
- If the vendor controls the keys, request backups or plan to re-issue new certificates. Do not trust private keys that exist only on vendor devices; treat any key the vendor has held as shared and replace it rather than import it.
- Automate certificate issuance with ACME where possible. Example command for DNS-01 issuance with the certbot Cloudflare DNS plugin: `certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d example.com -d '*.example.com'` (wildcards require DNS-01; keep the credentials file readable only by the user running certbot, since it holds a DNS-modifying API token).
- Test certificate installation on a staging host first and verify the chain with `openssl s_client -connect host:443 -servername host`; look for `Verify return code: 0 (ok)` and confirm the server sends the full intermediate chain.
- Schedule certificate rotation and automation health checks into your monitoring stack.
Pro tip: If the vendor used device-bound certificates (such as client certificates embedded in headsets) to authenticate devices to your services, revoke or rotate them and stop trusting the vendor's issuing CA, so a device you no longer manage cannot keep authenticating.
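To turn the endpoint scan above into a rotation queue, the following added example (not code from the original article) parses the text that `openssl x509 -noout -dates -subject -issuer` prints for each host, computes days to expiry against a fixed reference date, and orders the hosts so that vendor-issued certificates and anything expiring inside the cutover window are re-issued first. The hostnames, dates and the issuer name `Vendor Device CA` are constructed for illustration.

```python
"""Build a certificate rotation queue from openssl scan output.

Added example, not from the original article. Parses the output of
`openssl x509 -noout -dates -subject -issuer` per host, computes days to
expiry against a fixed reference date, and orders endpoints for re-issuance.
Hostnames, dates and the issuer "Vendor Device CA" are constructed.
"""
from datetime import datetime, timezone

# Constructed scan output, one openssl text block per host.
SCANS = {
    "www.example.com": (
        "notBefore=Dec  2 00:00:00 2025 GMT\n"
        "notAfter=Mar  2 00:00:00 2026 GMT\n"
        "subject=CN = www.example.com\n"
        "issuer=C = US, O = Let's Encrypt, CN = R11\n"
    ),
    "telemetry.example.com": (
        "notBefore=Jan  1 00:00:00 2025 GMT\n"
        "notAfter=Dec 31 23:59:59 2026 GMT\n"
        "subject=CN = telemetry.example.com\n"
        "issuer=O = Vendor Corp, CN = Vendor Device CA\n"
    ),
    "mail.example.com": (
        "notBefore=Feb 10 12:00:00 2025 GMT\n"
        "notAfter=Feb 10 12:00:00 2026 GMT\n"
        "subject=CN = mail.example.com\n"
        "issuer=O = Vendor Corp, CN = Vendor Device CA\n"
    ),
}

# Fixed "today" so the plan is reproducible; in real use pass datetime.now(timezone.utc).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Parse `key=value` lines of openssl x509 text output into a dict with aware datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    out = {"subject": fields.get("subject", ""), "issuer": fields.get("issuer", "")}
    for key in ("notBefore", "notAfter"):
        # openssl pads single-digit days with two spaces ("Jan  1"); collapse before parsing.
        stamp = " ".join(fields[key].split())
        out[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return out

def rotation_plan(scans, now, window_days, vendor_issuer_marker):
    """Return endpoints sorted by urgency, each with the reasons it needs re-issuance."""
    plan = []
    for host, text in scans.items():
        cert = parse_openssl_dates(text)
        days_left = (cert["notAfter"] - now).days
        reasons = []
        if vendor_issuer_marker in cert["issuer"]:
            reasons.append("vendor_issued")      # key custody unknown: re-issue under your own CA/ACME
        if days_left <= window_days:
            reasons.append("expires_in_window")  # would lapse during or right after the migration
        if cert["notBefore"] > now:
            reasons.append("not_yet_valid")      # clock skew or a mis-installed staging certificate
        plan.append({"host": host, "days_left": days_left, "issuer": cert["issuer"],
                     "reasons": reasons, "action": "reissue" if reasons else "monitor"})
    # Everything needing re-issuance first, soonest expiry within each group.
    plan.sort(key=lambda e: (e["action"] != "reissue", e["days_left"]))
    return plan

if __name__ == "__main__":
    for entry in rotation_plan(SCANS, NOW, window_days=30, vendor_issuer_marker="Vendor Device CA"):
        print(f'{entry["action"]:8} {entry["days_left"]:4}d {entry["host"]:24} {entry["reasons"]}')
```

Feed it the captured output of the scan loop (one block per host) and a marker string from the vendor CA's issuer name; the `reissue` entries become the work items for the ACME automation described above, and the `monitor` entries go into the renewal health checks.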
Phase 5 — Email, MX, and SMTP checks
Email breaks are visible and costly. When the vendor provided mail relays or inbound filtering, map and migrate every component.
Checklist for mail
- Document current MX records and TTLs.
- Verify SPF, DKIM, and DMARC records and ensure you control DKIM selectors' private keys.
- If the vendor was a smart host, arrange new relay credentials and update MTA configs.
- Test inbound and outbound mail flow pre-cutover using a staging domain or subdomain.
Commands and tests
- MX lookup: `dig mx example.com +short`
- SPF/DKIM: `dig txt example.com +short` and `dig txt default._domainkey.example.com +short`
- SMTP test: `swaks --to user@example.com --server smtp.example.com --tls --auth LOGIN --auth-user user --auth-password` (swaks prompts for the password when `--auth-password` is given without a value, which keeps the secret out of shell history and process listings; `--tls` requires STARTTLS so the credentials are not sent in clear).
- Mail deliverability: send test messages to major providers and check the Authentication-Results headers for SPF/DKIM/DMARC pass/fail.
If you rely on a vendor's email filtering, stand up a replacement (cloud filtering or on-prem) and configure the same rules. Keep old MX records with low TTLs until the new filter is fully validated.
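Swapping the vendor relay means editing the SPF record, and the classic failure is adding the new relay's include while the vendor's includes are still present, pushing the record past the 10-lookup limit in RFC 7208 so receivers return permerror. The following added example (not code from the original article) evaluates an SPF record the way a receiver would, against a small constructed set of TXT answers standing in for DNS: it walks `include:` and `redirect=` targets, counts the lookup-costing mechanisms, flags includes that still point at the outgoing vendor, warns about the deprecated `ptr` mechanism, and reads the DMARC `p=` policy. All domain names and record contents are constructed.

```python
"""Check the SPF lookup budget and DMARC policy before swapping mail relays.

Added example, not from the original article. Walks include:/redirect=
through a constructed dict of TXT answers, counts DNS-querying mechanisms
against RFC 7208's limit of 10, flags vendor includes and the deprecated
ptr mechanism, and reads the DMARC p= tag. All records are constructed.
"""

# Constructed TXT answers keyed by owner name (what `dig txt <name> +short` would return).
TXT = {
    "example.com": "v=spf1 include:_spf.vendor-mail.net include:_spf.newrelay.example.net mx -all",
    "_spf.vendor-mail.net": "v=spf1 ip4:198.51.100.0/24 include:_spf2.vendor-mail.net ~all",
    "_spf2.vendor-mail.net": "v=spf1 a mx ptr exists:%{i}.spf.vendor-mail.net -all",
    "_spf.newrelay.example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Mechanisms that each cost one DNS query (RFC 7208 section 4.6.4); ip4/ip6/all are free.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
SPF_LIMIT = 10

def walk_spf(domain, txt, findings, seen):
    """Recursively tally lookups and includes for `domain`; `seen` guards against include loops."""
    if domain in seen:
        findings["loops"].append(domain)
        return
    seen.add(domain)
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        findings["missing"].append(domain)  # include: of a name with no SPF record is a permerror
        return
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            findings["lookups"] += 1
            walk_spf(term.split("=", 1)[1], txt, findings, seen)
            continue
        body = term.lstrip("+-~?")          # strip the qualifier
        name, _, value = body.partition(":")
        name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name in LOOKUP_MECHS:
            findings["lookups"] += 1
        if name == "ptr":
            findings["ptr"] = True
        if name == "include" and value:
            findings["includes"].append(value)
            walk_spf(value, txt, findings, seen)

def all_qualifier(record):
    """Qualifier on the final `all` term: '-' (fail), '~' (softfail), '?' or '+' (effectively no policy)."""
    for term in reversed(record.split()):
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def spf_report(domain, vendor_suffixes, txt=TXT):
    """Evaluate the domain's SPF record and return the findings as a dict."""
    findings = {"lookups": 0, "includes": [], "ptr": False, "loops": [], "missing": []}
    walk_spf(domain, txt, findings, set())
    findings["over_limit"] = findings["lookups"] > SPF_LIMIT
    findings["vendor_includes"] = [i for i in findings["includes"]
                                   if any(i == s or i.endswith("." + s) for s in vendor_suffixes)]
    findings["all"] = all_qualifier(txt.get(domain, ""))
    return findings

def dmarc_policy(domain, txt=TXT):
    """Return the p= tag of the domain's DMARC record, or None if there is no valid record."""
    record = txt.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

if __name__ == "__main__":
    print(spf_report("example.com", ["vendor-mail.net"]))
    print("DMARC policy:", dmarc_policy("example.com"))
```

Populate `TXT` from real `dig txt` answers for the apex and every included name, run `spf_report` before and after removing the vendor includes, and refuse the cutover if `over_limit`, `missing` or `loops` is non-empty. A DMARC policy of `none` means receivers will not act on failures during the migration, which is convenient for the cutover weekend but should be tightened again once the new relay is proven.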
Phase 6 — Subdomain cleanup and redirects
Vendors often create many subdomains (device endpoints, telemetry, firmware updates). Decide what to keep, retire, or redirect.
Steps to clean up safely
- Inventory all subdomains and map to services and owners.
- Tag subdomains with status: keep, migrate, retire, redirect.
- For retirements, configure HTTP 301 redirects at the application or CDN layer — avoid using DNS CNAME redirects for HTTP-level redirection. DNS cannot issue HTTP 301 responses.
- For delegated subzones, ensure you update parent NS records only after child zones are migrated.
Redirect implementation examples
- Use CDN/reverse-proxy rules to serve 301 redirects from old subdomains to new locations.
- For API endpoints, maintain backward-compatible routes—or publish deprecation windows and monitor usage before cutting them.
Phase 7 — Registrar and WHOIS tasks
Registrar oversights are a common cause of lost domains during vendor exit. Don’t let renewal traps and contact mismatches cause expiration or transfer failures.
Registrar checklist
- Confirm registrant contact information and admin/emails are accurate and under your corporate control.
- Check domain expiration and renew early if necessary. Avoid last-minute transfers close to expiry.
- Request EPP/auth codes and unlock domains when ready for transfer; keep the registrar lock enabled until the moment of transfer authorization.
- Review transfer fees and renewal pricing differences between registrars; capture any hidden transfer/renewal fees.
- Confirm WHOIS privacy status and whether proxy contacts will be changed during transfer (update legal contacts if needed).
Programmatic registrar operations
Use registrar APIs for bulk operations. Popular registrars and resellers support automated transfers, renewals, and contact updates; integrate these into your migration pipelines to avoid manual mistakes, and scope the API tokens to the operations and domains the pipeline actually needs.
Phase 8 — Cutover runbook (the migration weekend)
Execute changes in an ordered, testable fashion and maintain a rollback plan with timing windows and owners.
Cutover order recommendation
- Notify stakeholders and freeze related config changes.
- Lower TTLs (if not already reduced).
- Deploy new mail relays and verify authentication (DKIM/SPF passing).
- Re-issue and install certificates for new hosts and test chain validation.
- Point DNS A/CNAME records to new IPs/hosts and monitor resolution.
- Update NS records only if migrating authoritative DNS; allow propagation time and be ready to roll back.
- Enable enhanced logging and synthetic tests for HTTP, SMTP, and service ports.
Rollback triggers
- Mail bounce rates above a threshold.
- Critical certificate validation failures in client telemetry.
- High error rates or inability to reach critical endpoints.
Phase 9 — Validation and monitoring (post-cutover)
Run a validation checklist immediately and keep monitoring in place for at least two weeks.
- DNS validation: run `dig` lookups from multiple external locations (or against several public resolvers) and confirm that TTLs and answers match the new zone.
- TLS validation: use automated scans and client-side telemetry to ensure no certificate trust errors.
- Email validation: monitor inbound queues, bounce logs, and DMARC reports.
- Subdomain usage: check access logs and deprecation notices; remove redirects only after negligible traffic is observed.
Phase 10 — Documentation, audit, and futureproofing
After migration, institutionalize the changes to prevent recurrence.
- Update internal DNS/runbook documentation with final zone files and certificate processes.
- Store keys and API credentials securely (KMS/HSM) and rotate them on a schedule.
- Schedule quarterly DNS and certificate audits and add TTL and zone drift checks to CI pipelines.
- Consider a DNS GitOps approach: store zone files in source control and apply changes via automated CI/CD to DNS providers.
Advanced strategies and 2026 best practices
These strategies reduce future vendor-dependence risk and align with 2026 operational trends.
- Treat DNS as code: use Terraform or provider-native IaC to manage DNS records and review every change in a pull request.
- Automate cert issuance: Integrate ACME with DNS provider APIs for DNS-01 challenges, eliminating manual key handoffs.
- Centralized secrets: Store private keys and API creds in a corporate KMS and only grant ephemeral access to automation agents.
- Multi-CDN and Anycast fallback: design DNS records to fail over between providers if a vendor-managed CDN goes offline, and make sure external observability covers both paths so the failover is actually seen.
- Monitor externally: Use external synthetic checks from multiple locations to detect split-horizon or propagation issues rapidly.
Common pitfalls and how to avoid them
- Relying on vendor-held private keys: Always rotate to keys you control.
- Assuming long TTLs are harmless: They block quick rollbacks.
- Transferring domains near expiry: transfers started close to the expiry date often fail or leave the domain to lapse mid-transfer. Renew first, then transfer.
- Using DNS records as redirects: Use proper HTTP redirects; DNS cannot return 301 responses.
Sample quick-run commands and snippets
Use these during discovery and validation.
- Export MX: `dig MX example.com +short`
- Get all TXT: `dig txt example.com +short`
- Check A/AAAA: `dig a example.com +short` and `dig aaaa example.com +short`
- Cert expiry: `echo | openssl s_client -connect host:443 -servername host 2>/dev/null | openssl x509 -noout -dates`
- SMTP test: `swaks --to user@example.com --server smtp.example.com`
Real-world example: offboarding a Horizon-managed fleet (case study)
In January 2026, a mid-sized company received notice its Horizon managed headset fleet would be unsupported. The vendor also hosted telemetry.example.com, mail relays, and issued device certificates. The IT team executed this checklist: they exported zones, lowered TTLs to 120s, requested certs and keys, moved DKIM keys into their KMS, stood up an internal mail relay, and used GitOps to push DNS changes. During cutover, an unexpected delegated telemetry subzone still pointed to vendor NS — the rollback plan used the TTLs to revert DNS within minutes, and the team corrected the delegation. Downtime was limited to a few minutes, and all certificates were rotated within 48 hours.
Actionable takeaways — what to do this week
- Run an immediate inventory of domains, certs, and MX records.
- Request EPP/auth codes and registrar admin access if your vendor controls domains.
- Lower TTLs for planned-change records to 60–300s.
- Identify any vendor-held private keys and plan re-issuance with ACME.
- Document a rollback window and test all email and cert changes in a staging environment.
Closing: build resilience before the next vendor sunset
Vendor service discontinuations will remain a fact of life in 2026. The organizations that win are those that treat DNS and domain ownership as first-class assets: documented, automated, and under your control. Use this checklist to convert a vendor shutdown into a controlled migration instead of an outage.