Check with a tool such as DNSViz to see if DNSSEC is correctly set up.
BTW: The public key is published in the DNS system. No need to hide it as it would be very hard to get any useful information from that, without first knowing the domain name.
Hopefully that is a typo? The NS should be: ns1.desec.io., ns2.desec.org.
You can't have a CNAME at the domain apex (if that is what you are trying to do). Having a wildcard (*) subdomain with a CNAME precludes other subdomains, such as for your LAN hosts.
The documentation specifically describes how to set up dynDNS with a FRITZ!Box: Example: Fritz!Box Devices
The AAAA record updated by the FRITZ!Box is only good if you want to reach the FRITZ!Box itself. To reach LAN clients via IPv6 more work is needed.
The notation is "type subname value", so type=CNAME, subname=*, value="mydomain.de": Make every subdomain that doesn't exist the same as mydomain.de.
That is incorrect. The rules for wildcard records are actually complicated, but broadly speaking, a wildcard CNAME can safely coexist with specific subdomains.
example.com. 3600 IN A 198.51.100.42
*.example.com. 3600 IN TXT "wildcard"
www.sub.example.com. 3600 IN A 198.51.100.43
Some domains with a TXT record: sub2.example.com test.sub2.example.com a.long.list.of.labels.example.com
Some domains without TXT record: sub.example.com another.sub.example.com
Note that sub.example.com has no other records either, and another.sub.example.com is never even mentioned and has no records, but descends from sub.example.com, and that exists because of the A record on www.sub.example.com, so the wildcard doesn't apply to sub.example.com and anything below it. (Actually sub.example.com exists but has no records, another.sub.example.com has no records because it's NXDOMAIN).
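Added example (not from the thread): a small Python model of the RFC 4592 wildcard rules, run against the three-record zone quoted above. The zone data is constructed from the records in the post; the function names are my own.

```python
"""Model of how an authoritative server decides whether a wildcard applies.

Rule of thumb (RFC 4592): a wildcard is only used when the queried name does
NOT exist, and the nearest existing ancestor (the "closest encloser") owns a
"*" child.  A name that owns no records but has descendants still exists as an
empty non-terminal, which is why sub.example.com blocks the wildcard.
"""
from typing import Dict, List, Tuple

# Constructed zone: the three records from the post, keyed by owner name.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com.": [("A", "198.51.100.42")],
    "*.example.com.": [("TXT", '"wildcard"')],
    "www.sub.example.com.": [("A", "198.51.100.43")],
}
ORIGIN = "example.com."


def _ancestors(name: str) -> List[str]:
    """Names from `name` itself up to the zone origin, longest first."""
    labels = name.rstrip(".").split(".")
    origin_len = len(ORIGIN.rstrip(".").split("."))
    return [".".join(labels[i:]) + "." for i in range(len(labels) - origin_len + 1)]


def _exists(name: str) -> bool:
    """True if the name owns records or is an empty non-terminal."""
    return any(owner == name or owner.endswith("." + name) for owner in ZONE)


def lookup(qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Return (status, rdata list) for a query against ZONE (qname under ORIGIN)."""
    qname = qname.rstrip(".") + "."
    # The name exists (possibly empty): answer from it, never from a wildcard.
    if _exists(qname):
        rrs = [v for t, v in ZONE.get(qname, []) if t == qtype]
        return ("NOERROR" if rrs else "NODATA", rrs)
    # Otherwise walk up to the closest encloser and look for its "*" child.
    for anc in _ancestors(qname)[1:]:
        if _exists(anc):
            wildcard = "*." + anc
            if wildcard not in ZONE:
                return ("NXDOMAIN", [])
            rrs = [v for t, v in ZONE[wildcard] if t == qtype]
            return ("NOERROR" if rrs else "NODATA", rrs)
    return ("NXDOMAIN", [])
```

Querying TXT for sub2.example.com and a.long.list.of.labels.example.com is synthesized from the wildcard, sub.example.com answers NODATA, and another.sub.example.com is NXDOMAIN, matching the post.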
I know that this is a public and not a private key but safe is safe;)
This is a typo problem: every time I would like to add a "." at the end, Netcup does not save the changes.
I would like to put my reverse proxy caddy behind the Fritzbox. I would also like to use my main domain and subdomains. So what do you think? Is it possible to point a CNAME Wildcard Record to my main domain?
And do I have to set the A-Record manually when it should be automatically changed by the api? I have to reference it, so it has to be set, right?
Thank you. I am new to this and you have already helped me a lot.
Assuming that you are on a typical home setup with dynamic IPs then you will need to adjust the DNS A record when your public IP changes if you want the hostname to correctly resolve. That is what dynDNS is supposed to solve.
If you only care about the IPv4 address then set up your FRITZ!Box to update the A record automatically. Set up port forwarding to your LAN host on the FRITZ!Box and configure your service there.
What you do with the wildcard subdomains or CNAMEs is a separate issue.
And of course the first step would be to make sure DNSSEC is set up correctly.
Possible, sure. The question is, what problem will this solve?
My recommendation: Take this one step at a time:
DNSSEC
dynDNS
Any wildcard subdomain/CNAME juggling you want to do.
And BTW: The dynDNS IP Update API works fine on a subdomain. You don't have to set the A/AAAA records at the domain apex if you don't want to. So you may not need any wildcard subdomain/CNAME at all.
Okay, I have started from scratch. The first screenshot from above shows my config. I have not changed anything there at all. I have deleted all entries in the deSEC interface. That is my result with the DNSSEC test:
When I check the nameservers with MXToolBox DNS Lookup, it says "Sorry, we couldn't find any name servers for mydomain.de". What am I doing wrong?
Without knowing the actual domain name we can only speculate. The lines in the screenshot referencing netcup nameservers indicate that the domain is not even delegated to deSEC yet.
Now netcup might or might not offer DNSSEC themselves. I have no info about that. But if you want to use their nameservers and their DNSSEC then you are discussing this in the wrong forum. The same goes for some sort of dynDNS support. Since we are discussing this here, the assumption is that you want to use deSEC.
Things to check:
Verify which nameservers are authoritative for the domain (dig domainname ns or dig domainname soa should give the answer). If you want to use deSEC then these should be ns1.desec.io, ns2.desec.org. Note that setting the NS records in the zone at your current provider (netcup) is not enough. The domain must be delegated to deSEC, i.e. the NS delegation records must be set in the parent zone (.de). Most domain registrars allow delegation to different nameservers in their web UIs.
To get DNSSEC to work (once the authoritative nameservers support that) the DS records must be set, again in the parent zone (.de). Again the domain registrar will need to communicate with the .de registry to do this, as the domain owner (you) doesn't have a direct contractual relationship with the registry.
Hint: In my experience with multiple domain registrars the .de registry wants the DNSKEY values not the DS values for setting the DS records. Consequently the domain registrar will also want this value to handle setting the DS records in the parent zone.
In summary:
Delegate the domain to deSEC.
Get DNSSEC working (DS records in the parent zone).
I would like to use desec. I have written to the Netcup support team and they mentioned the .de registrar proof domain: https://nast.denic.de/ I put in the desec domains and have no issues. So I think I have to wait until netcup has configured it.
Ok. So if you have problems getting their documented methods to work, contacting their support is the correct way to solve this. Let's wait until the domain has been delegated to deSEC.
Just chiming in as a Netcup customer. The Netcup side setup looks about right to me. Mine seems to be identical and my domains got delegated to deSEC without any issues.
I don't recall how long it took for the changes to propagate, but it wasn't excessively long.
Okay it was a problem on the side of netcup. The support has fixed it. Now the correct nameservers are set.
Now it is time to continue with DynDns. I am not sure how to do it.
First possible config: Set DynDNS up with my apex domain. Then create CNAME records to the apex domain. But I have read that CNAME entries to the apex should not be set. This is what you have already mentioned above (cf. CNAME limitations paragraph: Why a domain's root can't be a CNAME - and other tidbits about the DNS).
Second possible config: Set DynDNS up with a subdomain. Then refer CNAME entries to it. This is maybe the better configuration because you should not set CNAME records to the apex. But is it possible to use DynDNS with a subdomain which has no explicit record set in the deSEC interface?
Not sure if this is a misunderstanding or not. You can not set a CNAME on the domain apex itself. But you can set a CNAME to point to the domain apex. E.g. for the domain example.com:
@ 3600 IN CNAME sub.example.com. (this is not allowed! And it does not matter where the CNAME points to.)
sub 3600 IN CNAME example.com. (this is fine.)
I know that. I have not phrased it correctly. I meant it like you, but should I use a subdomain or the main domain to point to my home IP with DynDNS?
I think I am going to test it with a sub and refer with CNAME to this sub.