Multiple deSEC Domains going to one shared Website-Hosting - best way?


we’ve just started using deSEC and have to say thanks for the great product and service! It’s a decent product!

As a family we do have several domains which we mainly use as mail-domains. Therefore we do have a website which only shows, that this is a domain which is used for mail-only.

When using deSEC as nameservers we cannot use our old Netcup Standard-Webhosting as Domains are coupled to use the Netcup Mailservers.
After changing to deSEC this is not possible anymore.

We’re now searching for a solution/way to host a simple website (only a few lines of code) for all those domains.
Is there any way to do it in a simple way?

What we don’t want:
When using a small Hetzner server we do have a dedicated IP and everyone with knowledge can see what other domains are hosted under that IP. That’s a thing we don’t want!
We want some kind of shared hosting linked to our domains which are hosted with deSEC.

I hope it was reasonably clear what I am talking about and I hope that it can be implemented?

Your question really has nothing to do specifically with deSEC. Your issues would probably be the same with any other non-Netcup DNS service if I understood your description of their services correctly. And your actual question seems to be about web hosting which is not something deSEC e.V. does.

But to give some advice:
When you are hosting a web server you probably want HTTPS and that requires a certificate.

When you create a (non-self-signed) certificate the data is published so all of the host names mentioned in that certificate become public. I have seen the first requests to hosts for which I created a new certificate come in within a few minutes of certificate creation, so this data is being monitored and used. Thus I would assume that there are services that also determine and collate IP addresses for these hostnames and can then easily figure out, that the same IP is used for multiple hostnames. Add to that scanners such as Shodan et al. that regularly scan most of the Internet.

Even if you use a separate certificate for each hostname, that only makes getting the information slightly harder, but certainly not impossible.

So there really is no way to keep this information private. The best you could do is hide in plain site by getting a cheap account at a web hosting provider that regularly hosts hundreds of sites on the same host/ip. (In your case this would be fine since performance seems to be a very low priority for your simple websites.)

Of course you could also simply not implement a web server for each of your domains. Email service does not require a web server. But that would not really help because your MX records are public as well. And if they all point to the same IP…

Your best bet is to assume that others can determine which hostnames point to your web server and plan your security strategy accordingly. Anything else is wishful thinking.


Do I understand correctly?

  1. you have a shared webhosting package with netcup?

  2. you have domains that are connected to the mail function of this shared netcup web hosting?

  3. you want a website on which your email addresses are listed or a website on which your domains are listed and it is stated that these are used exclusively for mailing?

  4. you want to continue using netcup for your mail?

  5. you are with because?

  6. who is your domain host? Netcup?


I don’t use netcup mail hosting

simple a startpage saying this is a mail-domain

Never did and never want to. I want other mailproviders (but not a big deal because of MX Records, SPF and so on)

Love the service and want to have good/real DNSSEC support

Several hosts…

Today morning I found a solution. Just hosting my domains at Uberspace (there I can have as much external domains as I want).
Domain hosts don’t play a role - and if I want to (what I do) I can put the Nameservers to deSEC and have good/real DNSSEC support and so on.

But only if your domain provider also supports DNSSEC and you can enter DS records via DNS settings or your domain provider is willing to do this for you.

At least as I understand it, simply entering the deSEC name servers in the DNS settings of your domain does not mean that the parent zone of your domain will also be updated.

Unfortunately, this is indeed correct for most parents. There are some TLDs who install DS records automatically via RFC 8078 and optionally draft-ietf-dnsop-dnssec-bootstrapping, but so far that’s only about 10, and .de is not amongst them. See this list: GitHub - oskar456/cds-updates: Info about CDS update support

Stay secure,