DNS Zone Just for the Server Hostname
What's the recommended practice here? Should the server hostname server.example.com subdomain be an A record in its apex domain's DNS zone (example.com), or should we create a DNS zone just for the server hostname?
-
Hey hey! I personally prefer to keep it all in one zone, especially if you're also hosting the DNS locally.
1 -
I see this is the default with most providers. What are the possible downsides of having it as a separate zone? There is a service that I wish to add my server.example.com hostname to, but it requires that it has its own DNS zone (with its own SOA record) to add it.
0 -
The only downside is remembering that it's a unique zone if something comes up in the future and you go to adjust the main domain but it doesn't change the hostname and you can't figure out why. There's really no functional downside to either system.
1 -
OK, I presume I can do this (create a DNS zone) with every subdomain I want, since the server hostname is a subdomain?
Also, since it is more specific, does the subdomain zone take precedence over the apex zone when it comes to resolving? I ask this in case both the apex and the subdomain zone happen to carry the same A record for the subdomain. Which one is considered?
0 -
When trying to create a zone for server.example.com in WHM I got this:
Results of adding zone server.example.com
Sorry, a DNS entry for server.example.com already exists
I assure you, it doesn't exist, other than an A record for it in the parent zone. Should I remove it and try again? Can you please test this on your end?
0 -
That was exactly it. To remove a subdomain from its apex zone, its A record must first be removed from the apex zone. Everything is working fine.
Can you at least comment on the existence of an A record in both the apex and subdomain zones? Which takes precedence?
0 -
I would expect the apex zone to take precedence if that exists. The hostname-specific zone should only get referenced if there's no other option for the domain.
1 -
A few years back, I asked you how to include the NS hostnames in the SSL cert, so you advised that the only way for Apache to include them is for them to be present in a virtualhost, either through ServerName or ServerAlias directive.
To achieve this, I parked them on top of my main domain, of which they were subdomains. They became ServerAlias in the main domain's VH, which gave them SSL protection, plus they got their own DNS zones.
I'm only mentioning this because this was a similar case. Here, I manually created the DNS zone and didn't need the parking, because cPanel already has a way of automatically protecting the server hostname via AutoSSL.
0 -
Yes - the hostname certificate runs on its own tool outside of the user domains AutoSSL system. That may have been different a few years ago, though.
1 -
Still works perfectly, though. One question, about the server hostname SSL CA provider, is it Let's Encrypt? I remember being cPanel CA before.
PS. Having separate zones for NS and the server hostnames is much more elegant. I also can't wait for you to redesign the system to remove the subdomain requirement for addon domain creation.
0 -
Yes, at this point it's all under Let's Encrypt, but you're correct that it used to be under the cPanel CA in the past.
If you haven't yet, you can always leave your thoughts here about that change:
https://features.cpanel.net/c/100-remove-subdomain-requirement-for-addon-domain-creation
I think it's something we'd ALL like to see change. It's just a massive project since it's been core to our cPanel functions since its inception.
1 -
I'm asking about the CA because I started using a CAA record to harden my security a bit by limiting cert issuance to LE only.
I already left a few times. :) I even had the request before on the old site. I'm sure this one would take time to redesign and properly update around the world.
0 -
On that note, I realized that cPanel enforces the legacy syntax (RFC 3597 Generic Record Syntax) for CAA records, instead of the modern:
domain.com. 14400 IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267
domain.com. 14400 IN CAA 0 issue "letsencrypt.org"
This is barely readable when inspecting raw zone files, which I do. You should make a toggle in the Tweak Settings for it. For example, I'm a server admin who keeps track of the software versions that support the interpretation of the modern syntax, so I would safely turn off the usage of legacy syntax.
0 -
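The two record forms in the post above carry identical wire data. As an added example (not cPanel's code), this converter builds the RFC 3597 generic form from a CAA record's flags, tag and value, and decodes it back, so an admin can verify a legacy-syntax line against the intended CA policy before trusting it. Function names are the author's choice.

```python
"""Convert between CAA presentation syntax (flags tag "value") and the
RFC 3597 generic form 'TYPE257 \\# <len> <hex>' shown in the thread.
Added example; not part of cPanel."""
import re

CAA_TYPE = 257  # CAA is RR type 257 (RFC 8659)


def caa_to_generic(flags: int, tag: str, value: str) -> str:
    """RDATA layout: flags (1 octet) | tag length (1 octet) | tag | value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 15 or not tag_b.isalnum():
        raise ValueError("tag must be 1-15 alphanumeric characters")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


def generic_to_caa(generic: str) -> tuple[int, str, str]:
    """Parse 'TYPE257 \\# <len> <hex>' into (flags, tag, value), checking
    that the declared length and the embedded tag length are consistent."""
    m = re.fullmatch(r"TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", generic.strip())
    if not m:
        raise ValueError("not an RFC 3597 CAA record")
    length = int(m.group(1))
    rdata = bytes.fromhex(m.group(2))  # fromhex ignores embedded whitespace
    if len(rdata) != length:
        raise ValueError(f"declared length {length} != actual {len(rdata)}")
    if length < 2:
        raise ValueError("RDATA too short for flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if 2 + tag_len > length:
        raise ValueError("tag length exceeds RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


def to_modern(owner: str, ttl: int, generic: str) -> str:
    """Render a generic-syntax RDATA as a modern CAA zone-file line."""
    flags, tag, value = generic_to_caa(generic)
    return f'{owner} {ttl} IN CAA {flags} {tag} "{value}"'


if __name__ == "__main__":
    # Legacy line as it appears in the post above (constructed input)
    legacy = r"TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267"
    print(to_modern("domain.com.", 14400, legacy))
```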
So you'd like to see a toggle between modern and legacy?
1 -
Yes, sorry for this long pause.
0 -
It sounds like a good idea to me! I've submitted a feature request and I'll bring it up with the team during tomorrow's meeting. I'll let you know once I've heard more.
1 -
Thank you!!!
0 -
I created case CPANEL-51291 with our team to see if they can either create a toggle or just switch to the more modern view. I've linked this thread to the case so I'll be sure to post any updates I hear!
1 -
Thank you!
0 -
You're very welcome! To *me* this seems like a no brainer/easy win/better user experience, but I'll let you know once I have more details.
1 -
Yes, you are right. I hope we're not overlooking something important because of which they have to keep it backward compatible.
0 -
That's always a risk I try and explain to users - just because we *could* change something for the better, doesn't mean it may not break something else, or breaks how a user has been using a tool since 2005. But hopefully this isn't one of those cases.
1 -
I’ve learned that being a good admin means being at peace with things like that - but progress rarely comes from peace. :)
0