DynDNS with subzones under dedyn.io

I have registered a subdomain for DynDNS under dedyn.io, say test.dedyn.io, and use it for AAAA records updated via update6.dedyn.io.

Now I would like to add a few subdomains under my primary domain, say berlin.test.dedyn.io and singapore.test.dedyn.io, and update those dynamically with DynDNS as I did before with the primary domain.

However, when trying to update those subdomains, I receive the following error message from the API:

Domain not eligible for dynamic updates, please contact support.

Furthermore, how do I get DNSSEC to work for those two new subzones?

Hi jnsp,

Thanks for your question, and welcome to deSEC! 🙂

dynDNS updates set a TTL of 60 seconds on the A and AAAA records. However, zones created with deSEC currently have a minimum TTL of 3600 seconds, to reduce the load on our slaves. (We implemented an exception that direct child zones of dedyn.io have a minimum TTL of 60; we may later extend that automatic policy to cover sub-subzones as well.)

To use a fourth-level domain under dedyn.io for dynDNS (or any other custom domain, for that matter), we are happy to lower the minimum TTL for your domain. Please shoot us an email with your domain name so that we can change the setting for you.

UPDATE (February 2021): We now support using the dynDNS update interface on custom domains and on subdomains out of the box. You can use the full domain name (including subdomain) as the update username, and an API token as the update password. (Please note that if you want multiple subdomains always pointing at the same IP, it will be more efficient to create CNAME records for the subdomains using our web interface.) For details, see the docs. /update

DNSSEC for sub-subzones

Also, please note that when creating a zone, the parent zone needs to be configured with the child zone’s DS records in order to establish the DNSSEC chain of trust. For direct child zones of dedyn.io, this is currently done automatically; for sub-subzones, that is not the case.

To establish the chain of trust, retrieve your sub-subzone’s public DNSSEC keys from our API (GET /api/v1/domains/<name>/) and create DS records with these values in your 3rd level zone. You can use Verisign’s DNSSEC Analyzer to check if everything is set up properly.

Stay secure,
Peter

Hi,
can you please help me with the last step of your solution-description:

  • I created a domain - e.g. mydomain.dedyn.io (via your web-interface)
  • I created a subdomain - e.g. myservice.mydomain.dedyn.io (via your web-interface)
  • I read the ds records of myservice.mydomain.dedyn.io using the API
  • I added the ds records of myservice.mydomain.dedyn.io as “DS” records to mydomain.dedyn.io (via your web-interface) & set the TTL of those records to 60s. The strange thing is that the additional ds records can be seen in the “edit” dialog, but not in the “info” dialog, and not in the API-response.
    … I still get the “domain not eligible for dynamic updates”
    … what am I missing? … is it the TTL of 3600 of myservice.mydomain.dedyn.io which you would set for me manually to 60s (by sending a mail)?

… and a question regarding my ddclient.conf:
is it ok if I use the mydomain.dedyn.io as login and have both domains listed:
login=mydomain.dedyn.io
password='…'
mydomain.dedyn.io,myservice.mydomain.dedyn.io

… or shall I split it up into two login entries (using the same password)
login=mydomain.dedyn.io
password='…'
mydomain.dedyn.io

login=myservice.mydomain.dedyn.io
password='…'
myservice.mydomain.dedyn.io

Best regards!
Hari

Hi Hari,

Thanks for your message, and welcome to deSEC! 🙂

Your conclusion about the TTL is correct: deSEC support can fix this for you.

Regarding the ddclient configuration: We do not accept several domain names in one request. It thus depends on how ddclient treats the combined configuration: If it sends only one request containing two domains, it will not work. However, if ddclient splits things into two requests, the “combo configuration” may work.

Stay secure,
Peter

Hi to all,
here is the summary of how I got it working:

  1. [WebInterface] Create a domain - e.g. mydomain.dedyn.io
  2. [WebInterface] Create a subdomain - e.g. myservice.mydomain.dedyn.io
  3. [WebInterface or API] Read the “DS” records of myservice.mydomain.dedyn.io
  4. [WebInterface] Add the (three) DS records of myservice.mydomain.dedyn.io as DS records to mydomain.dedyn.io. Subname: myservice
  5. [WebInterface] Add an “NS” record in mydomain.dedyn.io: Subname: myservice, Hostname(s): the Hostnames of the “NS” record of myservice.mydomain.dedyn.io

For dynamicDns:

  6. [Mail] To the deSEC support with the request to set the TTL of the NS records of myservice.mydomain.dedyn.io from 3600s to 60s

For the ddclient configuration I use a workaround:

  • different ddclient configurations (one for each domain/subdomain) which I run at different times.
    There is most probably a better solution to this … but I haven’t found it yet.

Best regards!
Hari

P.S. In addition to the Verisign DNSSEC Analyzer I found the DNSViz tool from Verisign very helpful.
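
Steps 3 to 5 of the summary above, and the chain-of-trust paragraph earlier in the thread, as an added Python example (not part of any post and not deSEC's code): it derives the SHA-256 DS record from the sub-subzone's DNSKEY as RFC 4034 specifies and builds the DS and NS RRsets to create in the parent zone. The payload field names (subname, type, ttl, records) are an assumption about the RRset API, and the all-zero key and nameserver names are constructed placeholders.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) DNS wire encoding of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(dnskey):
    """Presentation format 'flags protocol algorithm base64key' -> wire RDATA."""
    flags, proto, alg, *key = dnskey.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum of the RDATA as 16-bit words, carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_from_dnskey(owner, dnskey):
    """DS record text (digest type 2, SHA-256) for a DNSKEY published at `owner`."""
    rdata = dnskey_rdata(dnskey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def delegation_rrsets(parent, child, dnskeys, nameservers, ttl=3600):
    """RRsets to create in `parent` so that `child` becomes a signed delegation."""
    if not child.endswith("." + parent):
        raise ValueError(f"{child} is not below {parent}")
    subname = child[: -len(parent) - 1]
    # Only keys with the SEP bit set (flags 257) anchor the chain of trust.
    seps = [k for k in dnskeys if int(k.split()[0]) & 1]
    if not seps:
        raise ValueError("no secure-entry-point DNSKEY to derive a DS from")
    return [
        {"subname": subname, "type": "DS", "ttl": ttl,
         "records": [ds_from_dnskey(child, k) for k in seps]},
        {"subname": subname, "type": "NS", "ttl": ttl,
         "records": [ns.rstrip(".") + "." for ns in nameservers]},
    ]

# Constructed sample input (not a real key): flags 257, protocol 3, algorithm 13.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(64)).decode()
SAMPLE_NS = ["ns1.example.net", "ns2.example.net."]  # placeholder nameserver names

if __name__ == "__main__":
    parent, child = "mydomain.dedyn.io", "myservice.mydomain.dedyn.io"
    for rrset in delegation_rrsets(parent, child, [SAMPLE_DNSKEY], SAMPLE_NS):
        print(rrset)
```

Compare the computed DS value with the one the API lists for the sub-subzone before publishing it in the parent; a mismatch means the wrong key or owner name was used and validation would fail.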