I added the domain as a new site to Cloudflare and changed the nameserver configuration (on the deSEC website) as Cloudflare asks me to do.
This worked and Cloudflare seems to be happy.
But asking the Cloudflare nameservers, we get an IP address which you can successfully use if you change your hosts-file configuration to resolve “desecforumquestioncloudflare.dedyn.io” without asking your usual DNS server.
; <<>> DiG 9.10.6 <<>> AAAA desecforumquestioncloudflare.dedyn.io @eve.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5747
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;desecforumquestioncloudflare.dedyn.io. IN AAAA
;; ANSWER SECTION:
desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3121::3
desecforumquestioncloudflare.dedyn.io. 300 IN AAAA 2a06:98c1:3120::3
;; Query time: 21 msec
;; SERVER: 2606:4700:50::a29f:26cc#53(2606:4700:50::a29f:26cc)
;; WHEN: Thu Nov 10 13:05:06 CET 2022
;; MSG SIZE rcvd: 122
Watching the AAAA results for the domain, you can see another strange thing (at the time of writing it looks like this: AAAA addresses - Screenshot):
In my previous experiments with this configuration I was able to see how this list was filling up slowly with IPv6 addresses until it started draining again, ending with an empty list.
I have the suspicion that there is a problem with DNSSEC, resulting in the behavior that DNS servers add the IP address and then, detecting that the entries could not be verified by DNSSEC, decide to remove the entry again.
You can see it here:
In my understanding (not sure): to make this possible, you would not have to edit the NS record in the DNS zone desecforumquestioncloudflare.dedyn.io, but the NS record for the subdomain desecforumquestioncloudflare in the DNS zone dedyn.io.
I don’t think deSEC allows that (that would also be against the idea of what dynDNS is supposed to be, so you wouldn’t be doing dynDNS anymore). Presumably it makes sense to buy a real domain for this?
Why do you think the configuration of the nameserver on the deSEC site is not sufficient?
Reading the results of the DNSSEC analyzer (DNSSEC Analyzer - desecforumquestioncloudflare.dedyn.io),
I think the IP addresses listed there are good:
➜ ~ curl desecforumquestioncloudflare.dedyn.io
502 Bad Gateway
Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared
In my understanding this means:
Cloudflare is taking care of the domain and publishes an IP address which points to the right tunnel.
Missing proper DNSSEC configuration stops the DNS servers from validating and therefore from accepting the configured IP address.
Either one would have to set up DNSSEC completely/correctly:
For that you would have to:
Enable DNSSEC for the DNS zone desecforumquestioncloudflare.dedyn.io at Cloudflare. According to dig this is not the case at the moment.
$ dig +short @eve.ns.cloudflare.com desecforumquestioncloudflare.dedyn.io dnskey
# no data is returned
The DNSSEC signature would then have to be deposited in the parent(!) zone. There is currently a DS record stored that probably does not fit Cloudflare (to query the parent zone, you need to use the NS of the parent, in this case: @ns1.desec.io).
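To check offline whether the DS record at the parent (dedyn.io, queried via @ns1.desec.io) actually covers the DNSKEY the child's nameserver publishes, the two `dig +short` outputs can be compared by recomputing the key tag and the SHA-256 DS digest from the DNSKEY. This is an added example, not code from deSEC or Cloudflare; the DNSKEY and DS below are constructed placeholders, not the real keys of the domain.

```python
"""Compare a parent-zone DS record with a child-zone DNSKEY (RFC 4034).
Key tag: Appendix B. DS digest (type 2): SHA-256(owner wire name | DNSKEY RDATA).
Sample records are constructed, not real Cloudflare or deSEC keys."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str) -> bytes:
    """'257 3 13 <base64>' (dig +short DNSKEY output) -> DNSKEY RDATA bytes."""
    flags, proto, alg, *key_parts = line.split()
    pubkey = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> str:
    """DS in dig +short form ('tag alg 2 hexdigest'); rdata[3] is the algorithm."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"


def ds_matches(ds_line: str, owner: str, dnskey_line: str) -> bool:
    """True if the parent's DS (dig +short DS output) covers this child DNSKEY."""
    tag, alg, dtype, *digest_parts = ds_line.split()
    if int(dtype) != 2:
        raise ValueError("only SHA-256 (digest type 2) DS records handled here")
    expected = ds_from_dnskey(owner, parse_dnskey(dnskey_line)).split()
    return [tag, alg, dtype, "".join(digest_parts).upper()] == expected


OWNER = "desecforumquestioncloudflare.dedyn.io."
# Constructed placeholder KSK: flags 257, protocol 3, algorithm 13, fake 64-byte key.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = ds_from_dnskey(OWNER, parse_dnskey(SAMPLE_DNSKEY))
# A DS left over from a previous signer (different key tag) must not match.
STALE_DS = " ".join(["12345"] + SAMPLE_DS.split()[1:])
```

Feed the real `dig +short @eve.ns.cloudflare.com <zone> DNSKEY` and `dig +short @ns1.desec.io <zone> DS` lines into `ds_matches` to see whether the stored DS belongs to the current key; a mismatch is exactly the broken chain a validating resolver rejects.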