Netcup Domain with DynDNS and Wildcard Subdomains

Hello there,

I would like to link my Netcup Domain to deSEC and from deSEC to my FritzBox.

  1. So I put in the two deSEC nameservers and set up DNSSEC as well. Is it set up correctly? The flags and the algorithm and IPv4 / IPv6 blank?

  2. Now I would like to link deSEC (dynDNS) to my Fritzbox, so that I can use wildcard subdomains. How can I achieve that?

My deSEC record sets are:
NS ns.desec.io. ns2.desec.org.
A CurrentExternalHomeIPv4
AAAA CurrentExternalHomeIPv6
CNAME * mydomain.de

  1. Is this setup the right way? Do the IPv4 and IPv6 change automatically?
  2. Is it now possible to link with the auth token to my Fritzbox? (Configuring your dynDNS Client — deSEC DNS API documentation)

Check with a tool such as DNSViz to see if DNSSEC is correctly set up.

BTW: The public key is published in the DNS system. No need to hide it as it would be very hard to get any useful information from that, without first knowing the domain name.

Hopefully that is a typo? The NS should be: ns1.desec.io., ns2.desec.org.

You can’t have a CNAME at the domain apex (if that is what you are trying to do). Having a wildcard (*) subdomain with a CNAME precludes other subdomains, such as for your LAN hosts.

The documentation specifically describes how to set up dynDNS with a FRITZ!Box: Example: Fritz!Box Devices

The AAAA record updated by the FRITZ!Box is only good if you want to reach the FRITZ!Box itself. To reach LAN clients via IPv6 more work is needed.

HTH
fiwswe

2 Likes

The notation is “type subname value”, so type=CNAME, subname=*, value=“mydomain.de”: Make every subdomain that doesn’t exist the same as mydomain.de.

That is incorrect. The rules for wildcard records are actually complicated, but broadly speaking, a wildcard CNAME can safely coexist with specific subdomains.

2 Likes

I wasn’t sure about the format used. So I thought to mention this in case that was the intention.

Hmm, you may be right. But there is also:

If a CNAME record is present at a node, no other data should be present;

→ CNAME record

Which one takes precedence?

RFC 4592 section 3.3.3 is supposed to clear this up but frankly, I can’t make sense of it right now.

However after some research I think you are correct. RFC 1034 section 4.3.3 specifies that an actual RRset takes precedence over a wildcard record.

I was able to confirm this in an experiment similar to the following as well.

example.com.       3600 IN A     198.51.100.42
*.example.com.     3600 IN CNAME example.com.
host1.example.com. 3600 IN A     198.51.100.43

A query for host1.example.com. A yielded 198.51.100.43. So I guess your interpretation is proven to be correct.

Thanks for the correction!

2 Likes

It gets weirder:

example.com.         3600 IN A     198.51.100.42
*.example.com.       3600 IN TXT   "wildcard"
www.sub.example.com. 3600 IN A     198.51.100.43

Some domains with a TXT record:
sub2.example.com
test.sub2.example.com
a.long.list.of.labels.example.com

Some domains without TXT record:
sub.example.com
another.sub.example.com

Note that sub.example.com has no other records either, and another.sub.example.com is never even mentioned and has no records, but descends from sub.example.com, and that exists because of the A record on www.sub.example.com, so the wildcard doesn’t apply to sub.example.com and anything below it. (Actually sub.example.com exists but has no records, another.sub.example.com has no records because it’s NXDOMAIN).

3 Likes
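The two experiments above (the explicit host1 A record beating the wildcard CNAME, and the empty non-terminal sub.example.com shutting the wildcard out for everything beneath it) can be reproduced with a small resolver model. This is an added example, not code from the thread or from deSEC: it implements the RFC 4592 closest-encloser rule over the two zone snippets quoted above, embedded here as constructed sample data, and is a model for reasoning about the rules, not a name server.

```python
"""Toy authoritative lookup implementing RFC 4592 wildcard rules.

Added example (not from the thread or from deSEC). The two zone snippets
are the ones quoted in the replies above, embedded as constructed data.
"""
from typing import Dict, List

Zone = Dict[str, Dict[str, List[str]]]  # owner -> rtype -> [rdata, ...]

# Zone from the CNAME experiment: an explicit host1 coexists with the wildcard CNAME.
ZONE_CNAME = """
example.com.       3600 IN A     198.51.100.42
*.example.com.     3600 IN CNAME example.com.
host1.example.com. 3600 IN A     198.51.100.43
"""

# Zone from the "it gets weirder" post: sub.example.com becomes an empty non-terminal.
ZONE_TXT = """
example.com.         3600 IN A     198.51.100.42
*.example.com.       3600 IN TXT   "wildcard"
www.sub.example.com. 3600 IN A     198.51.100.43
"""


def norm(name: str) -> str:
    """Canonical owner name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def parse_zone(text: str) -> Zone:
    """Parse 'owner ttl class type rdata' lines into a name-indexed zone."""
    zone: Zone = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        zone.setdefault(norm(owner), {}).setdefault(rtype.upper(), []).append(rdata.strip())
    return zone


def parent(name: str) -> str:
    return name.split(".", 1)[1] if "." in name else ""


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records OR some zone name lies beneath it
    (an empty non-terminal, RFC 4592 section 2.2.2)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def answer_from_node(owner: str, node: Dict[str, List[str]], qtype: str):
    """Build the answer for one node; a CNAME there shadows every other type."""
    if "CNAME" in node and qtype != "CNAME":
        return "CNAME", [(owner, "CNAME", v) for v in node["CNAME"]]
    if qtype in node:
        return "NOERROR", [(owner, qtype, v) for v in node[qtype]]
    return "NODATA", []


def lookup(zone: Zone, qname: str, qtype: str):
    """Return (status, [(owner, type, rdata), ...]) for a query against the zone."""
    qname, qtype = norm(qname), qtype.upper()
    if name_exists(zone, qname):
        # Exact match (possibly an empty non-terminal): the wildcard is never consulted.
        return answer_from_node(qname, zone.get(qname, {}), qtype)
    # Closest encloser: the longest existing ancestor of qname.
    encloser = parent(qname)
    while encloser and not name_exists(zone, encloser):
        encloser = parent(encloser)
    wildcard = "*." + encloser if encloser else "*"
    if wildcard in zone:
        # Synthesis: the wildcard's records are returned with qname as owner.
        return answer_from_node(qname, zone[wildcard], qtype)
    return "NXDOMAIN", []


def resolve(zone_text: str, qname: str, qtype: str):
    return lookup(parse_zone(zone_text), qname, qtype)


if __name__ == "__main__":
    for name in ["host1", "foo"]:
        print(name, resolve(ZONE_CNAME, f"{name}.example.com", "A"))
    for name in ["sub2", "test.sub2", "a.long.list.of.labels", "sub", "another.sub"]:
        print(name, resolve(ZONE_TXT, f"{name}.example.com", "TXT"))
```

Running it gives NOERROR with the wildcard TXT for sub2, test.sub2 and the long name, NODATA for sub (it exists, but only because www.sub does) and NXDOMAIN for another.sub, because its closest encloser is sub.example.com and there is no *.sub.example.com; only the wildcard directly under the closest encloser is ever considered.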

IPv6 has no priority. So it is a task for later.

I know that this is a public and not a private key but safe is safe ;)

This is a typo problem every time I would like to add a . at the end. Netcup does not save the changes.

I would like to put my reverse proxy caddy behind the Fritzbox. I would also like to use my main domain and subdomains. So what do you think? Is it possible to point a CNAME Wildcard Record to my main domain?
And do I have to set the A-Record manually when it should be automatically changed by the api? I have to reference it, so it has to be set, right?

Thank you. I am new to this and you have already helped me a lot.

Assuming that you are on a typical home setup with dynamic IPs then you will need to adjust the DNS A record when your public IP changes if you want the hostname to correctly resolve. That is what dynDNS is supposed to solve.

If you only care about the IPv4 address then set up your FRITZ!Box to update the A record automatically. Set up port forwarding to your LAN host on the FRITZ!Box and configure your service there.

What you do with the wildcard subdomains or CNAMEs is a separate issue.

And of course the first step would be to make sure DNSSEC is set up correctly.

Possible, sure. The question is, what problem will this solve?

My recommendation: Take this one step at a time:

  1. DNSSEC
  2. dynDNS
  3. Any wildcard subdomain/CNAME juggling you want to do.

And BTW: The dynDNS IP Update API works fine on a subdomain. You don’t have to set the A/AAAA records at the domain apex if you don’t want to. So you may not need any wildcard subdomain/CNAME at all.

2 Likes
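For a host that is not the FRITZ!Box itself (the Caddy reverse proxy mentioned above, for instance), the same update can be sent by a small script. This is an added example, not the thread's or deSEC's own client; the endpoint, the hostname/myipv4/myipv6 parameters and the token-based Authorization header are taken from the linked "Configuring your dynDNS Client" documentation as I read it, so verify them against the docs. The hostname home.example.org is a placeholder; the point is that it is a subdomain, not the apex.

```python
"""Update the A/AAAA record of a deSEC-hosted name via the dynDNS update API.

Added example (not from the thread, not deSEC's own client). Endpoint and
parameter names are assumed from the deSEC dynDNS documentation; check them
there before relying on this. The hostname may be a subdomain.
"""
import ipaddress
import os
import urllib.parse
import urllib.request

UPDATE_URL = "https://update.dedyn.io/"  # assumed from the deSEC docs


def build_update_request(hostname, token, ipv4=None, ipv6=None):
    """Return (url, headers) for one update; addresses are validated before leaving the host."""
    if not ipv4 and not ipv6:
        raise ValueError("need at least one of ipv4/ipv6")
    params = {"hostname": hostname}
    if ipv4:
        params["myipv4"] = str(ipaddress.IPv4Address(ipv4))  # raises on garbage input
    if ipv6:
        params["myipv6"] = str(ipaddress.IPv6Address(ipv6))
    url = UPDATE_URL + "?" + urllib.parse.urlencode(params)
    # The token is a secret: it only ever travels inside an HTTPS request header.
    headers = {"Authorization": "Token " + token}
    return url, headers


def send_update(hostname, token, ipv4=None, ipv6=None, timeout=10):
    """Perform the update and return (HTTP status, response body)."""
    url, headers = build_update_request(hostname, token, ipv4, ipv6)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip()


if __name__ == "__main__":
    token = os.environ["DESEC_TOKEN"]  # never hard-code the token in the script
    host = os.environ.get("DESEC_HOST", "home.example.org")  # placeholder hostname
    print(send_update(host, token, ipv4="192.0.2.10"))  # 192.0.2.10 is documentation space
```

Keep the token out of the command line and out of version control (here it is read from an environment variable), and give it only the permissions it needs for the one zone it updates.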

Okay I have started from scratch. The first Screenshot from above shows my config. I have not changed there anything at all. I have deleted all entries in the desec interface. That is my result with the dnssec test:


When I check the Nameservers with MXToolBox DNS Lookup: It says “Sorry, we couldn’t find any name servers for mydomain.de”. What am I doing wrong?

Without knowing the actual domain name we can only speculate. The lines in the screenshot referencing netcup nameservers indicate that the domain is not even delegated to deSEC yet.

Now netcup might or might not offer DNSSEC themselves. I have no info about that. But if you want to use their nameservers and their DNSSEC then you are discussing this in the wrong forum. The same goes for some sort of dynDNS support. Since we are discussing this here, the assumption is that you want to use deSEC.

Things to check:

  • Verify which are the authoritative nameservers for the domain (dig domainname ns or dig domainname soa should give the answer). If you want to use deSEC then these should be ns1.desec.io, ns2.desec.org. Note that setting the NS records in the zone at your current provider (netcup) is not enough. The domain must be delegated to deSEC, i.e. the NS delegation records must be set in the parent zone (.de). Most domain registrars allow delegation to different nameservers in their web UIs.
  • To get DNSSEC to work (once the authoritative nameservers support that) the DS records must be set, again in the parent zone (.de). Again the domain registrar will need to communicate with the .de registry to do this, as the domain owner (you) doesn’t have a direct contractual relationship with the registry.

Hint: In my experience with multiple domain registrars the .de registry wants the DNSKEY values not the DS values for setting the DS records. Consequently the domain registrar will also want this value to handle setting the DS records in the parent zone.

In summary:

  • Delegate the domain to deSEC.
  • Get DNSSEC working (DS records in the parent zone).

2 Likes
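Since the registrar may ask for the DNSKEY while what ends up in the parent zone is a DS, it is worth being able to check that the published DS really corresponds to your key. This added example (not from the thread, not deSEC code) derives the DS fields from a DNSKEY as RFC 4034 section 5 and Appendix B specify; the DNSKEY it is run on is a constructed dummy with a 4-byte "public key", not a real key.

```python
"""Derive a DS record from a DNSKEY (RFC 4034 section 5 and Appendix B).

Added example, not from the thread. The DNSKEY used in __main__ is a
constructed dummy (flags 257 = KSK, protocol 3, algorithm 13, 4 fake key bytes).
"""
import base64
import hashlib
import struct

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: length-prefixed lower-case labels plus root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not the special case for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex), the DS presentation fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey_line(line: str):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' (base64 may contain spaces)."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
    return parts[0], flags, proto, alg, "".join(parts[i + 4:])


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if the DS line (as published in the parent) matches the DNSKEY line."""
    owner, flags, proto, alg, key = parse_dnskey_line(dnskey_line)
    parts = ds_line.split()
    j = parts.index("DS")
    tag, ds_alg, dtype = (int(x) for x in parts[j + 1:j + 4])
    digest = "".join(parts[j + 4:]).upper()
    return ds_from_dnskey(owner, flags, proto, alg, key, dtype) == (tag, ds_alg, dtype, digest)


if __name__ == "__main__":
    dummy = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="  # constructed, not a real key
    print("DS fields:", ds_from_dnskey(*parse_dnskey_line(dummy)))
```

To use it for real, take the DNSKEY line from dig +dnssec DNSKEY on your zone and the DS line from the .de parent (dig DS yourdomain.de), and compare them with ds_matches; a mismatch in key tag, algorithm or digest means the parent is vouching for a key you do not have.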

I would like to use desec. I have written to the Netcup support team and they mentioned the .de registrar proof domain: https://nast.denic.de/ I put in the desec domains and have no issues. So I think I have to wait until netcup has configured it.

Disclaimer: I have never used netcup.

Going by their FAQ you can set the authoritative nameservers yourself. No support ticket required.

They even seem to have a web UI for setting up DNSSEC with external nameservers:

Yes, I know. That is what I have done in my first screenshot above. But it is not applied directly as shown in your Documentation link.

Since we are going back to check the basics: Did you register your domain through netcup or some other domain registrar?

I have registered it through netcup.

Ok. So if you have problems getting their documented methods to work, contacting their support is the correct way to solve this. Let’s wait until the domain has been delegated to deSEC.

1 Like

Just chiming in as a Netcup customer. The Netcup side setup looks about right to me. Mine seems to be identical and my domains got delegated to deSEC without any issues.
I don’t recall how long it took for the changes to propagate, but it wasn’t excessively long.

1 Like

Okay it was a problem on the side of netcup. The support has fixed it. Now the correct nameservers are set.
Now it is time to continue with DynDns. I am not sure how to do it.
First possible config: Set DynDNS up with my apex domain. Then create CNAME records to the apex domain. But I have read that CNAME entries to the apex should not be set. This is what you have already mentioned above (cf. CNAME limitations paragraph: Why a domain’s root can’t be a CNAME — and other tidbits about the DNS).
Second possible config: Set DynDNS up with a Subdomain. Then refer CNAME entries to it. This is maybe the better configuration because you should not set CNAME records to Apex. But is it possible to use DynDNS with a Subdomain which has no explicit record set in the desec interface?

Not sure if this is a misunderstanding or not. You can not set a CNAME on the domain apex itself. But you can set a CNAME to point to the domain apex. E.g. for the domain example.com:
@ 3600 IN CNAME sub.example.com. (✘ is not allowed! And it does not matter where the CNAME points to.)
sub 3600 IN CNAME example.com. (✔ is fine.)

1 Like

I know that. I have not mentioned it correctly. I meant it like you, but should I use a subdomain or the main domain to point to my home IP with DynDNS?
I think I am going to test it with a sub and refer with CNAME to this sub.

Fine. You can always change this later.

Why? Just name what you called sub correctly. Then you don’t need a CNAME to point to it. One less DNS query for the clients.