Google Domains, we are dead to you ...

It 'only' took Google seven years to take Google Domains out of beta in March this year.  Given their forever-beta reputation, it was great news that we could finally get comfortable with Google Domains for domain registration.  The service is relatively easy to set up, especially for small businesses or personal sites where all you need is a custom domain name with the Blogger service or static web hosting.   Guess what? It was out of beta just so they could hand it to Squarespace as a 'final' product.  Seriously, W.T.F.  
The sketchy part of the email is 'After this migration period Squarespace will be solely responsible for providing domain services to you.'  Damn! The classic 'you are dead to me'.  Squarespace is a web site hosting company, not a domain or web services provider.  We can't find any information on whether they will start charging for domain hosting as a separate service or whether all domain hosting will be part of the web site hosting (i.e. $23/month, or $16/month billed annually).  There are many reasons for domain parking, such as forwarding, brand preservation or future planning.  It is risky to hope for the best, so here we go: time to transfer all the domains, and AWS is our next pick.  It was not our first choice, given Google Domains is much easier to configure for domain forwarding, SSL, DNS ... etc. while the price is competitive.

Transferring domains is pretty straightforward when transferring within the same hosting service under different accounts.  Transferring to a different hosting service, however, can be a total nightmare, as different hosting services have their own ways of organizing directories, naming conventions, permission settings, configuration ... etc. Quite often you realize you f*'d up only when it is too late.  For instance, never transfer both domain registration and DNS at the same time if your domain is serving production traffic.  Most domain transfer instructions seem to only highlight the reason why you 'should not' keep your existing DNS service (sounds logical).  However, there are little to no instructions on how to transfer your domain gracefully without falling into the 'DNS dead zone', given that DNS servers can cache DNS queries for up to 48 hours.  With both a new registration and mismatched DNS records (Google will drop the DNS service immediately as soon as the domain is transferred out: 'You are dead to me, again'), your site will get 'server name not found' for hours (hopefully) if not days, until the global network of name servers picks up the new records.  

Make sure you move the DNS service prior to transferring your domain, and use the whois command to verify before transferring the domain. 

Transferring domain from Google Domains to AWS

The basics
1.  Set up a new hosted zone for your domain in Route 53.  There should be 4 NS records similar to this:

2. For Blogger service (or skip to step 3)

    2a.  You need to add a CNAME in Route 53 with a value similar to this:
    2b.  Create an A record by copying the values from Google Domains.  There should be 4 sets similar to this:

3.  Configure custom NS records from AWS in Google Domains instead of using the default setting
4. Wait until you confirm the DNS changes using the whois command
5. The rest should be straight forward: 
    a.  Unlock your domain and turn off domain privacy
    b.  Get the auth code from google
    c.  Request domain transfer from Route53 using the auth code from google
    d.  A couple of emails from both Google and AWS to confirm the transfer

Domain parking only

For domain parking only, all you need is to set up a new hosted zone in Route 53 (Step 1), then skip to Step 4.  Once the domain transfer has been confirmed, you may delete the hosted zone, whether for housekeeping or because 50 cents is 50 cents.  

URL forwarding within AWS (a good blog post for details)

In case s* happens (which is likely why you are here)

If you really got stuck in the DNS dead zone, instead of waiting for the DNS to be refreshed and hoping for the best, verify the following things to make sure there are no easter eggs from AWS or Google Domains:

1.  Check all your emails, making sure there are no pending confirmations 
2.  Use the dig command to check whether your domain is being resolved by various name servers
3.  For URL forwarding within AWS, check the CloudFront distribution URL, making sure the page is up
4.  Check the DNSSEC status in Route 53 in the following two places:

      In hosted zone details

and under the registered domains 

making sure their configuration statuses match.  There are cases where we found a mystery DNSSEC key was set up (or generated?) under registered domains while DNSSEC signing in the hosted zone was not enabled.   This partial/mystery key set-up, hidden in an odd and least expected place, could really screw you up big time.
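As an added example (not code from the original post), here is a Python pre-flight check that covers step 4 of the transfer procedure above and the DNSSEC check in this section: it parses the output of whois and dig, reports whether the registry still delegates to the old name servers, and reports whether a DS record at the parent has no matching DNSKEY in the hosted zone (the 'mystery key' case, which makes validating resolvers fail). The sample command output, the awsdns/googledomains host names and the key material are constructed for the example.

```python
import base64
import re
import struct

# Constructed sample command output (not captured from any real domain). Real inputs come from:
#   whois <domain>; dig +short NS <domain> @<route53-ns>; dig +short DS <domain>;
#   dig +short DNSKEY <domain> @<route53-ns>
WHOIS_SAMPLE = "Domain Name: EXAMPLE.COM\nName Server: NS-CLOUD-A1.GOOGLEDOMAINS.COM\nName Server: NS-CLOUD-A2.GOOGLEDOMAINS.COM\n"
ZONE_NS_SAMPLE = "ns-123.awsdns-45.com.\nns-678.awsdns-90.net.\n"
DS_SAMPLE = "2070 13 2 0123456789ABCDEF\n"    # key tag 2070, algorithm 13, digest type 2 (digest constructed)
DNSKEY_SAMPLE = "257 3 13 AQIBAgECAQI=\n"      # KSK flags, constructed 8-byte key (not a real ECDSA key)

def parse_whois_ns(text):
    # 'Name Server:' lines from whois output, normalized (lowercase, no trailing dot)
    return {m.group(1).rstrip(".").lower()
            for m in re.finditer(r"(?im)^\s*Name Server:\s*(\S+)", text)}

def parse_short(text):
    # one value per line of `dig +short`, normalized the same way
    return {ln.strip().rstrip(".").lower() for ln in text.splitlines() if ln.strip()}

def dnskey_keytag(flags, protocol, algorithm, key_b64):
    # RFC 4034 Appendix B key tag: the number a DS record uses to refer to a DNSKEY
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_tags(dnskey_text):
    # `dig +short DNSKEY` lines look like 'flags protocol algorithm base64' (base64 may be space-split)
    return {dnskey_keytag(int(f), int(p), int(a), k.replace(" ", ""))
            for f, p, a, k in (ln.split(None, 3) for ln in dnskey_text.splitlines() if ln.strip())}

def ds_tags(ds_text):
    return {int(ln.split()[0]) for ln in ds_text.splitlines() if ln.strip()}  # first DS field is the key tag

def preflight(whois_text, zone_ns_text, ds_text, dnskey_text):
    """Problems that would put the domain in the dead zone if the registrar transfer started now."""
    findings = []
    registry_ns, zone_ns = parse_whois_ns(whois_text), parse_short(zone_ns_text)
    if registry_ns != zone_ns:  # step 3 not done, or not yet visible at the registry
        findings.append("NS mismatch: registry %s vs hosted zone %s"
                        % (sorted(registry_ns), sorted(zone_ns)))
    orphaned = ds_tags(ds_text) - dnskey_tags(dnskey_text)
    if orphaned:  # the 'mystery key' case: DS at the parent, nothing signing in the zone
        findings.append("DS key tag(s) %s have no matching DNSKEY; validating resolvers will SERVFAIL"
                        % sorted(orphaned))
    return findings
```

Run `preflight(WHOIS_SAMPLE, ZONE_NS_SAMPLE, DS_SAMPLE, "")` to see both findings on the sample data; an empty list means the delegation has moved and the DS/DNSKEY pair is consistent.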