CNAME for 3rd-level .dedyn.io subdomain

Hello,

I tried to set a CNAME for one of my .dedyn.io subdomains:

$ curl -X POST https://desec.io/api/v1/domains/EXAMPLE.dedyn.io/rrsets/ \
	--header "Authorization: Token MYTOKEN" \
	--header "Content-Type: application/json" \
	--data '{"subname":"","type":"CNAME","ttl":3600,"records":["EXAMPLE.github.io."]}'

{"detail":"RRset EXAMPLE.dedyn.io. IN CNAME: Conflicts with pre-existing RRset"}

I made sure there are no A or AAAA records, and I even deleted the autogenerated NS record. Still not possible to set CNAME. Setting the CNAME for a subdomain of my .dedyn.io subdomain works fine.

Any ideas?

Hi mihi,

Welcome to deSEC :slight_smile:

Direct child domains of dedyn.io, such as EXAMPLE.dedyn.io, are independent zones. As such, they have their own SOA, DNSKEY and other metadata records (which we manage automatically), and as a consequence, it is not possible to use CNAME at the main level of your domain (the so-called zone apex). For a detailed explanation, take a look at this ISC post.

There is a workaround called ANAME or ALIAS, but it comes with complications as far as DNSSEC is concerned. We have done some brainstorming on how to support ALIAS.

I’m interested to know what is your use case though. Why would you not want to set your dynDNS IP records directly on EXAMPLE.dedyn.io?

Stay secure,
Peter
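The coexistence rule behind that error message, as an added example that is not part of the original posts and is not deSEC's own code: a CNAME must be the only data at its owner name (RFC 1034 section 3.6.2, RFC 2181 section 10.1), with RRSIG and NSEC as the DNSSEC exceptions (RFC 4035 section 2.5). The function name, the zone contents and the names `blog` and `pages` are constructed for illustration.

```python
# Added illustration: model of the CNAME coexistence check, not deSEC's implementation.
# Types that may sit next to a CNAME in a signed zone (RFC 4035 section 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}


def normalize(name):
    """Lower-case the name and make it fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def cname_conflicts(zone_rrsets, owner, rtype):
    """Return the existing types at `owner` that forbid adding `rtype`.

    zone_rrsets: iterable of (owner_name, type) pairs, including records the
    provider manages automatically. An empty list means there is no conflict.
    """
    owner = normalize(owner)
    present = {t.upper() for n, t in zone_rrsets if normalize(n) == owner}
    rtype = rtype.upper()
    if rtype == "CNAME":
        # A CNAME must be the only data at its name (DNSSEC metadata aside).
        blocking = present - ALLOWED_WITH_CNAME - {"CNAME"}
    elif rtype in ALLOWED_WITH_CNAME:
        blocking = set()
    else:
        # No other data may be added where a CNAME already exists.
        blocking = present & {"CNAME"}
    return sorted(blocking)


# Constructed sample zone: the apex after A, AAAA and NS were deleted.
# SOA and DNSKEY are managed automatically at the apex, so they remain.
ZONE = [
    ("example.dedyn.io.", "SOA"),
    ("example.dedyn.io.", "DNSKEY"),
    ("example.dedyn.io.", "RRSIG"),
    ("example.dedyn.io.", "NSEC"),
    ("pages.example.dedyn.io.", "CNAME"),
    ("pages.example.dedyn.io.", "RRSIG"),
    ("pages.example.dedyn.io.", "NSEC"),
]

if __name__ == "__main__":
    for name in ("EXAMPLE.dedyn.io", "blog.example.dedyn.io"):
        hits = cname_conflicts(ZONE, name, "CNAME")
        print(name, "CNAME ->", "conflicts with " + ", ".join(hits) if hits else "ok")
```

The apex request is blocked by SOA and DNSKEY even with no A, AAAA or NS present, while a name below the apex has no such records and accepts the CNAME.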

Thanks for the reply.

I read about ALIAS in the documentation, but for me it was no option since as far as I know, for GitHub pages it is required to have CNAMEs.

My use case: A GitHub user (or organization) can host one website with GitHub Pages by using his USERNAME.github.io subdomain. If they want to host more than one website (from different Git repositories) they would need their own DNS name for that, which needs to be a CNAME to the correct USERNAME.github.io (to verify domain ownership when setting it up, as well as to make the website work). Another option would be to create your own organization per website, but that makes your repo management cumbersome.

So far I used subdomains from freedns.afraid.org for that, but they do not support DNSSEC, so I tried to use dedyn.io subdomains instead.

So I am not using the “dyndns” aspect of dedyn.io subdomains here, only the “freedns” aspect.

But I can as well grab a short third-level domain (which I have done now) and put my GitHub Pages subdomains below that one.

Thank you for explaining. Yes, the apex of domains directly under dedyn.io is intended for dynDNS usage, and your use case is currently not covered.

Your workaround is a viable solution (just like, alternatively, registering a conventional domain name with some registrar and then putting CNAME records on its subdomains).

So far I used subdomains from freedns.afraid.org for that, but they do not support DNSSEC, so I tried to use dedyn.io subdomains instead.

That is not the only thing AFRAID’ORG does NOT support, I am afraid.

Hmm, is this on-topic enough for you to “desecrate” this old thread?

Well, if I can nudge 1 single user to not waste their time on afraid.org, but rather on DeSec.io or 1984.is, my effort was well worth it :wink: