I'm probably just being dense about this, but I am trying to set up an ACME DNS server on my local network (publicly accessible) to handle the DNS-01 challenges required to automate the renewal/reissuing of Let's Encrypt SSL certificates for my domain. I believe I have the server itself operational, but I'm running into confusion/roadblocks when it comes to actually getting the DNS set up properly for the domain and its authorization subdomain.
Reading the documentation, it states that I need to add:
- NS record for auth.example.org pointing to auth.example.org (this means that auth.example.org is responsible for any *.auth.example.org records)
- A record for auth.example.org pointing to 198.51.100.1
My domain is registered with GoDaddy, but the DNS is hosted elsewhere. I have set up the A record with the DNS host to point to my ACME DNS server (and have all the routing set up in my firewall to access it), but trying to get the NS record added/set up is proving to be quite a challenge. According to my DNS host, they can't simply add the NS record to the zone file because it causes an infinite loop of DNS lookups.
Current DNS query (auth.example.org. 86400 IN A 198.51.100.1):
Client -> query goes to Registrar Company (GoDaddy) -> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers display the A record 198.51.100.1
DNS query with NS record (auth.example.org. 86400 IN NS auth.example.org.):
Client -> query goes to Registrar Company (GoDaddy) -> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers delegate the subdomain to auth.example.org -> and then it returns to the beginning and loops infinitely
This makes sense to me, but I'm left wondering exactly what to do to take the next step. I logged into my GoDaddy account and went to the domain's DNS management page. I can add an NS record, but it's for the entire example.org domain, not just the auth.example.org subdomain.
I tried to "Add Forwarding" for the subdomain, but that lets me know that it's going to "automatically update the domain to GoDaddy default nameservers if it's not currently using [them]", which is not what I want.
The only things I can think to do at this point are:
- Create a whole new zone for the auth.example.org subdomain with my current DNS host with the NS record pointing back to itself, but that seems like it's going to cause similar "looping" problems.
- Try to get GoDaddy to add the subdomain without changing the name servers (or charging for another domain name).
I'm sure I'm just missing something, but I'm not sure what that "something" could be at this point. Before I go trying to make a bunch of changes that end up causing the DNS resolution for my domain to fail, I just want to know to whom I should be directing my efforts to get the required NS record created: GoDaddy or [MyDNSHost]?
GoDaddy doesn't play a role here other than registrar. They can't do any of what you are suggesting, because they aren't in control of DNS beyond the TLD (Top Level Domain).
Go to your DNS host for example.org (the parent zone) and add:
- NS record for auth.example.org that points to ns1.auth.example.org.
- A record for ns1.auth.example.org that points to the IP address of your ACME DNS server. (A 'glue' record)
Go to your ACME DNS server for auth.example.org (the child zone):
- Zone auth.example.org
- SOA record for auth.example.org with pertinent information about the zone.
- NS record for auth.example.org that points to ns1.auth.example.org. (Same as done in the parent zone)
- Records for xyz.auth.example.org, etc.
Done.
https://simpledns.plus/kb/64/how-to-delegate-a-sub-domain-to-other-dns-servers
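The parent/child split in the answer above has a few consistency rules that are easy to get wrong: the parent must carry the NS records at the cut, a nameserver named inside the delegated zone needs glue in the parent, anything else the parent holds at or below the cut is occluded once the delegation exists, and the child zone's SOA/NS set and nameserver addresses must agree with the parent. The following is an added example, not code from the question, the answer or any DNS product, that checks those rules offline against constructed record sets; the nameserver name ns1.auth.example.org, the hostmaster address and the dnshost.example nameservers are assumptions, and 198.51.100.1 is the documentation address from the question.

```python
# Added example (not part of the question or the answer): an offline consistency
# check for the parent/child delegation described in the answer. All record sets
# here are constructed for illustration; names ending in "." are fully qualified.

from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def rrset(records: List[Record], owner: str, rtype: str) -> Set[str]:
    """Collect the rdata of every record with the given owner and type."""
    return {rd for o, t, rd in records if o == owner and t == rtype}


def check_delegation(parent: List[Record], child_zone: str, child: List[Record]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the delegation is consistent."""
    problems: List[str] = []

    # 1. The parent must hold the zone cut: NS records at the child apex.
    parent_ns = rrset(parent, child_zone, "NS")
    if not parent_ns:
        problems.append(f"parent has no NS records for {child_zone}")

    # 2. A nameserver named inside the delegated zone ("in-bailiwick") can only be
    #    reached through glue in the parent; without glue the delegation is unresolvable.
    glue_owners: Set[str] = set()
    for ns in parent_ns:
        if in_zone(ns, child_zone):
            glue_owners.add(ns)
            if not (rrset(parent, ns, "A") | rrset(parent, ns, "AAAA")):
                problems.append(f"no glue (A/AAAA) in parent for in-bailiwick nameserver {ns}")

    # 3. Anything else the parent holds at or below the cut is occluded: resolvers
    #    never see it once the NS records exist, so it belongs in the child zone.
    for owner, rtype, rdata in parent:
        if not in_zone(owner, child_zone):
            continue
        if owner == child_zone and rtype in ("NS", "DS"):
            continue
        if owner in glue_owners and rtype in ("A", "AAAA"):
            continue
        problems.append(f"{owner} {rtype} {rdata} in parent is occluded by the delegation")

    # 4. The child must be a real zone: exactly one SOA and the same NS set as the parent.
    if len(rrset(child, child_zone, "SOA")) != 1:
        problems.append(f"child zone {child_zone} needs exactly one SOA record")
    child_ns = rrset(child, child_zone, "NS")
    if child_ns != parent_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")

    # 5. Glue in the parent must agree with the child's own address records.
    for ns in glue_owners & child_ns:
        for rtype in ("A", "AAAA"):
            p, c = rrset(parent, ns, rtype), rrset(child, ns, rtype)
            if p and c and p != c:
                problems.append(f"glue for {ns} ({sorted(p)}) differs from child {rtype} ({sorted(c)})")
    return problems


# Constructed parent zone (example.org) laid out as the answer describes.
PARENT_OK: List[Record] = [
    ("example.org.", "SOA", "ns1.dnshost.example. hostmaster.example.org. 1 7200 900 1209600 300"),
    ("example.org.", "NS", "ns1.dnshost.example."),
    ("example.org.", "NS", "ns2.dnshost.example."),
    ("auth.example.org.", "NS", "ns1.auth.example.org."),   # the delegation (zone cut)
    ("ns1.auth.example.org.", "A", "198.51.100.1"),          # glue for the in-bailiwick nameserver
]

# Constructed child zone (auth.example.org) served by the ACME DNS server.
CHILD_OK: List[Record] = [
    ("auth.example.org.", "SOA", "ns1.auth.example.org. hostmaster.example.org. 1 7200 900 1209600 300"),
    ("auth.example.org.", "NS", "ns1.auth.example.org."),
    ("ns1.auth.example.org.", "A", "198.51.100.1"),
    ("xyz.auth.example.org.", "TXT", '"constructed-challenge-token"'),
]

# Constructed broken parent: an NS record added next to the existing A record for
# auth.example.org, with no glue for ns1.auth.example.org. The A record is now
# occluded and the nameserver cannot be found, so the child zone is unreachable.
PARENT_BROKEN: List[Record] = [
    ("example.org.", "SOA", "ns1.dnshost.example. hostmaster.example.org. 1 7200 900 1209600 300"),
    ("example.org.", "NS", "ns1.dnshost.example."),
    ("auth.example.org.", "A", "198.51.100.1"),
    ("auth.example.org.", "NS", "ns1.auth.example.org."),
]


if __name__ == "__main__":
    for label, parent in (("correct", PARENT_OK), ("broken", PARENT_BROKEN)):
        found = check_delegation(parent, "auth.example.org.", CHILD_OK)
        print(label, "->", found or "no problems")
```

Running the module prints no problems for the layout the answer recommends and two for the broken variant: the missing glue and the occluded A record at the cut. The check is deliberately a model of the zone data, not a live query; once the real zones are published, the same conditions can be confirmed with a resolver by asking the parent's nameservers for the NS records of auth.example.org and then querying the glue address directly for the child's SOA.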
How exactly should I set up DNS to delegate authority for subdomains?