3.6 KiB
title | date | draft |
---|---|---|
Domain Setup ☄💻 | 2021-09-19T17:14:03+02:00 | false |
DNS Records
The main part of setting up a domain is configuring your DNS Records. This basically dictates how your physical machine address is mapped to your human readable service names. I mainly use this domain for web services together self hosted email. As such I outlined the relevant records below that these services require.
Name | Description |
---|---|
A Address record |
// physical IPv4 address associated with this domain |
CNAME Canonical name record |
Alias name for A record name. This is generally for subdomains (i.e. other.domain.xyz as alias for domain.xyz both served the same machine) |
CAA Certification Authority Authorization |
DNS Certification Authority Authorization, constraining acceptable CAs for a host/domain. |
DS Delegation signer |
The record used to identify the DNSSEC signing key of a delegated zone |
MX Mail exchange record |
Maps a domain name to a list of message transfer agents for that domain |
TXT Text record |
Carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc. |
The essential records for web services are the A and CNAME records which enable
correct name look up when outside you private network. Nowadays SSL should be
part and so specifying which certification authority you use should be set in
the CAA record. Most likely this will be letsencrypt.org
which pretty much
provides SSL certificate signing free of charge securing your traffic to some
extent. In combination there should be a DS record here that presents your
public signing key used by your machine's SSL setup and allows you to
setup DNSSEC on your domain.
The other records are required for secure email transfer. First you need the equivalent of a name record, the MX record which should point to another A record and may or may not the same machine / physical address as the domain hosting your web-services. Signing your email is similar to SSL encryption should be an essential part of your setup. A SMTP set-up with postfix can do so by using openDKIM. This will require you to similarly provide your public signing key as a TXT record.
"v=DKIM1;k=rsa;p=${key_part1}"
"${key_part2}"
The TXT record will look something like the above statement. There are some
inconveniences unfortunately when using RSA in combination with a high entropy
which yields a long public key. You need to break this key up into multiple
strings which the openkdim
tool may or may not do by default as there is a
maximum character length for each TXT entry element. As long as no semi-colons
are inserted this should just work as expected.
Debugging DNS Issues
Often is things don't go as expected. Especially with DNS related issues since caching prevents real-time corrections.
nslookup leene.dev
dig $DOMAIN_NAME $RECORD_NAME
Two of the better tools here is nslookup and dig. The first will generally tell you how and where you name lookup is being resolved. Sometimes this may not be as expected so its always good to double check. The second is literally a DNS utility that lets you query specific records. For example testing your openDKIM setup relies on the DNS record correctly being set.