hugo-site/content/posts/domain-setup.md
2021-10-27 00:27:09 +02:00

---
title: "Domain Setup ☄💻"
date: 2021-09-19T17:14:03+02:00
draft: false
---

## DNS Records

The main part of setting up a domain is configuring your DNS records. These dictate how the physical address of your machine is mapped to your human-readable service names. I mainly use this domain for web services together with self-hosted email, so I have outlined below the records these services require.

| Type | Name | Description |
|---|---|---|
| A | Address record | Physical IPv4 address associated with this domain |
| CNAME | Canonical name record | Alias for an A record name. This is generally used for subdomains (i.e. other.domain.xyz as an alias for domain.xyz, both served by the same machine) |
| CAA | Certification Authority Authorization | DNS Certification Authority Authorization, constraining the acceptable CAs for a host/domain |
| DS | Delegation signer | The record used to identify the DNSSEC signing key of a delegated zone |
| MX | Mail exchange record | Maps a domain name to a list of message transfer agents for that domain |
| TXT | Text record | Carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc. |

The essential records for web services are the A and CNAME records, which enable correct name lookup from outside your private network. Nowadays TLS (still commonly called SSL) should be part of the setup, so the certification authority you use should be declared in a CAA record; this constrains which CAs may issue certificates for your domain. Most likely this will be letsencrypt.org, which provides certificate signing free of charge and secures your traffic in transit to some extent. Separately, a DS record (published in the parent zone via your registrar) identifies the DNSSEC signing key of your zone and is what allows you to enable DNSSEC on your domain.

The other records are required for secure email transfer. First you need the equivalent of a name record for mail: the MX record, which should point to a hostname with its own A record and may or may not be the same machine / physical address as the host serving your web services. Signing your email, much like TLS for web traffic, should be an essential part of your setup. An SMTP setup with Postfix can do so using OpenDKIM. This will similarly require you to publish your public signing key as a TXT record.

```
"v=DKIM1;k=rsa;p=${key_part1}"
"${key_part2}"
```

The TXT record will look something like the statement above. There are some inconveniences, unfortunately, when using RSA with a large key size, which yields a long public key: each string inside a TXT record is limited to 255 characters, so you need to break the key up into multiple strings, which the OpenDKIM tool may or may not do by default. As long as no semicolons are inserted between the pieces, the verifier concatenates the strings and this should just work as expected.
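To make the splitting rule concrete, here is an added example (my own code, not part of the original post or of OpenDKIM) that turns a PEM public key into the multi-string TXT value, renders it as a zone line, and then checks a record the way a verifier would: reassembling the strings, parsing the `tag=value` pairs and confirming the `p` tag still decodes as base64. The key material is a constructed placeholder of the right length, not a real key, and the selector name `default` is an assumption.

```python
"""
Build and sanity-check a DKIM public-key TXT record.

Added example, not code from the original page or from OpenDKIM. It assumes
a PEM-encoded public key such as the one written by an OpenDKIM key
generator; the key bytes below are a constructed placeholder, NOT a real key.
"""
import base64
import binascii

# RFC 1035: each <character-string> inside TXT RDATA is at most 255 bytes.
# A long DKIM key therefore has to be split into several strings, which the
# verifier concatenates back together (RFC 6376).
MAX_CHARACTER_STRING = 255

# Constructed placeholder: 294 bytes, the size of a 2048-bit RSA
# SubjectPublicKeyInfo, so the base64 form (392 chars) must be split.
_FAKE_DER = bytes((i * 7) % 256 for i in range(294))
_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_b64(pem: str) -> str:
    """Strip the PEM armour and line breaks, returning the bare base64 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises if the body is not base64
    return body


def build_dkim_txt(pem: str, key_type: str = "rsa") -> list[str]:
    """Return the record value as a list of <=255-character strings.

    The split is purely positional: no separator (and certainly no ';')
    is inserted between the pieces, so concatenation restores the value.
    """
    value = f"v=DKIM1;k={key_type};p={pem_to_b64(pem)}"
    return [value[i:i + MAX_CHARACTER_STRING]
            for i in range(0, len(value), MAX_CHARACTER_STRING)]


def format_zone_line(selector: str, strings: list[str]) -> str:
    """Render a BIND-style zone line with each piece quoted separately."""
    quoted = " ".join(f'"{s}"' for s in strings)
    return f"{selector}._domainkey IN TXT ( {quoted} )"


def parse_dkim_txt(strings: list[str]) -> dict[str, str]:
    """Concatenate the strings as a verifier does and parse tag=value pairs."""
    tags: dict[str, str] = {}
    for part in "".join(strings).split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (stray ';' in the key?): {part[:20]!r}")
        key, val = part.split("=", 1)
        tags[key.strip()] = val.strip()
    return tags


def check_dkim_record(strings: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = [f"string {i} exceeds {MAX_CHARACTER_STRING} bytes"
                for i, s in enumerate(strings)
                if len(s.encode()) > MAX_CHARACTER_STRING]
    try:
        tags = parse_dkim_txt(strings)
    except ValueError as err:
        return problems + [str(err)]
    if tags.get("v") != "DKIM1":
        problems.append("v tag must be DKIM1")
    pub = tags.get("p")
    if pub is None:
        problems.append("p tag (public key) missing")
    elif pub == "":
        problems.append("p tag is empty, which means the key is revoked")
    else:
        try:
            base64.b64decode(pub, validate=True)
        except (ValueError, binascii.Error):
            problems.append("p tag is not valid base64")
    return problems


if __name__ == "__main__":
    pieces = build_dkim_txt(SAMPLE_PEM)
    print(format_zone_line("default", pieces))
    print("problems:", check_dkim_record(pieces) or "none")
    # A ';' slipped in at the split point breaks the key into a bogus tag:
    print("broken:", check_dkim_record([pieces[0], ";" + pieces[1]]))
```

Run it as a script to see the zone line and the two check results; the second check shows why a semicolon at the split boundary turns the tail of the key into an unparseable tag, which is exactly the failure the post warns about.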