Score:0

Setting up DNS for self-hosted ACME DNS server


I'm probably just being dense about this, but I am trying to set up an ACME DNS server on my local network (publicly accessible) to handle the DNS-01 challenges required to automate the renewal/reissuing of Let's Encrypt SSL certificates for my domain. I believe I have the server itself operational, but I'm running into confusion/roadblocks when it comes to actually getting the DNS set up properly for the domain and its authorization subdomain.

Reading the documentation, it states that I need to add:

  • NS record for auth.example.org pointing to auth.example.org (this means, that auth.example.org is responsible for any *.auth.example.org records)
  • A record for auth.example.org pointing to 198.51.100.1

My domain is registered with GoDaddy, but the DNS is hosted elsewhere. I have set up the A record with the DNS host to point to my ACME DNS server (and have all the routing set up in my firewall to access it), but trying to get the NS record added/set up is proving to be quite a challenge. According to my DNS host, they can't simply add the NS record to the zone file b/c it causes an infinite loop of DNS lookups.

Current DNS query (auth.example.org. 86400 IN A 198.51.100.1):
Client -> query goes to Registrar Company (GoDaddy)-> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers display the A record 198.51.100.1

DNS query with NS record (auth.example.org. 86400 IN NS auth.example.org.):
Client -> query goes to Registrar Company (GoDaddy)-> GoDaddy delegated the zone to [MyDNSHost] -> [MyDNSHost] DNS servers delegates the subdomain to auth.example.org -> and then it returns to the beginning and loops infinitely

This makes sense to me, but I'm left wondering exactly what to do to take the next step. I logged into my GoDaddy account and went to the domain's DNS management page. I can add an NS record, but it's for the entire example.org domain, not just the auth.example.org subdomain.

I tried to "Add Forwarding" for the subdomain, but that lets me know that it's going to "automatically update the domain to GoDaddy default nameservers if it's not currently using [them]", which is not what I want.

The only things I can think to do at this point are:

  1. Create a whole new zone for the auth.example.org subdomain with my current DNS host with the NS record pointing back to itself, but that seems like it's going to cause similar "looping" problems.
  2. Try to get GoDaddy to add the subdomain without changing the name servers (or charging for another domain name).

I'm sure I'm just missing something, but I'm not sure what that "something" could be at this point. Before I go trying to make a bunch of changes that end up causing the DNS resolution for my domain to fail, I just want to know to whom I should be directing my efforts to get the required NS record created? GoDaddy or [MyDNSHost]?

G_Hosa_Phat:
**NOTE:** This all started b/c my current DNS host doesn't have an API available for the hosting plan we're using. I suppose I *could* move my DNS zone back to GoDaddy where an API is available that would enable me to automate the DNS-01 challenge authorization from there, but, after looking over everything, I would prefer to keep the authorization process segregated from the main DNS host, no matter who that is.
almdandi:
In my opinion you should just add the NS records to your root zone. In the config file of acme-dns you add both the A and the NS record. Or you use the acme-dns service provided by acme-dns.io so you don't need to host your own.
G_Hosa_Phat:
Thank you for your input, @almdandi. But, as I explained above, adding it to the root `example.org` zone with my DNS host apparently results in an infinite loop of DNS lookups since the domain is registered with GoDaddy. Because of this, they say they can't add that `NS` record to my zone file.
Score:3

GoDaddy doesn't play a role here other than registrar. They can't do any of what you are suggesting, because they aren't in control of DNS beyond the TLD (Top Level Domain).

Go to your DNS host for example.org (The parent zone) and add:

  1. An NS record for auth.example.org that points to ns1.auth.example.org.
  2. Create an A record for ns1.auth.example.org that points to the IP address of your Acme DNS server. (A 'Glue' record)

Go to your ACME DNS server for auth.example.org (The Child zone):

  1. Create a zone for auth.example.org
  2. Create an SOA record for auth.example.org with pertinent information about the zone.
  3. Create an NS record for auth.example.org that points to ns1.auth.example.org. (Same as done in the Parent zone)
  4. Create whatever other records you need for xyz.auth.example.org, etc.

Done.

https://simpledns.plus/kb/64/how-to-delegate-a-sub-domain-to-other-dns-servers

How exactly should I set up DNS to delegate authority for subdomains?
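The delegation chain this answer lays out (parent NS record plus glue A record, then the child zone on the ACME DNS server), walked by a toy resolver so the difference between "with glue" and "without glue" is visible. This is an added example, not code from the answer, the question or the acme-dns project; every zone, hostname and IP address in it is constructed, and `ns1.mydnshost.example` / `203.0.113.53` are stand-ins for [MyDNSHost]'s nameserver. It also runs the README variant quoted in the question (NS target is `auth.example.org` itself with its own A record) to show that both layouts resolve once the glue is present.

```python
"""Toy walk of the auth.example.org delegation: parent NS + glue, then the child zone.

Added example, not the answer's or acme-dns's code. Every zone, name and IP
address here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    apex: str      # zone origin, e.g. "example.org."
    records: dict  # (owner name, type) -> list of rdata strings


# Parent zone as served by [MyDNSHost] for example.org (constructed).
PARENT = Zone("example.org.", {
    ("example.org.", "SOA"): ["ns1.mydnshost.example. hostmaster.example.org. 1 3600 600 86400 300"],
    ("example.org.", "NS"): ["ns1.mydnshost.example."],
    ("auth.example.org.", "NS"): ["ns1.auth.example.org."],  # delegation (answer's step 1)
    ("ns1.auth.example.org.", "A"): ["198.51.100.1"],        # glue (answer's step 2)
})

# Variant from the acme-dns README quoted in the question: the NS target is the
# delegated name itself, so the glue A record sits at auth.example.org.
README_PARENT = Zone("example.org.", {
    ("example.org.", "SOA"): PARENT.records[("example.org.", "SOA")],
    ("example.org.", "NS"): PARENT.records[("example.org.", "NS")],
    ("auth.example.org.", "NS"): ["auth.example.org."],
    ("auth.example.org.", "A"): ["198.51.100.1"],
})

# Child zone as served by the acme-dns instance at 198.51.100.1 (constructed).
CHILD = Zone("auth.example.org.", {
    ("auth.example.org.", "SOA"): ["ns1.auth.example.org. admin.example.org. 1 3600 600 86400 300"],
    ("auth.example.org.", "NS"): ["ns1.auth.example.org."],
    ("ns1.auth.example.org.", "A"): ["198.51.100.1"],
    ("token.auth.example.org.", "TXT"): ["constructed-acme-challenge-value"],
})

# Nameserver address -> zone it serves (constructed addresses).
SERVERS = {"203.0.113.53": PARENT, "198.51.100.1": CHILD}


def enclosing_names(name):
    """Yield name, then each ancestor name, stopping before the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def resolve(name, rtype, servers=SERVERS, start="203.0.113.53", max_hops=8):
    """Follow referrals from the parent's server; return (rdata, servers visited).

    Raises RuntimeError when a referral cannot be followed, e.g. the NS target
    lies inside the delegated zone but the parent carries no glue A record for
    it (the lookup loop the question describes).
    """
    ip, visited = start, []
    for _ in range(max_hops):
        zone = servers[ip]
        visited.append(ip)
        if (name, rtype) in zone.records:
            return zone.records[(name, rtype)], visited
        referred = False
        for cut in enclosing_names(name):
            if cut == zone.apex:
                break  # this server is authoritative and has no such record
            if (cut, "NS") not in zone.records:
                continue
            ns = zone.records[(cut, "NS")][0]
            glue = zone.records.get((ns, "A"))
            if glue is None:
                if ns == cut or ns.endswith("." + cut):
                    raise RuntimeError(
                        f"{cut} is delegated to {ns}, which lives inside {cut}, "
                        f"but {zone.apex} has no glue A record for it: unresolvable loop")
                raise RuntimeError(f"out-of-zone nameserver {ns} not modelled here")
            ip, referred = glue[0], True
            break
        if not referred:
            return [], visited  # NODATA/NXDOMAIN from the authoritative zone
    raise RuntimeError("too many referrals")


def diagnose(servers, name="token.auth.example.org.", rtype="TXT"):
    """Return a one-line verdict for the delegation chain."""
    try:
        rdata, visited = resolve(name, rtype, servers)
    except RuntimeError as exc:
        return f"BROKEN: {exc}"
    return f"OK: {rtype} for {name} = {rdata} via {' -> '.join(visited)}"


def without_glue(parent):
    """Copy of the parent zone with the glue A record for ns1 removed."""
    recs = {k: v for k, v in parent.records.items() if k != ("ns1.auth.example.org.", "A")}
    return Zone(parent.apex, recs)


if __name__ == "__main__":
    print(diagnose(SERVERS))
    print(diagnose({"203.0.113.53": README_PARENT, "198.51.100.1": CHILD}))
    print(diagnose({"203.0.113.53": without_glue(PARENT), "198.51.100.1": CHILD}))
```

The third line of output is the situation the question ran into: the parent refers the client to a nameserver whose address can only be learned from the zone being delegated, so nothing below `auth.example.org` is reachable. Against live DNS the same walk is what `dig +trace token.auth.example.org TXT` shows hop by hop, and the child zone's SOA, NS and A records are what acme-dns serves from the `records` list in its configuration, as the acme-dns README describes.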

G_Hosa_Phat:
Okay, so one difference between what you've described and what the instructions in the README for the GitHub repo show is that the `A` record in the parent zone is for a "sub-subdomain" (`ns1.auth.example.org` as opposed to just `auth.example.org`), and the `NS` record is pointing to that "sub-subdomain". I believe that may be the "root" (pardon the DNS pun) of my problem and I'm hoping that I should be able to take it from there. Thank you so much.
almdandi:
You can't add an `NS` record for `auth.example.org` and also add an `A` record for `ns1.auth.example.org` or `auth.example.org` in the parent zone, because the `NS` record for `auth.example.org` will catch all requests for `auth.example.org` and all sub zones (`*.auth.example.org`). To serve the `auth.example.org` sub zone you need to add the records in your authoritative DNS server for the sub zone linked in the `NS` record in the parent zone. In your case that is `acme-dns`.
Appleoddity:
@almdandi wrong. It’s called a glue record. Without the glue record in the parent zone, clients will not know how to find the authoritative DNS server for auth.example.org. Because they have to find that zone before they find ns1.auth.example.org if done as you described. Make sense?