Govern DNS changes from ServiceNow with approvals and rollback

Problem: change approvals happen… but the DNS change still gets executed by hand, off the record

A recurring ITSM failure mode: a ServiceNow change request (or standard change) gets approved, the CAB notes are clean, but the actual DNS work (Route 53 / internal DNS / registrar) is still done manually.

  • The ticket shows “Approved / Implemented”
  • The record of what was changed is incomplete (no exact record name/value/TTL captured)
  • Rollback is tribal knowledge
  • Incidents later get opened for “site down” or “wrong endpoint” and nobody can prove what happened

This is exactly the ticket → action gap: AI can suggest steps, humans can approve, but execution is inconsistent and unaudited.

Autom Mate fits as the execution + control layer between ITSM/AI and the DNS systems, with deterministic steps, approvals, and full logs.

End-to-end workflow (governed DNS change execution)

1) Trigger (ticket/event/AI insight)

  • Trigger: ServiceNow Change Request moves to Approved (or a Standard Change is requested)
  • Autom Mate trigger type: Event-based trigger (API/webhook)

2) Validation (required fields, policy and safety checks)

Autom Mate validates the change payload before touching DNS:

  • Required fields present:
    • record_type (A/AAAA/CNAME/TXT)
    • fqdn
    • value
    • ttl
    • environment (prod/non-prod)
    • requested_window_start/end
  • Policy checks:
    • Only approved zones allowed (e.g., corp.example.com, not example.com)
    • TTL bounds (e.g., prod TTL must be 60–3600)
    • CNAME rules (no CNAME at the zone apex, and no CNAME alongside other records for the same name)
    • Change window enforcement (block if outside window)
  • Safety checks:
    • Look up the current record and compute a before/after diff (no-op detection; the captured “before” value is also the rollback target)
    • Detect conflicting pending changes for same FQDN

If validation fails:

  • Autom Mate posts a comment back to the change with exact missing/invalid fields
  • Sets change state to “Awaiting Info” (or creates a task)

(Autom Mate supports validation + conditional steps + error handling patterns.)
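The checks in step 2 as working code. This is an added example, not Autom Mate or ServiceNow code: the payload shape mirrors the required fields listed above, the policy constants (ALLOWED_ZONES, PROD_TTL_RANGE) and the sample change are assumptions, and the clock is injectable so the change-window check is testable offline.

```python
"""Pre-flight validation for a ServiceNow-originated DNS change.
Added example (not Autom Mate or ServiceNow code); the payload shape and the
policy constants are assumptions that mirror the checks listed in step 2."""
from datetime import datetime, timezone

ALLOWED_ZONES = ("corp.example.com",)         # assumption: zones automation may touch
PROD_TTL_RANGE = (60, 3600)                   # assumption: prod TTL bounds in seconds
RECORD_TYPES = {"A", "AAAA", "CNAME", "TXT"}
REQUIRED = ("record_type", "fqdn", "value", "ttl", "environment",
            "requested_window_start", "requested_window_end")


def zone_for(fqdn):
    """Return the allowed zone that contains fqdn, or None if it is out of scope."""
    name = fqdn.rstrip(".").lower()
    for zone in ALLOWED_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def validate_change(change, current_record=None, pending_fqdns=(), now=None):
    """Return a list of human-readable findings; an empty list means 'safe to execute'.

    change:          dict with the REQUIRED fields (ISO-8601 window timestamps)
    current_record:  dict(record_type, value, ttl) as read from DNS, or None if absent
    pending_fqdns:   FQDNs that already have an in-flight change
    now:             injectable clock for the change-window check
    """
    errors = []
    missing = [f for f in REQUIRED if change.get(f) in (None, "")]
    if missing:
        # Report every missing field at once so the requester fixes them in one round trip.
        return [f"missing field: {f}" for f in missing]

    fqdn = change["fqdn"].rstrip(".").lower()
    rtype = change["record_type"].upper()
    env = change["environment"]
    zone = zone_for(fqdn)

    if rtype not in RECORD_TYPES:
        errors.append(f"unsupported record_type: {change['record_type']}")
    if env not in ("prod", "non-prod"):
        errors.append(f"environment must be prod or non-prod, got {env!r}")
    if zone is None:
        errors.append(f"zone not allowed for automation: {fqdn}")
    elif rtype == "CNAME" and fqdn == zone:
        errors.append("CNAME is not permitted at the zone apex")

    try:
        ttl = int(change["ttl"])
    except (TypeError, ValueError):
        ttl = None
        errors.append("ttl must be an integer number of seconds")
    if ttl is not None and env == "prod" and not PROD_TTL_RANGE[0] <= ttl <= PROD_TTL_RANGE[1]:
        errors.append(f"prod ttl {ttl} outside allowed range {PROD_TTL_RANGE}")

    try:
        start = datetime.fromisoformat(change["requested_window_start"])
        end = datetime.fromisoformat(change["requested_window_end"])
        now = now or datetime.now(timezone.utc)
        if not start <= now <= end:
            errors.append(f"outside change window {start.isoformat()}..{end.isoformat()}")
    except (TypeError, ValueError):
        errors.append("requested_window_start/end must be timezone-aware ISO-8601 timestamps")

    if fqdn in {p.rstrip(".").lower() for p in pending_fqdns}:
        errors.append(f"conflicting pending change for {fqdn}")

    # No-op detection: same type, value and TTL already published.
    if current_record is not None and ttl is not None and (
        current_record["record_type"].upper() == rtype
        and current_record["value"] == change["value"]
        and int(current_record["ttl"]) == ttl
    ):
        errors.append("no-op: record already matches requested state")
    return errors


# Constructed sample payload (not from a real ticket) and a fixed clock inside its window.
SAMPLE_CHANGE = {
    "record_type": "CNAME",
    "fqdn": "app.prod.corp.example.com",
    "value": "lb-2.prod.corp.example.com",
    "ttl": 300,
    "environment": "prod",
    "requested_window_start": "2024-05-01T22:00:00+00:00",
    "requested_window_end": "2024-05-01T23:00:00+00:00",
}
SAMPLE_NOW = datetime(2024, 5, 1, 22, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_change(SAMPLE_CHANGE, now=SAMPLE_NOW))                                   # []
    print(validate_change(dict(SAMPLE_CHANGE, fqdn="corp.example.com"), now=SAMPLE_NOW))    # apex CNAME
```

Every finding is a plain string so the whole list can be posted back to the change as one work note; returning early on missing fields keeps the policy checks from producing misleading errors about fields that are not there.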

3) Approval (human or rule-based)

Even after ServiceNow has approved the change, add a final execution gate so that AI/automation cannot take direct action without the right context:

  • If environment=prod or zone=external:
    • Require a second approval (e.g., DNS owner/on-call)
    • Send approval request to Microsoft Teams
  • If environment=non-prod and standard change template matches:
    • Auto-approve execution

Why: AI is probabilistic; DNS changes are not. Autom Mate keeps execution deterministic and governed.

4) Deterministic execution across systems

Once approved, the runbook executes:

  • ServiceNow (REST/HTTP/Webhook action):
    • Update change work notes: “Execution started”, include correlation/run id
  • DNS provider (REST/HTTP/Webhook action):
    • Create/Upsert DNS record
    • Re-read the record from the authoritative API (not through a caching resolver) to confirm it matches the desired state
  • Teams (Autom Mate library preferred; otherwise REST/HTTP/Webhook action):
    • Notify requester + DNS owner: “Change applied”, include before/after summary

5) Logging / audit

Autom Mate records:

  • Full execution logs (inputs, decisions, action timings)
  • Approval identity + timestamps
  • Before/after DNS values
  • Correlation id written back into the ServiceNow change

(Autom Mate provides execution logs, monitoring, and audit/security controls.)

6) Exception handling / rollback

If the DNS update fails or the read-back verification mismatches: automatic retries with backoff (bounded)

  • If still failing:
    • Open/Update a linked ServiceNow incident
    • Page/notify in Teams

Rollback strategy (deterministic):

  • If the record existed previously, restore the captured previous value/TTL
  • If it was newly created, delete it
  • Update ServiceNow change with rollback outcome

Restoring the authoritative record does not purge resolver caches: clients can keep serving the wrong value for up to the old TTL, which is why a cutover lowers the TTL ahead of time.

(Autom Mate supports error handling, fallback actions, and notifications.)
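Steps 3 to 6 as one runnable procedure: the rule-based execution gate, capture of the "before" state, upsert with read-back verification and bounded retries, and deterministic rollback. This is an added example, not Autom Mate or ServiceNow code. FakeDnsProvider is an in-memory stand-in (assumption) for the DNS provider REST action, the audit list stands in for the execution log and ServiceNow work notes, and the zone_scope / standard_change_template fields are assumed names for the inputs the gate needs.

```python
"""Governed execution of an already-validated DNS change (steps 3 to 6).
Added example, not Autom Mate or ServiceNow code. FakeDnsProvider is an
in-memory stand-in (assumption) for the DNS provider REST action; the audit
list stands in for the execution log and the ServiceNow work notes."""
import time


def required_approvals(change):
    """Rule-based execution gate: extra approvals needed on top of the ServiceNow
    change approval. Returns [] when execution may be auto-approved."""
    # assumption: zone_scope == "external" marks internet-facing zones
    if change["environment"] == "prod" or change.get("zone_scope") == "external":
        return ["dns_owner"]                   # second approval, requested in Teams
    if change["environment"] == "non-prod" and change.get("standard_change_template"):
        return []                              # matches a standard change template
    return ["dns_owner"]                       # anything unexpected fails closed


class FakeDnsProvider:
    """In-memory DNS API. fail_upserts makes the next N writes raise, so the
    retry and rollback paths can be exercised offline."""

    def __init__(self, records=None, fail_upserts=0):
        self.records = {k: dict(v) for k, v in (records or {}).items()}
        self.fail_upserts = fail_upserts

    def get(self, fqdn):
        rec = self.records.get(fqdn)
        return dict(rec) if rec else None

    def upsert(self, fqdn, record):
        if self.fail_upserts > 0:
            self.fail_upserts -= 1
            raise RuntimeError("provider returned 503")
        self.records[fqdn] = dict(record)

    def delete(self, fqdn):
        self.records.pop(fqdn, None)


def rollback(dns, fqdn, previous, run_id, audit):
    """Deterministic rollback: restore the captured record, or delete one we created.
    Returns True only if the read-back matches the pre-change state."""
    try:
        if previous is None:
            dns.delete(fqdn)
        else:
            dns.upsert(fqdn, previous)
    except RuntimeError as exc:
        audit.append({"run_id": run_id, "event": "rollback_failed", "error": str(exc)})
        return False
    restored = dns.get(fqdn) == previous
    audit.append({"run_id": run_id, "event": "rollback", "restored_to": previous, "verified": restored})
    return restored


def execute_change(change, dns, approvals_granted, run_id, audit,
                   max_attempts=3, sleep=time.sleep):
    """Apply the change with read-back verification and bounded retries.
    Returns one of: "blocked", "applied", "rolled_back", "rollback_failed"."""
    fqdn = change["fqdn"]
    desired = {"record_type": change["record_type"], "value": change["value"], "ttl": int(change["ttl"])}

    outstanding = sorted(set(required_approvals(change)) - set(approvals_granted))
    if outstanding:
        audit.append({"run_id": run_id, "event": "blocked", "missing_approvals": outstanding})
        return "blocked"

    # Capture the 'before' state once, before any write: it is both the audit
    # diff and the only trustworthy rollback target.
    previous = dns.get(fqdn)
    audit.append({"run_id": run_id, "event": "execution_started", "fqdn": fqdn,
                  "before": previous, "after": desired})

    for attempt in range(1, max_attempts + 1):
        try:
            dns.upsert(fqdn, desired)
            if dns.get(fqdn) != desired:          # re-read from the authoritative API
                raise RuntimeError("verification mismatch after write")
            audit.append({"run_id": run_id, "event": "applied", "attempt": attempt})
            return "applied"
        except RuntimeError as exc:
            audit.append({"run_id": run_id, "event": "attempt_failed", "attempt": attempt, "error": str(exc)})
            if attempt < max_attempts:
                sleep(2 ** attempt)               # bounded exponential backoff: 2s, 4s

    # Retries exhausted: roll back; the caller opens the linked incident on "rollback_failed".
    return "rolled_back" if rollback(dns, fqdn, previous, run_id, audit) else "rollback_failed"


if __name__ == "__main__":
    # Constructed sample: the first write fails, the retry succeeds.
    sample = {"record_type": "CNAME", "fqdn": "app.prod.corp.example.com",
              "value": "lb-2.prod.corp.example.com", "ttl": 300, "environment": "prod"}
    log = []
    print(execute_change(sample, FakeDnsProvider(fail_upserts=1), ["dns_owner"], "run-1", log))
    print(log)
```

Two design points are worth carrying over to the real runbook: the "before" read happens exactly once and before any write, so a partially applied retry can never overwrite the rollback target; and a rollback that cannot be verified returns a distinct status, so the incident path is taken instead of reporting a clean revert.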


Two mini examples

Mini example 1: “Point app to new load balancer” (CNAME swap)

  • Trigger: approved change “CNAME cutover”
  • Validation: ensure target is in allowed LB domains, TTL <= 300 in prod
  • Approval: require app owner approval in Teams
  • Execution: update app.prod.corp.example.com CNAME
  • Rollback: revert to previous CNAME if health check fails within 10 minutes

Mini example 2: “Add SPF include for a new email vendor” (TXT update)

  • Trigger: Service request converted to standard change
  • Validation: parse the existing TXT, ensure the result stays within SPF limits (at most 10 DNS-lookup terms per RFC 7208, 255-octet TXT strings) and vendor guidance, prevent duplicate includes
  • Approval: security/compliance approval required
  • Execution: update SPF TXT record and verify published value
  • Audit: attach final TXT string + diff into ServiceNow work notes
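The validation and verification steps of mini example 2 as code. This is an added example, not Autom Mate code: it parses the current SPF record, inserts the vendor include before the terminal all/redirect term, refuses duplicates, enforces the RFC 7208 limit of 10 DNS-lookup terms, splits the result into 255-octet TXT strings for publication, and checks that what was read back concatenates to the intended record. The sample records are constructed.

```python
"""SPF TXT update for an email vendor onboarding (mini example 2).
Added example, not Autom Mate code; the limits are RFC 7208's (10 DNS-lookup
terms, 255-octet TXT strings) and the sample records are constructed."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # count toward the 10-lookup limit
MAX_LOOKUPS = 10
TXT_STRING_MAX = 255


def parse_spf(txt):
    """Split an SPF record into terms; rejects anything that is not an SPF v1 record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    return terms


def _mechanism_name(term):
    """'+include:x' -> 'include', 'a/24' -> 'a', 'mx:foo' -> 'mx', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?").lower()
    return body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]


def count_lookups(terms):
    """Number of terms that cause a DNS lookup during evaluation (RFC 7208 section 4.6.4)."""
    names = [_mechanism_name(t) for t in terms[1:]]
    return sum(1 for n in names if n in LOOKUP_MECHANISMS or n == "redirect")


def add_include(txt, vendor_domain):
    """Return (new_record, changed). Adds include:<vendor_domain> before the 'all'
    (or redirect=) term, refuses duplicates, and enforces the lookup limit."""
    terms = parse_spf(txt)
    wanted = f"include:{vendor_domain.lower()}"
    if any(t.lstrip("+-~?").lower() == wanted for t in terms):
        return txt, False                              # duplicate include: no-op
    # Insert before the terminal term so the vendor is evaluated before 'all'.
    tail = next((i for i, t in enumerate(terms)
                 if _mechanism_name(t) in ("all", "redirect")), len(terms))
    new_terms = terms[:tail] + [wanted] + terms[tail:]
    lookups = count_lookups(new_terms)
    if lookups > MAX_LOOKUPS:
        raise ValueError(f"SPF would need {lookups} DNS lookups; limit is {MAX_LOOKUPS}")
    return " ".join(new_terms), True


def to_txt_strings(record):
    """Split a record into <=255-octet strings as the DNS API expects; resolvers
    concatenate them back without separators (RFC 7208 section 3.3).
    SPF records are ASCII, so character and octet counts coincide."""
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def published_matches(desired, published_strings):
    """Read-back verification: the published strings must concatenate to desired."""
    return "".join(published_strings) == desired


if __name__ == "__main__":
    current = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"   # constructed
    updated, changed = add_include(current, "spf.vendor.example")
    print(changed, updated, count_lookups(parse_spf(updated)))
    print(published_matches(updated, to_txt_strings(updated)))
```

The diff to attach to the work notes is simply the old and new strings; the lookup count is worth attaching too, because exceeding 10 makes receivers return permerror and silently breaks mail authentication for every sender in the record, not just the new vendor.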

Why Autom Mate (vs letting an AI agent do it directly)

  • DNS changes are high blast-radius; AI can misread context or hallucinate parameters
  • Autom Mate provides guardrails, approvals, deterministic execution, and auditable logs as the control plane between AI/ITSM and DNS systems

Discussion questions

  • Where do you want the “execution gate” to live: ServiceNow approval, Teams approval, or both?
  • For prod DNS, do you prefer auto-rollback on failed verification or pause + human decision?