The Silent Outage Playbook: Domain Expiry, Nameserver Drift, and DNS A-Record Changes

How to prevent non-code outages caused by missed renewals and DNS control-plane drift.

A surprising number of high-severity incidents are not caused by code. They come from operational drift:

  • domain renewals missed,
  • nameserver changes no one approved,
  • A-record changes with no change ticket.

The good news is these are preventable with simple controls and ownership.

1) Domain expiry: treat as critical infrastructure

A domain expiry event is not "just billing." It is a service-availability incident.

Minimum controls:

  • Auto-renew enabled
  • Valid payment method
  • Multiple renewal contacts (not one person)
  • Quarterly registrar access review

2) Nameserver changes: treat as control-plane events

Nameserver changes reroute DNS authority. That should always be intentional, approved, and auditable.

Minimum controls:

  • MFA on registrar account
  • Least-privilege access
  • Change approval process for NS updates
  • Baseline record of approved nameserver set

3) A-record changes: treat as origin routing events

A-record changes can be valid during migrations, but surprise changes should trigger immediate review.

Minimum controls:

  • Document approved target IPs
  • Log every DNS change with timestamp + owner
  • Validate propagation after planned changes
Control-plane drift defense model covering domain expiry, nameserver changes, and A-record incident response.

Incident response pattern

When drift is detected:

  1. Confirm if change was planned.
  2. If not planned, treat it as a security and availability incident.
  3. Roll back to approved baseline where safe.
  4. Rotate credentials and audit access scope.

Owner checklist

  • [ ] Registrar, DNS, and incident contacts are current and shared (not single-owner only).
  • [ ] NS and A-record baselines are documented and versioned.
  • [ ] Any DNS/registrar change requires approval and post-change validation.
  • [ ] Quarterly resilience review includes domain and DNS controls.

Where Scavo helps

Scavo monitors domain expiry windows, nameserver changes, and A-record drift so teams can catch control-plane problems before they become outages.

These checks are especially valuable because they cover risks normal app-level tests never see.

Sources

What to do next in Scavo

  1. Run a fresh scan on your main domain.
  2. Open the matching help guide in /help, assign an owner, and ship the smallest safe fix.
  3. Re-scan after deployment and confirm the trend is moving in the right direction.

Related Reads

Keep digging with related fixes

Uptime Feb 15, 2026

Uptime Alerting Without Noise: Confirm First, Escalate Fast, Recover Cleanly

A practical uptime alert design that cuts false positives without missing real incidents.

Read article
Accessibility Mar 2, 2026

Keyboard Navigation and Focus Management: The Accessibility Bugs That Make Good UIs Feel Broken

A practical playbook for fixing keyboard traps, invisible focus, and broken dialogs before they block real users.

Read article
Technical Feb 28, 2026

The Boring HTML Foundations That Still Break Real Sites: Doctype, Lang, Charset, Viewport, and Favicon

Why small HTML foundation signals still matter in production, and how to fix them before they cause strange breakage.

Read article

Ready to see this on your site?

Run a free scan and get a prioritized fix list in under 30 seconds. Or unlock full monitoring to keep the wins rolling in.

Run a free scan Start free trial

Raccoon Cookie Checkpoint

Can we use optional cookies?

Essentials always stay on. Optional cookies help with preferences, analytics, and smarter prompts.

Current setting: Decision needed