I'm attempting to achieve the following:
- A public nameserver for my domain which points `example.com` to a public IP address.
- A private nameserver for the same domain running within a LAN which instead points clients to a private IP address on the same LAN.
- DNSSEC enabled.
Achieving the first and last points together is of course comparatively easy, so it's getting the private component to work that's the issue.
In terms of my actual setup:
- I'm using Cloudflare's DNS service, where I have an A record for my domain pointing to a public IP address and DNSSEC enabled.
- At my registrar, I've added a DS record based on what Cloudflare gives me and configured Cloudflare's nameservers. All of this works fine, as you'd expect.
- Internally I'm running Pi-Hole (set as the DNS server for clients on my LAN) which is configured with DNSSEC enabled and pointing to a local CoreDNS instance as the upstream resolver.
- In CoreDNS, I have a zone configured for `example.com` which is signed with keys generated by `coredns-keygen`. This has an A record pointing to an internal IP address.
- I have a second DS record at my registrar based on the key used internally by CoreDNS.
What happens:
- The general setup works for resolving domains which aren't mine.
- Pi-Hole responds with `SERVFAIL` and logs `ABANDONED` when I attempt to resolve my domain.
- But, if I point a client directly to CoreDNS (e.g. with `dig`), I get the response expected with the LAN IP address.
- Also, if I disable DNSSEC in Pi-Hole, it works fine.
So my questions are:
- Is what I'm trying to achieve even possible?
- I'm starting to wonder if having separate DS records at my registrar is wrong, but I don't think I can retrieve the private key Cloudflare is using, nor can I upload custom keys, so I'm not sure how I can use the same keys for public and private.
- Is there any reason why things seem to work if I point my clients to CoreDNS directly but Pi-Hole is refusing to cooperate?
Thanks!
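One check worth running on a setup like the one above is whether the DS record published at the registrar for the internal key actually matches the DNSKEY that CoreDNS serves: if none of the DS records in the parent zone matches a key that signs the child's DNSKEY RRset, a validating resolver treats the zone as bogus and answers SERVFAIL. The script below is an added example (not code from the original post, CoreDNS or Pi-Hole) that derives the key tag and DS digest from a DNSKEY presentation line per RFC 4034 and compares them with a DS line; the DNSKEY shown is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample (not a real key): a DNSKEY line as CoreDNS would serve it.
# "AAECAw==" is base64 for the placeholder public-key bytes 00 01 02 03.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Return (owner, algorithm, rdata) from a DNSKEY presentation-format line."""
    parts = line.split()
    idx = parts.index("DNSKEY")  # tolerates an optional TTL and class before it
    flags, proto, alg = (int(x) for x in parts[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(parts[idx + 4:]))
    return parts[0], alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int = 2):
    """Compute (key tag, algorithm, digest type, hex digest) as a DS record carries them."""
    owner, alg, rdata = parse_dnskey(line)
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]  # SHA-256 / SHA-384
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if a published DS line (e.g. copied from the registrar) matches the DNSKEY."""
    parts = ds_line.split()
    idx = parts.index("DS")
    tag, alg, dtype = (int(x) for x in parts[idx + 1:idx + 4])
    published = "".join(parts[idx + 4:]).upper()
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, published)
```

Paste the DNSKEY line returned by `dig DNSKEY example.com @<coredns-ip>` and the DS line from the registrar into `ds_matches` to confirm the pair agree before debugging the resolver itself.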