but asking the Cloudflare nameservers we get an IP address, which you can successfully use if you change your hosts file to resolve “desecforumquestioncloudflare.dedyn.io” without asking your usual DNS server.
```
; <<>> DiG 9.10.6 <<>> AAAA desecforumquestioncloudflare.dedyn.io @eve.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5747
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;desecforumquestioncloudflare.dedyn.io. IN AAAA

;; ANSWER SECTION:
desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3121::3
desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3120::3

;; Query time: 21 msec
;; SERVER: 2606:4700:50::a29f:26cc#53(2606:4700:50::a29f:26cc)
;; WHEN: Thu Nov 10 13:05:06 CET 2022
;; MSG SIZE rcvd: 122
```
Watching the AAAA results for the domain, you can see another strange thing (at the time of writing it looks like this):
[Screenshot: AAAA addresses]
In my previous experiments with this configuration, I was able to see how this list slowly filled up with IPv6 addresses until it started draining again, ending with an empty list.
I have the suspicion that there is a problem with DNSSEC, resulting in the behavior that DNS servers add the IP address and then, after detecting that the entries could not be verified by DNSSEC, decide to remove the entry again.
You can see it here:
In my understanding (not sure): to make this possible, you would not have to edit the NS record in the DNS zone desecforumquestioncloudflare.dedyn.io, but the NS record for the subdomain desecforumquestioncloudflare in the DNS zone dedyn.io.
I don’t think deSEC allows that (that would also go against the idea of what dynDNS is supposed to be, so you wouldn’t be doing dynDNS anymore). Presumably it makes sense to buy a real domain for this?
Alternatively, one would have to set up DNSSEC completely and correctly.
For that you would have to:
Enable DNSSEC for the DNS zone desecforumquestioncloudflare.dedyn.io at Cloudflare. According to dig, this is not the case at the moment.
```
$ dig +short @eve.ns.cloudflare.com desecforumquestioncloudflare.dedyn.io dnskey
# no data is returned
```
The DNSSEC signature would then have to be deposited in the parent(!) zone. There is currently a DS record stored that probably does not fit Cloudflare (to query the parent zone, you need to use the NS of the parent, in this case @ns1.desec.io).
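The DS-versus-DNSKEY comparison the reply above describes, as an added example that is not part of this thread and not code from deSEC or Cloudflare: it derives the DS a parent should hold from a child DNSKEY (key tag and digest per RFC 4034, SHA-256 digest type per RFC 4509) and reports, for each DS the parent publishes, whether any DNSKEY the child serves matches it. Everything in it is constructed: the two keys are made-up byte strings rather than real key material, and the sample record lines stand in for what "dig DNSKEY @eve.ns.cloudflare.com" and "dig DS @ns1.desec.io" would print for the zone.

```python
"""Compare the DS record(s) a parent zone publishes with the DNSKEY record(s)
the child's nameservers serve (RFC 4034 section 5, RFC 4509). All record data
below is constructed for illustration; nothing was fetched from DNS."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    key: bytes  # raw public key, i.e. the base64 field decoded

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B; not valid for the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent must publish for this DNSKEY: digest(canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DS covers a DNSKEY only if key tag, algorithm, digest type and digest all agree."""
    if ds.digest_type not in DIGEST_ALGS:
        return False  # a digest type we cannot compute can never validate
    return ds == ds_from_dnskey(owner, key, ds.digest_type)


def parse_dnskey(line: str) -> tuple:
    """Parse a presentation-format DNSKEY line as dig prints it (base64 may be split by spaces)."""
    owner, _ttl, _cls, _type, flags, proto, alg, *b64 = line.split()
    return owner, DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(line: str) -> tuple:
    """Parse a presentation-format DS line as dig prints it (hex digest may be split by spaces)."""
    owner, _ttl, _cls, _type, tag, alg, dtype, *hexdigest = line.split()
    return owner, DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexdigest)))


def check_delegation(ds_lines, dnskey_lines) -> dict:
    """For every DS the parent publishes: does some DNSKEY served by the child match it?"""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    report = {}
    for ds_owner, ds in (parse_ds(l) for l in ds_lines):
        report[ds.key_tag] = any(
            canonical_name(ds_owner) == canonical_name(k_owner) and ds_matches(ds_owner, ds, key)
            for k_owner, key in keys
        )
    return report


def presentation_dnskey(owner: str, key: DNSKEY) -> str:
    return f"{owner} 300 IN DNSKEY {key.flags} {key.protocol} {key.algorithm} {base64.b64encode(key.key).decode()}"


def presentation_ds(owner: str, ds: DS) -> str:
    return f"{owner} 3600 IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex()}"


ZONE = "desecforumquestioncloudflare.dedyn.io."
# Constructed key material (not real keys): the KSK the child currently serves, and an
# older KSK whose DS is still the one stored in the parent zone.
CURRENT_KEY = DNSKEY(257, 3, 13, bytes(range(1, 65)))
STALE_KEY = DNSKEY(257, 3, 13, bytes(range(64, 0, -1)))
# Stand-ins for the DNSKEY answer from the child's NS and the DS answer from the parent's NS.
CHILD_DNSKEY_LINES = [presentation_dnskey(ZONE, CURRENT_KEY)]
PARENT_DS_LINES = [presentation_ds(ZONE, ds_from_dnskey(ZONE, STALE_KEY))]

if __name__ == "__main__":
    for tag, ok in check_delegation(PARENT_DS_LINES, CHILD_DNSKEY_LINES).items():
        print(f"DS key tag {tag}: {'covered by a child DNSKEY' if ok else 'no matching DNSKEY, chain of trust broken'}")
```

With real data you would paste the DNSKEY lines answered by the child's nameserver and the DS lines answered by the parent's nameserver into the two lists; a DS whose key tag or digest matches no served DNSKEY is exactly the "does not fit" situation the reply describes, and a validating resolver will treat the zone as bogus until the parent's DS is replaced or the child publishes the matching key.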