03 principle

Validate Before You Deploy

Production is not your test environment. Automated pre-flight checks must run on every deployment item before a single record touches live DNS. At minimum, a validation pipeline should check:

  • Connectivity — is the DNS provider reachable?
  • Zone existence — does the target zone exist and is it accessible?
  • Record existence — for updates and deletes, is the record still there?
  • Drift detection — has someone modified the record since the change was planned?
  • Content validation — will the provider accept these values (type-specific rules)?
  • Conflict detection — will this change break existing records (CNAME singletons, duplicates)?
  • Rollback readiness — is enough state captured to reverse this change if needed?

Every check should return pass, warning, or error. Errors must block deployment. Warnings are at the operator’s discretion.
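A minimal sketch of such a pipeline, added here as an illustration and not taken from any particular tool: it covers the record existence, drift, content, conflict and rollback checks against an in-memory snapshot of live records, leaving connectivity and zone checks to the provider client. The change schema (`action`, `name`, `type`, `content`, `planned`), the function names, the severity assigned to each check and the sample records are all assumptions.

```python
import ipaddress

PASS, WARNING, ERROR = "pass", "warning", "error"

def valid_content(rtype, content):
    """Type-specific rules for A, AAAA and CNAME only; other types are rejected (assumed subset)."""
    if rtype == "CNAME":
        return bool(content) and " " not in content
    try:
        return ipaddress.ip_address(content).version == {"A": 4, "AAAA": 6}.get(rtype)
    except ValueError:
        return False

def preflight(change, live):
    """Check one planned change against live, a list of (name, type, content) tuples.
    'planned' is the record content captured when the change was planned (assumed schema)."""
    results, planned = [], change.get("planned")
    name, rtype, action = change["name"], change["type"], change["action"]
    same = [c for n, t, c in live if n == name and t == rtype]
    others = [t for n, t, c in live if n == name and t != rtype]
    if action in ("update", "delete"):
        if not same:  # record existence
            results.append((ERROR, "record existence: target record is gone"))
        elif planned is None:  # rollback readiness
            results.append((ERROR, "rollback: no prior state captured to reverse this change"))
        elif planned not in same:  # drift since planning
            results.append((ERROR, "drift: live content differs from planned state"))
    if action in ("create", "update"):
        if not valid_content(rtype, change["content"]):
            results.append((ERROR, f"content: invalid value for {rtype}"))
        if action == "create" and change["content"] in same:
            results.append((WARNING, "conflict: identical record already exists"))
        if (rtype == "CNAME" and (others or (action == "create" and same))) or "CNAME" in others:
            results.append((ERROR, "conflict: CNAME must be the only record at a name"))
    return results or [(PASS, "all checks passed")]

def may_deploy(changes, live):
    """Any error blocks the whole deployment; warnings are returned for the operator."""
    report = [preflight(c, live) for c in changes]
    return not any(sev == ERROR for r in report for sev, _ in r), report

# Constructed sample data (documentation address range, example names).
LIVE = [("www.example.com", "A", "192.0.2.10"), ("app.example.com", "A", "192.0.2.20")]
CHANGES = [
    {"action": "update", "name": "www.example.com", "type": "A", "content": "192.0.2.11", "planned": "192.0.2.10"},
    {"action": "create", "name": "app.example.com", "type": "CNAME", "content": "lb.example.net"},
    {"action": "update", "name": "app.example.com", "type": "A", "content": "192.0.2.21", "planned": "192.0.2.99"},
]
```

With the sample data, the first change passes, the second is blocked by the CNAME singleton rule, and the third is blocked by drift, so `may_deploy(CHANGES, LIVE)` refuses the batch.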