
I'm probably just being dense about this, but I am trying to set up an ACME DNS server on my local network (publicly accessible) to handle the DNS-01 challenges required to automate the renewal/reissuing of Let's Encrypt SSL certificates for my domain. I believe I have the server itself operational, but I'm running into confusion/roadblocks when it comes to actually getting the DNS set up properly for the domain and its authorization subdomain.

Reading the documentation, it states that I need to add:

  • NS record for auth.example.org pointing to auth.example.org (this means, that auth.example.org is responsible for any *.auth.example.org records)
  • A record for auth.example.org pointing to 198.51.100.1

My domain is registered with GoDaddy, but the DNS is hosted elsewhere. I have set up the A record with the DNS host to point to my ACME DNS server (and have all the routing set up in my firewall to access it), but trying to get the NS record added/set up is proving to be quite a challenge. According to my DNS host, they can't simply add the NS record to the zone file b/c it causes an infinite loop of DNS lookups.

Current DNS query (auth.example.org. 86400 IN A 198.51.100.1):
Client -> query goes to Registrar Company (GoDaddy) -> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers display the A record 198.51.100.1

DNS query with NS record (auth.example.org. 86400 IN NS auth.example.org.):
Client -> query goes to Registrar Company (GoDaddy) -> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers delegate the subdomain to auth.example.org -> and then it returns to the beginning and loops infinitely

This makes sense to me, but I'm left wondering exactly what to do to take the next step. I logged into my GoDaddy account and went to the domain's DNS management page. I can add an NS record, but it's for the entire example.org domain, not just the auth.example.org subdomain.

I tried to "Add Forwarding" for the subdomain, but that lets me know that it's going to "automatically update the domain to GoDaddy default nameservers if it's not currently using [them]", which is not what I want.

The only things I can think to do at this point are:

  1. Create a whole new zone for the auth.example.org subdomain with my current DNS host with the NS record pointing back to itself, but that seems like it's going to cause similar "looping" problems.
  2. Try to get GoDaddy to add the subdomain without changing the name servers (or charging for another domain name).

I'm sure I'm just missing something, but I'm not sure what that "something" could be at this point. Before I go trying to make a bunch of changes that end up causing the DNS resolution for my domain to fail, I just want to know to whom I should be directing my efforts to get the required NS record created? GoDaddy or [MyDNSHost]?

G_Hosa_Phat
  • **NOTE:** This all started b/c my current DNS host doesn't have an API available for the hosting plan we're using. I suppose I *could* move my DNS zone back to GoDaddy where an API is available that would enable me to automate the DNS-01 challenge authorization from there, but, after looking over everything, I would prefer to keep the authorization process segregated from the main DNS host, no matter who that is. – G_Hosa_Phat Feb 15 '22 at 19:25
  • In my opinion you should just add the NS records to your root zone. In the config file of acme-dns you add both the A and NS records. Or you use the acme-dns service provided by acme-dns.io so you don't need to host your own – almdandi Feb 15 '22 at 19:38
  • Thank you for your input, @almdandi. But, as I explained above, adding it to the root `example.org` zone with my DNS host apparently results in an infinite loop of DNS lookups since the domain is registered with GoDaddy. Because of this, they say they can't add that `NS` record to my zone file. – G_Hosa_Phat Feb 15 '22 at 19:52

1 Answer


GoDaddy doesn't play a role here other than registrar. They can't do any of what you are suggesting, because they aren't in control of DNS beyond the TLD (Top Level Domain).

Go to your DNS host for example.org (The parent zone) and add:

  1. An NS record for auth.example.org that points to ns1.auth.example.org.
  2. Create an A record for ns1.auth.example.org that points to the IP address of your Acme DNS server. (A 'Glue' record)

Go to your ACME DNS server for auth.example.org (The Child zone):

  1. Create a zone for auth.example.org
  2. Create an SOA record for auth.example.org with pertinent information about the zone.
  3. Create an NS record for auth.example.org that points to ns1.auth.example.org. (Same as done in the Parent zone)
  4. Create whatever other records you need for xyz.auth.example.org, etc.

Done.

https://simpledns.plus/kb/64/how-to-delegate-a-sub-domain-to-other-dns-servers

How exactly should I set up DNS to delegate authority for subdomains?

Appleoddity
  • Okay, so one difference between what you've described and what the instructions in the README for the GitHub repo show is that the `A` record in the parent zone is for a "sub-subdomain" (`ns1.auth.example.org` as opposed to just `auth.example.org`), and the `NS` record is pointing to that "sub-subdomain". I believe that may be the "root" (pardon the DNS pun) of my problem and I'm hoping that I should be able to take it from there. Thank you so much. – G_Hosa_Phat Feb 15 '22 at 20:25
  • You can't add an `NS` record for `auth.example.org` and also add an `A` record for `ns1.auth.example.org` or `auth.example.org` in the parent zone, because the `NS` record for `auth.example.org` will catch all requests for `auth.example.org` and all sub zones (`*.auth.example.org`). To serve the `auth.example.org` sub zone you need to add the records in your authoritative DNS server for the sub zone linked in the `NS` record in the parent zone. In your case that is `acme-dns`. – almdandi Feb 15 '22 at 20:50
  • @almdandi wrong. It’s called a glue record. Without the glue record in the parent zone, clients will not know how to find the authoritative DNS server for auth.example.org. Because they have to find that zone before they find ns1.auth.example.org if done as you described. Make sense? – Appleoddity Feb 15 '22 at 21:33
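An added example (not from the question, the answer, or the acme-dns project) that models the glue rule the answer and its last comment rely on: when a parent zone's NS record names a server that lives inside the delegated zone, a resolver can only learn that server's address from an A record in the parent itself; without that glue the referral points back into the zone being looked up, which is the loop the question describes. The zone contents below are constructed, using the page's placeholder names and IP.

```python
# Offline model of how a resolver follows the parent zone's delegation for
# auth.example.org. Records are (owner, rrtype, rdata) tuples as the parent
# (example.org) DNS host would publish them. All data here is constructed.

DELEGATED = "auth.example.org."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the delegated zone apex."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_records, zone=DELEGATED):
    """Return 'ok', 'no-delegation' or 'missing-glue' for the parent zone.

    An NS target outside the delegated zone (e.g. at the DNS host's own
    domain) can be resolved normally, so it needs no glue. An NS target
    inside the delegated zone needs an A/AAAA record in the parent, because
    asking the child for its own nameserver's address would loop.
    """
    ns_targets = [rd for own, rt, rd in parent_records
                  if own == zone and rt == "NS"]
    if not ns_targets:
        return "no-delegation"
    glue = {own for own, rt, _ in parent_records if rt in ("A", "AAAA")}
    for target in ns_targets:
        if in_bailiwick(target, zone) and target not in glue:
            return "missing-glue"
    return "ok"


# Constructed parent-zone contents for the configurations discussed above.
README_STYLE = [  # NS and glue at the same owner name (acme-dns README form)
    (DELEGATED, "NS", DELEGATED),
    (DELEGATED, "A", "198.51.100.1"),
]
ANSWER_STYLE = [  # answer's form: NS -> ns1.auth, glue A for ns1.auth
    (DELEGATED, "NS", "ns1." + DELEGATED),
    ("ns1." + DELEGATED, "A", "198.51.100.1"),
]
NO_GLUE = [       # NS only: every referral points back into the child zone
    (DELEGATED, "NS", "ns1." + DELEGATED),
]

if __name__ == "__main__":
    for label, recs in [("README", README_STYLE), ("answer", ANSWER_STYLE),
                        ("no glue", NO_GLUE)]:
        print(f"{label:8s}: {check_delegation(recs)}")
```

Running it reports "ok" for the two glued layouts and "missing-glue" for the NS-only layout; the same three-record check is what `dig +norecurse` against the parent's nameservers would show in the authority and additional sections.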