[GH-ISSUE #196] DNS Provider not Allowing NS and A Recs for the Same Domain #87

Closed
opened 2026-03-13 15:43:39 +03:00 by kerem · 7 comments

Originally created by @svoop on GitHub (Nov 8, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/196

The setup for acme-dns requires both an NS record and an A record to exist for the zone subdelegated to acme-dns. As explained in the docs:

https://github.com/joohoi/acme-dns#dns-records

The records look something like this:

```
auth.example.com. 600 IN A 100.111.122.133
auth.example.com. 600 IN NS auth.example.com.
```

My current DNS provider dyn.com accepts this, but since it has been bought by Oracle, they decided to shortcut what they consider "lifelong license". My new DNS provider eurodns.com handles this case more strictly. It is not possible to have both records at the same time and the reason they give is somewhat plausible:

> If you subdelegate the zone for the host acme.example.com to external name servers, then you cannot have an A record to point that very same host: acme.example.com to an IP because the zone for the host acme.example.com is no longer managed in the zone of example.com but in the zone created for that host on the external names server.

This leaves me in a kind of limbo. I get that the NS record is what points acme to the instance of acme-dns running on demand on my box, however, I'm not sure who consumes the A record and whether it would be possible to work around this with a CNAME/A combo, a proprietary TXT record or some other hack.

@joohoi Do you see any solution for this?

kerem closed this issue 2026-03-13 15:43:44 +03:00

@Ajedi32 commented on GitHub (Nov 8, 2019):

Look for a dedicated section for setting "glue records". That's what the A records are called in this specific case: https://ns1.com/blog/glue-records-and-dedicated-dns

If that's not an option, then I suppose you could point the NS to a different subdomain which isn't part of the subdelegation.


@svoop commented on GitHub (Nov 8, 2019):

@Ajedi32 Ah, now I get it. The following should do the trick then?

```
auth.example.com.        600    IN NS    ns1.auth.example.com.
ns1.auth.example.com.    600    IN A     100.111.122.133
```

The example in the docs uses the same domain name auth.example.com for both which apparently not all of the DNS providers out there like.


@Ajedi32 commented on GitHub (Nov 8, 2019):

No, I don't believe that will work because ns1.auth.example.com is a subdomain of the namespace you're delegating to. You could use something like ns1-auth.example.com though I believe.


@svoop commented on GitHub (Nov 8, 2019):

You're right, makes more sense this way. EuroDNS accepts this. Thanks for your help, @Ajedi32 !


@svoop commented on GitHub (Nov 8, 2019):

By the way, the subdomain example was "the way to do it" according to the README as of April 2018 (when I set up my box), so seems to work after all:

https://github.com/joohoi/acme-dns/blob/7744357b615dd68eece2a3978e84fe29430b9115/README.md#dns-records

This section was later updated by @Yannik with commit dc0dd430174bed60b8fd323b94e39bac78569130


@Ajedi32 commented on GitHub (Nov 8, 2019):

Yes, I'm saying it probably wouldn't work for you since according to the statement you quoted your DNS provider doesn't seem to support glue records. For a DNS provider which does support glue records it should work fine (as would the earlier example you gave of just using "auth.example.com" as the name server).


@svoop commented on GitHub (Nov 8, 2019):

Well, he does support glue records, he just doesn't support the delegated subdomain and the glue record to be identical.

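Added example, not part of the thread and not acme-dns code: a label-wise check of where each delegation's nameserver name sits, run over the three layouts discussed above. The function names are illustrative and the `ns1-auth` record set is constructed from the name suggested in the thread. It compares labels rather than string suffixes, because `ns1-auth.example.com.` ends with the string `auth.example.com.` without being inside that zone.

```python
# Added example (not acme-dns code): classify each delegation's nameserver name.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return name.lower().rstrip(".").split(".")

def at_or_below(name, zone):
    """True if `name` equals `zone` or is a subdomain of it (label-wise)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def parse_records(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, type, rdata)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN":
            out.append((f[0], f[3].upper(), f[4]))
    return out

def classify_delegations(text, parent_zone):
    """For each NS below the parent apex, report where the nameserver name lives."""
    records = parse_records(text)
    with_address = {tuple(labels(o)) for o, t, _ in records if t in ("A", "AAAA")}
    report = []
    for owner, rtype, target in records:
        if rtype != "NS" or labels(owner) == labels(parent_zone):
            continue
        if labels(target) == labels(owner):
            place = "same-name"         # A record is glue at the zone cut itself
        elif at_or_below(target, owner):
            place = "below-delegation"  # address exists in the parent only as glue
        elif at_or_below(target, parent_zone):
            place = "parent-zone"       # ordinary A record, no glue involved
        else:
            place = "external"          # resolved through some other zone
        report.append((owner, target, place, tuple(labels(target)) in with_address))
    return report

# Constructed inputs: the record sets discussed in the thread.
DOCS_LAYOUT = """auth.example.com. 600 IN A 100.111.122.133
auth.example.com. 600 IN NS auth.example.com."""
SUBDOMAIN_NS = """auth.example.com. 600 IN NS ns1.auth.example.com.
ns1.auth.example.com. 600 IN A 100.111.122.133"""
SIBLING_NS = """auth.example.com. 600 IN NS ns1-auth.example.com.
ns1-auth.example.com. 600 IN A 100.111.122.133"""

if __name__ == "__main__":
    for text in (DOCS_LAYOUT, SUBDOMAIN_NS, SIBLING_NS):
        print(classify_delegations(text, "example.com."))
```
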