lieuwe/hugo-site
1
0
Fork 0
mirror of https://github.com/lleene/hugo-site.git synced 2025-01-23 12:02:22 +01:00
Code Issues Packages Projects Releases Wiki Activity
hugo-site/content/posts/domain-setup.md
Lieuwe Leene b5d1242dc5
content update oct 2021
2021-10-27 00:27:09 +02:00

55 lines
3.0 KiB
Markdown
Raw Blame History

---
title: "Domain Setup ☄💻"
date: 2021-09-19T17:14:03+02:00
draft: false
---
## DNS Records
The main part of setting up a domain is configuring your
[DNS Records](https://en.wikipedia.org/wiki/List_of_DNS_record_types). This
basically dictates how your physical machine address is mapped to your human
readable service names. I mainly use this domain for web services together
self hosted email. As such I outlined the relevant records below that these
services require.
| Name | Description
| ----------------------------------------------- | -----------------------
| **A** Address record | physical IPv4 address associated with this domain
| **CNAME** Canonical name record | Alias name for A record name. This is generally for subdomains (i.e. other.domain.xyz as alias for domain.xyz both served the same machine)
| **CAA** Certification Authority Authorization | DNS Certification Authority Authorization, constraining acceptable CAs for a host/domain.
| **DS** Delegation signer | The record used to identify the DNSSEC signing key of a delegated zone
| **MX** Mail exchange record | Maps a domain name to a list of message transfer agents for that domain
| **TXT** Text record | Carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc.
The essential records for web services are the A and CNAME records which enable
correct name look up when outside you private network. Nowadays SSL should be
part and so specifying which certification authority you use should be set in
the CAA record. Most likely this will be `letsencrypt.org` which pretty much
provides SSL certificate signing free of charge securing your traffic to some
extent. In combination there should be a DS record here that presents your
public signing key used by your machine's SSL setup and allows you to
setup DNSSEC on your domain.
The other records are required for secure email transfer. First you need the
equivalent of a name record, the MX record which should point to another A
record and may or may not the same machine / physical address as the domain
hosting your web-services. Signing your email is similar to SSL encryption
should be an essential part of your setup. A SMTP set-up with postfix
can do so by using [openDKIM](http://www.opendkim.org/). This will require
you to similarly provide your public signing key as a TXT record.
```bash
"v=DKIM1;k=rsa;p=${key_part1}"
"${key_part2}"
```
The TXT record will look something like the above statement. There are some
inconveniences unfortunately when using RSA in combination with a high entropy
which yields a long public key. You need to break this key up into multiple
strings which the `openkdim` tool may or may not do by default as there is a
maximum character length for each TXT entry element. As long as no semi-colons
are inserted this should just work as expected.
Reference in New Issue View Git Blame Copy Permalink