Hi. I hope it’s okay to post about this here, as I’m not sure if it’s an issue with desec, OPNsense or the Caddy plugin.
I switched from Cloudflare to desec to handle my domain’s DNS recently, with the Caddy plugin on OPNsense set to update the IP for the domain when it changes. This worked great with Cloudflare, but while the IP gets correctly changed here the action seems to wipe out all my CNAMEs.
I assume that you are trying to change A/AAAA records at the domain apex, not on a subdomain? CNAME records are not allowed at the domain apex though. So are you suggesting that CNAMEs with different subdomain names get deleted?
Also, having a CNAME precludes any other RRsets for that subdomain. So if you have A/AAAA records and a CNAME with the same name, that is not a valid configuration in the first place. (And I would wonder how you managed to set this up using the available deSEC configuration options?)
If you only have a CNAME set for a subdomain and then use the deSEC Update API or some other method to set any other RRset, including A/AAAA, I’d expect either an error or that the CNAME RRset gets removed.
Hi, yes the CNAMEs were for various subdomains, all of which targeted the domain name. I had a single A record for the domain containing the IP address. This setup works with Cloudflare, but evidently here the CNAMEs get wiped when the A record gets updated.
You have however made me realise that I can just configure Caddy to set A records for each subdomain, which would probably work, so thank you!
Just to satisfy my curiosity: Was this something like sub1.example.com. CNAME example.com., sub2.example.com. CNAME example.com.? And then you set the A/AAAA records on example.com.? If that action deleted the CNAMEs then something weird is going on. That should not happen.
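An added example, not code from this thread or from deSEC, OPNsense or Caddy: a small Python zone model that enforces the two rules described in the replies above (no CNAME at the apex; a CNAME may not share its name with any other RRset) and shows that an update scoped to the apex A RRset leaves the sub1/sub2 CNAMEs in place. The domain, IPs and the `""`-means-apex subname convention are assumptions.

```python
# Added example (constructed): a minimal zone model with deSEC-style RRset rules.
from dataclasses import dataclass, field


class RRsetError(ValueError):
    """Raised when an update would leave the zone in an invalid state."""


@dataclass
class Zone:
    name: str
    # keyed by (subname, type); "" is the apex (assumed convention)
    rrsets: dict = field(default_factory=dict)

    def set_rrset(self, subname: str, rtype: str, records: list[str]) -> None:
        """Replace exactly one RRset; RRsets with another name or type are untouched."""
        if rtype == "CNAME" and subname == "":
            raise RRsetError("CNAME is not allowed at the zone apex")
        others = {t for (s, t) in self.rrsets if s == subname and t != rtype}
        if rtype == "CNAME" and others:
            raise RRsetError(f"{subname} already has {sorted(others)}; CNAME must stand alone")
        if rtype != "CNAME" and "CNAME" in others:
            raise RRsetError(f"{subname} has a CNAME; no other RRset may be added")
        if records:
            self.rrsets[(subname, rtype)] = list(records)
        else:
            self.rrsets.pop((subname, rtype), None)  # empty list deletes only this RRset

    def names_with_type(self, rtype: str) -> list[str]:
        return sorted(s for (s, t) in self.rrsets if t == rtype)


def dyndns_apex_update(zone: Zone, new_ip: str) -> list[str]:
    """A well-behaved DDNS client touches only the apex A RRset; return surviving CNAME names."""
    zone.set_rrset("", "A", [new_ip])
    return zone.names_with_type("CNAME")


def demo() -> dict:
    z = Zone("example.com")
    z.set_rrset("", "A", ["192.0.2.10"])            # constructed sample IP
    z.set_rrset("sub1", "CNAME", ["example.com."])
    z.set_rrset("sub2", "CNAME", ["example.com."])
    out = {"cnames_after_update": dyndns_apex_update(z, "192.0.2.20"),
           "apex_a": z.rrsets[("", "A")]}
    # The two invalid configurations from the thread are rejected rather than applied.
    for subname, rtype, recs in (("", "CNAME", ["example.com."]), ("sub1", "A", ["192.0.2.10"])):
        try:
            z.set_rrset(subname, rtype, recs)
            out[(subname, rtype)] = "accepted"
        except RRsetError as e:
            out[(subname, rtype)] = f"rejected: {e}"
    return out
```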
Yes that should be possible. The IP Update API works fine on subdomains.
Disclaimer: I don’t use OPNsense or Caddy. So I know nothing about their capabilities.
That’s exactly it, yes. The CNAMEs stay if I manually change the A record IP, but are deleted if it’s updated over the API from the OPNsense caddy plugin. I’m sure it’s some quirk of Caddy rather than an issue with Desec, but it used to work fine with Cloudflare which threw me.