I have registered a subdomain for DynDNS under dedyn.io, say
test.dedyn.io, and use it for AAAA records updated via update6.dedyn.io.
Now I would like to add a few subdomains under my primary domain, say
singapore.test.dedyn.io, and update those dynamically with DynDNS as I did before with the primary domain.
However, when trying to update those subdomains, I receive the following error message from the API:
Domain not eligible for dynamic updates, please contact support.
Furthermore, how do I get DNSSEC to work for those two new subzones?
Thanks for your question, and welcome to deSEC!
dynDNS updates set a TTL of 60 seconds on the
However, zones created with deSEC currently have a minimum TTL of 3600 seconds, to reduce the load on our slaves. (We implemented an exception that direct child zones of dedyn.io have a minimum TTL of 60; we may later extend that automatic policy to cover sub-subzones as well.)
To use a forth-level domain under dedyn.io for dynDNS (or any other custom domain, for that matter), we are happy to lower the minimum TTL for your domain. Please shoot us an email with your domain name so that we can change the setting for you.
UPDATE (February 2021): We now support using the dynDNS update inferface on custom domains and on subdomains out of the box. You can use the full domain name (including subdomain) as the update username, and an API token as the update password. (Please note that if you want multiple subdomains always pointing at the same IP, it will be more efficient to create
CNAME records for the subdomains using our web interface.) For details, see the docs. /update
DNSSEC for sub-subzones
Also, please note that when creating a zone, the parent zone needs to be configured with the child zone’s
DS records in order to establish the DNSSEC chain of trust. For direct child zones of dedyn.io, this is currently done automatically; for sub-subzones, that is not the case.
To establish the chain of trust, retrieve your sub-subzone’s public DNSSEC keys from our API (
GET /api/v1/domains/<name>/) and create
DS records with these values in your 3rd level zone. You can use Verisign’s DNSSEC Analyzer to check if everything is set up properly.
can you please help me with the last step of your solution-description:
- I created a domain - e.g.
mydomain.dedyn.io (via your web-interface)
- I created a subdomain - e.g.
myservice.mydomain.dedyn.io (via your web-interface)
- I read the ds records of
myservice.mydomain.dedyn.io using the API
- I added the ds records of
myservice.mydomain.dedyn.io as “DS” records to
mydomain.dedyn.io (via your web-interface) & set the TTL of those records to 60s. The strange thing is that the additional ds records can be seen in the “edit” dialog, but not in the “info” dialog, and not in the API-response.
… I still get the “domain not eligible for dynamic updates”
… what am I missing? … is it the TTL of 3600 of
myservice.mydomain.dedyn.io which you would to set for me manually to 60s (by sending a mail)?
… and a question regarding my ddclient.conf:
is it ok if I use the
mydomain.dedyn.io as login and have both domains listed:
… or shall I split it up into two login entries (using the same password)
Thanks for your message, and welcome to deSEC!
Your conclusion about the TTL is correct: deSEC support can fix this for you.
Regarding the ddclient configuration: We do not accept several domain names in one request. It thus depends on how ddclient treats the combined configuration: If it sends only one request containing two domains, it will not work. However, if ddclient splits things into two requests, the “combo configuration” may work.
Hi to all,
here is the summary of how i got it working:
- [WebInterface] Create a domain - e.g.
- [WebInterface] Create a subdomain - e.g.
- [WebInterface or API] Read the “DS” records of
- [Webinterface] Add the (three) DS records of
myservice.mydomain.dedyn.io as DS records to
- [Webinterface] Add an “NS” record in
myservice, Hostname(s): the Hostnames of the “NS” record of
6) [Mail]: To the desec support with the request to set the TTL of the NS records of
myservice.mydomain.dedyn.io from 3600s to 60s
For the ddclient configuration I use a workaround:
- different ddclient configurations (one for each domain/subdomain) which I run at different times.
There is most probably a better solution to this … but I haven’t found it yet.
P.S. in addition to the Verisign DNSSEC Analyzer i found the DNSVisz tool from Verisign very helpful