Module Reference

Route53 — DNS Management

Hosted zones and DNS records for all Ontopix domains, including email security and brand protection.

Production

Directory: global/route53/

Files: zones.tf, records.tf, variables.tf

What It Manages

All DNS hosted zones and records for the Ontopix platform.

Hosted Zones

Zone                        Purpose                        Environment
ontopix.ai                  Main domain                    Global
dev.ontopix.ai              Development resources          Dev
pre.ontopix.ai              Pre-production resources       Pre
platform.ontopix.ai         Platform services              Platform
ontopix.dev                 Internal tools (docs portal)   Global
7 brand protection domains  Anti-spoofing only             Global

Record Types Managed

Primary domains (ontopix.ai, ontopix.dev):

  • MX records (Google Workspace email)
  • TXT records (domain verification, SPF)
  • DKIM records (Google email authentication)
  • DMARC records (email policy)
  • NS delegation records (to sub-zones)
  • Service records (A/CNAME for applications)

Brand protection domains:

  • Null MX (0 .) — declares that the domain does not accept email
  • SPF hard fail (v=spf1 -all) — no servers authorized
  • DMARC reject (p=reject) — instructs receivers to reject unauthorized email

Key Resources

# Primary zones
aws_route53_zone.ontopix_ai
aws_route53_zone.dev_ontopix_ai
aws_route53_zone.pre_ontopix_ai
aws_route53_zone.platform_ontopix_ai
aws_route53_zone.ontopix_dev

# Brand protection (dynamic)
aws_route53_zone.brand_protection["ontopix_es"]  # etc.

How to Add a DNS Record

See the Add DNS Record guide for step-by-step instructions.

DMARC Reporting Convention

All domains with DMARC enabled must send aggregate reports (rua) to dmarc@ontopix.ai. This centralizes DMARC reporting into a single inbox regardless of the domain.

When adding DMARC to a new domain, use:

# For domains that send email (Google Workspace):
records = ["v=DMARC1; p=none; rua=mailto:dmarc@ontopix.ai"]

# For brand protection domains (no email sent):
records = ["v=DMARC1; p=reject; rua=mailto:dmarc@ontopix.ai"]
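The brand protection record set and the DMARC reporting convention above can be checked mechanically. The following is an added example, not code from this module: the input shape, the function names and the sample domain `brand.example` are assumptions. It also derives the authorization record that RFC 7489 section 7.1 requires at the report-receiving domain when `rua` points outside the domain publishing the policy.

```python
# Added example: audit record values against this page's conventions.
REPORT_MAILBOX = "mailto:dmarc@ontopix.ai"  # rua target required by the page
REPORT_DOMAIN = "ontopix.ai"

def parse_tags(txt):
    """Split a DMARC-style 'k=v; k=v' TXT value into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(records, brand_protection):
    """Return convention violations; the `records` shape is an assumption:
    {"MX": [str, ...], "SPF": str, "DMARC": str}."""
    problems = []
    dmarc = parse_tags(records.get("DMARC", ""))
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or not v=DMARC1")
    # rua is a comma-separated URI list; a URI may carry a "!size" suffix.
    rua = [u.split("!")[0].strip().lower() for u in dmarc.get("rua", "").split(",")]
    if REPORT_MAILBOX not in rua:
        problems.append("rua does not include " + REPORT_MAILBOX)
    if brand_protection:
        if dmarc.get("p") != "reject":
            problems.append("brand protection domain must publish p=reject")
        if records.get("SPF", "").split() != ["v=spf1", "-all"]:
            problems.append("SPF must be exactly 'v=spf1 -all'")
        if records.get("MX") != ["0 ."]:
            problems.append("MX must be the single null MX '0 .'")
    return problems

def report_authorization_name(policy_domain):
    """Name of the TXT record ("v=DMARC1") that REPORT_DOMAIN has to publish
    so receivers send reports for an external domain (RFC 7489, 7.1).
    Simplification: "external" means not REPORT_DOMAIN or a subdomain of it."""
    d = policy_domain.rstrip(".").lower()
    if d == REPORT_DOMAIN or d.endswith("." + REPORT_DOMAIN):
        return None
    return f"{d}._report._dmarc.{REPORT_DOMAIN}"

# Constructed sample: a brand protection domain left at p=none.
SAMPLE = {"MX": ["0 ."], "SPF": "v=spf1 -all",
          "DMARC": "v=DMARC1; p=none; rua=mailto:dmarc@ontopix.ai"}
if __name__ == "__main__":
    print(audit_domain(SAMPLE, brand_protection=True))
    print(report_authorization_name("brand.example"))
```
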

Notes

  • Amplify-managed DNS records (ACM validation, custom domains) are not managed in this module — they live in global/amplify/ or are managed by Amplify itself.
  • The ontopix.dev zone was imported from an existing AWS configuration into Terraform.