Can't get started with DDNS

Hi, my provider put me behind DHCP, so I want to break through to my home server using DDNS.

My router, a Nokia E-240W-A, supports DDNS with desec.io, so I tried to use this service, but had no luck making it work. I hope you can help me configure it properly.

I own a domain name at GoDaddy so I was trying to use it for DDNS.

What I did:

  1. Registered at desec.io with my domain name and created an auth token (saved the secret).
  2. In my router configuration I chose the desec.io service, specified my domain name, used the same name as the user name and the token secret as the password.
  3. I configured port forwarding for port 443 from my router to the home server.
  4. In the GoDaddy console for my domain I pointed it to the nameservers provided by desec:
  5. In the desec admin the DNS records only have NS records pointing to the same list as above (I left it as it was by default).

As a result, when I go to the external IP address directly I see my website, but when I try to use the domain name it does not work, showing a “can’t reach” error with the DNS_PROBE_FINISHED_NXDOMAIN comment (in both cases I access over https).

Am I missing something obvious?

According to your description (5.), you have not defined any A or AAAA records for the domain or the www subdomain name.

I tried to define an A record in the desec admin, but it requires an IP address, which is supposed to be dynamic. I tried to use the current IP address and added an A record, but it did not help; the behaviour remains the same.

You mean you are getting dynamic IPs, right? DHCP would be one way to accomplish that but not the only one. E.g. for IPv6 DHCPv6 may not be used depending on the provider. And DHCP does not necessarily imply dynamic IPs. It can be configured with static IPs as well.

I don’t see the step where you got your provider to set the DS records in the parent domain. Did you fail to mention that, or is it automatic with goDaddy? You can check the correct DNSSEC setup using e.g. https://dnsviz.net. Without the correct chain of trust, any validating resolver (which most probably are) will fail to resolve hostnames for your domain. That would explain your NXDOMAIN error.

HTH
fiwswe

Yeah, I mean I’m getting a dynamic IPv4 address through DHCP. I did not set any DS records in GoDaddy. I did not see any guides regarding that, so I’m not sure what to set up.

At this moment I have just given up and added DNS from dynu instead; it just works out of the box without extra setup. I still want to understand how to set it up with desec, as I might come back to it.

First, deSEC e.V.'s stated mission is to propagate the use of DNSSEC. So if you use their services you get DNSSEC — always. It is very nice that in executing their mission, they provide a very good and free DNS service as well. Though that can almost be viewed as secondary.

To set up the DNSSEC chain of trust, each parent domain must have DS records pointing to the DNSKEY records that are used to sign the DNSKEY RRset (KSK or CSK) of the subdomain. For example if you have registered example.com. as your domain then the com. parent zone needs an example DS … record. (Very similar to the NS glue records that are already present there. And just like the . root zone has a DS record for the com subdomain.)

Access to the parent domain is not possible unless you have a direct contract with the owner of the parent domain. However your domain registrar has that sort of contract and they need it to set the NS glue records for your domain in the parent domain. So in principle they should also be able to set the DS records there as well.

The workflows domain registrars currently have differ greatly. Some provide an API, others require a support ticket and sadly some don’t support this at all. This is a constant cause of pain and the reason CDS and CDNSKEY records are in the process of being standardised. They could automate all of this if implemented by all relevant parties. I do not know the process goDaddy uses for this as I have never used them. If you don’t find anything in their FAQ on the subject, I’d recommend contacting their support.

On the deSEC side, log into your account. In the list of domains click on the (i) button on the right. All of the relevant information is shown in the window that opens. The parent domain needs the DS record(s). However some systems want the DNSKEY from which the DS record(s) can be calculated. It depends on the parent domain and your registrar which info they need. And sometimes a registrar wants the individual fields of the records separately. But that is fairly easy to provide with the info shown in the deSEC interface.

Good luck!
fiwswe
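The two posts above describe the chain of trust in words: the parent zone's DS record is a digest of the child's DNSKEY, and the DS can be calculated from the DNSKEY when a registrar only accepts one of the two. The script below is an added example (not deSEC's code and not something from this thread) that does exactly that calculation per RFC 4034: it takes a DNSKEY in presentation format, computes the key tag and the SHA-256 DS digest over the canonical owner name plus the DNSKEY RDATA, and checks a published DS against a key. The owner name `example.com.` and the DNSKEY `257 3 13 AAECAw==` are constructed toy values (the key bytes are not a real ECDSA key) so that it runs offline; substitute the DNSKEY shown in the deSEC (i) window to check what your registrar published.

```python
"""Compute and verify a DS record from a DNSKEY (RFC 4034 section 5.1.4, Appendix B).

Added example, not deSEC's code. The owner name and DNSKEY below are
constructed toy values so the script runs offline without a real zone.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name(owner: str) -> bytes:
    """Wire-format owner name in canonical (lowercased) form, RFC 4034 section 6.2."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"  # zero-length root label terminates the name


def parse_dnskey(presentation: str) -> bytes:
    """Turn 'FLAGS PROTOCOL ALGORITHM BASE64KEY' into DNSKEY RDATA wire bytes."""
    flags, proto, algo, *key_parts = presentation.split()
    public_key = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(proto), int(algo)) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, dnskey_rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    h = DIGEST_ALGOS[digest_type]()
    # The DS digest covers the canonical owner name followed by the DNSKEY RDATA.
    h.update(canonical_name(owner) + dnskey_rdata)
    return {
        "key_tag": key_tag(dnskey_rdata),
        "algorithm": dnskey_rdata[3],  # algorithm byte of the DNSKEY RDATA
        "digest_type": digest_type,
        "digest": h.hexdigest().upper(),
    }


def ds_matches(owner: str, dnskey_rdata: bytes, ds: dict) -> bool:
    """True if a DS published in the parent zone really points at this DNSKEY."""
    expected = ds_record(owner, dnskey_rdata, ds["digest_type"])
    return (
        expected["key_tag"] == ds["key_tag"]
        and expected["algorithm"] == ds["algorithm"]
        and expected["digest"] == ds["digest"].upper()
    )


# Constructed toy DNSKEY: flags 257 (KSK with SEP bit), protocol 3,
# algorithm 13 (ECDSAP256SHA256), public key bytes 00 01 02 03. Not a real key.
TOY_OWNER = "example.com."
TOY_DNSKEY = "257 3 13 AAECAw=="


def toy_ds() -> dict:
    """DS record for the constructed toy key above."""
    return ds_record(TOY_OWNER, parse_dnskey(TOY_DNSKEY))


if __name__ == "__main__":
    ds = toy_ds()
    print(f"{TOY_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

A mismatch in any of the three fields compared by `ds_matches` is the "wrong DS record" case: the parent then points at a key the zone is not signed with, and validating resolvers cannot build the chain.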

This goDaddy support page may help:
Edit a DS record

Hi fiwswe,

If you don’t set any DS records, DNS resolution works normally; the resolver will just not set the AD (authenticated data) bit in the response.

If you set the wrong DS record, then the result will be SERVFAIL.

In no event can the DNSSEC configuration lead to unexpected NXDOMAIN.

Yes, we would appreciate if GoDaddy customers would let them know that there is demand for DS automation using CDS/CDNSKEY records.

Stay secure,
Peter


Thanks for the correction!

I was under the impression that validating resolvers would fail to resolve any entries for the domain when the chain of trust is not connected, i.e. the DS records are not set in the parent zone. I have just tested this with a domain I was planning to migrate to deSEC anyway and indeed, name resolution works fine in this situation with any resolver I tested, including 8.8.8.8, 1.1.1.1, my own local unbound(8) and the default resolver my Internet provider tells me to use.

That does make the migration much easier than I thought, as there is no outage while I hassle the registrar's support team to pretty please set the DS records.

fiwswe
