I'm probably just being dense about this, but I am trying to set up an ACME DNS server on my local network (publicly accessible) to handle the DNS-01 challenges required to automate the renewal/reissuing of Let's Encrypt SSL certificates for my domain. I believe I have the server itself operational, but I'm running into confusion/roadblocks when it comes to actually getting the DNS set up properly for the domain and its authorization subdomain.
Reading the documentation, it states that I need to add:
NS
record for auth.example.org
pointing to auth.example.org
(this means, that auth.example.org
is responsible for any *.auth.example.org
records)
A
record for auth.example.org
pointing to 198.51.100.1
My domain is registered with GoDaddy, but the DNS is hosted elsewhere. I have set up the A
record with the DNS host to point to my ACME DNS server (and have all the routing set up in my firewall to access it), but trying to get the NS
record added/set up is proving to be quite a challenge. According to my DNS host, they can't simply add the NS
record to the zone file b/c it causes an infinite loop of DNS lookups.
Current DNS query (auth.example.org. 86400 IN A 198.51.100.1
):
Client -> query goes to Registrar Company (GoDaddy)-> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers display the A
record 198.51.100.1
DNS query with NS record (auth.example.org. 86400 IN NS auth.example.org.
):
Client -> query goes to Registrar Company (GoDaddy)-> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers delegates the subdomain to auth.example.org
-> and then it returns to the beginning and loops infinitely
This makes sense to me, but I'm left wondering exactly what to do to take the next step. I logged into my GoDaddy account and went to the domain's DNS management page. I can add an NS
record, but it's for the entire example.org
domain, not just the auth.example.org
subdomain.
I tried to "Add Forwarding" for the subdomain, but that lets me know that it's going to "automatically update the domain to GoDaddy default nameservers if it's not currently using [them]", which is not what I want.
The only things I can think to do at this point are:
- Create a whole new zone for the
auth.example.org
subdomain with my current DNS host with the NS
record pointing back to itself, but that seems like it's going to cause similar "looping" problems.
- Try to get GoDaddy to add the subdomain without changing the name servers (or charging for another domain name).
I'm sure I'm just missing something, but I'm not sure what that "something" could be at this point. Before I go trying to make a bunch of changes that end up causing the DNS resolution for my domain to fail, I just want to know to whom I should be directing my efforts to get the required NS
record created? GoDaddy or [MyDNSHost]?