On Fri, Jan 18, 2019 at 10:38:12AM -0800, Chris Bennett wrote:
> I have had problems with setting up DNS for myself and I need it to be
> authoritative.

This means you need at least two servers for this, that will be running nsd (as supplied in base) or another authoritative DNS server. Pick one to be the master unless you want to make both replicants and have a hidden master. It's up to you. Once you have a master picked, it is the only place where you do zone changes and reloads. Configure DNS notify to let the replicants (also called slaves sometimes) know to transfer a certain zone. For transferring, which is done over TCP, you should use TSIG keys, but if you can't, set up an IPSEC tunnel to protect the exchange between the master and replicant.

> I have my domains registered with Godaddy and they do not support
> domains not hosted on their servers. I have been using their DNS without
> big problems, except that I'm not getting proper results with regards to
> email. I've got a pretty bad problem with spam. I now have two servers,
> each with a different company.

Perfect. Set up the zones first, start nsd and use dig to debug before you tell godaddy to use your own authoritative nameservers (this can be done through their web-interface).

> Will that then solve the problems with PTR, DKIM and DMARC?

PTR is reverse DNS, usually inside the in-addr.arpa. or ip6.int. hierarchy. The authority over your subnets is your ISP's, who you host with, and they may forward in-addr.arpa requests to your nameservers; usually it's uncommon for them to do this as reverse hardly changes. They usually have a web-interface where you can leave your reverse domain hostname for an IP.

I don't know anything about DKIM or DMARC as I use only SPF.

> I also particularly hate the web GUI that Godaddy uses and its SOA
> record is much too long timewise.

I'm having some hard time understanding this; usually SOA is used between authoritative nameservers to have some values for refresh, retry, expire. It usually is not relevant for A lookups, for example.

> Should I set it up with just one of my servers or both?

Two servers minimum. You won't be sorry.

> One is in Los Angeles and the other is in Miami.
> Do I need to use a different one to cover the other server or can I just
> use the same one to cover the email stuff like DKIM and DMARC?

Hmm, yes, when one is down the other takes over; redundancy is built into DNS. The two servers are usually synchronized with AXFRs. Make sure that your AXFR is safe. Use TSIG if you can, IPSEC if you have no choice between the two servers.

> Since I'm having problems from the ground up, this seems like a good
> idea to start at.

DNS is defined in RFC 1034 and 1035 in its most basic form. Perhaps you want to scan through those.

> I'm also seeing conflicting advice on whether I should use multiple A
> records for subdomains, like www. smtp. etc. or CNAME.

I'd start with A records; CNAMEs can get you in trouble (for example using them in the apex of a zone, which is illegal).

> Plus it's not clear to me whether to use records like _smtp.tcp or not
> bother with those.

I'm not sure what you mean here... the form _service._tcp.something. is used in SRV resource records, for services like SIP... I am unaware of it using SRV for mail. There are TLSA RRs that use _25._tcp.hostname.tld. for things such as DANE, but that's pretty hardcore stuff for a newbie. I'd establish a simple setup at first and grow with it.

> I have spent a lot of time reading pages on all of these subjects but I
> have yet to find a complete example of all DNS records for a site.
> Would anyone care to share one with me?

A good list is found on wikipedia: https://en.wikipedia.org/wiki/List_of_DNS_record_types

You likely need only the basic ones: MX, A, AAAA, NS, SOA, TXT, and maybe PTR. After you have some experience with these plaintext RRs you can go further and add DNSSEC to your setup to have integrity. For this I'd recommend you get a book. Getting a book for this is a good idea anyhow, either way.

> Thanks,
> Chris Bennett

Regards,
-peter
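The master/replicant arrangement described in the reply (NOTIFY from the master, TSIG-authenticated AXFR/IXFR to the replicant, transfers refused to everyone else) as nsd.conf fragments; this is a constructed example added here, not from the mail or the nsd project, and the zone name, key name, addresses and secret are placeholders.

```conf
# Constructed example: nsd.conf fragments for a master in Los Angeles
# (192.0.2.10) and a replicant in Miami (198.51.100.20). On OpenBSD the
# config lives in /var/nsd/etc/nsd.conf and zonefiles are relative to
# /var/nsd/zones. Addresses are documentation ranges, not real hosts.

# ---- present on BOTH servers: the TSIG key that authenticates NOTIFY
# and zone transfers. Generate a real secret with: openssl rand -base64 32
key:
    name: "transfer.example.com"
    algorithm: hmac-sha256
    # demo value only: base64 of "example-only-do-not-use-this-key"
    secret: "ZXhhbXBsZS1vbmx5LWRvLW5vdC11c2UtdGhpcy1rZXk="

# ---- master only: the one place where the zonefile is edited and reloaded
zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # tell the replicant a new serial is available, signed with the key
    notify: 198.51.100.20 transfer.example.com
    # hand out AXFR/IXFR only to the replicant and only with a valid TSIG;
    # any other address asking for a transfer is refused
    provide-xfr: 198.51.100.20 transfer.example.com

# ---- replicant only: never edit this zonefile by hand, nsd maintains it
zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # accept NOTIFY only from the master, and only when the TSIG verifies
    allow-notify: 192.0.2.10 transfer.example.com
    # pull the zone from the master, signing the request with the same key
    request-xfr: 192.0.2.10 transfer.example.com
```

Run `nsd-checkconf /var/nsd/etc/nsd.conf` on both hosts, bump the SOA serial on the master for every change (the replicant only transfers when the serial grows), and compare `dig @192.0.2.10 example.com SOA` against `dig @198.51.100.20 example.com SOA` to confirm the transfer landed.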