DNSSEC delegation issue on codeberg.page for custom (sub)domains?
As I use the CNAME approach for my blog https://jan.wildeboer.net and as I have DNSSEC configured for my domain wildeboer.net, I run into a little snafu with DNS from codeberg:
tells me that codeberg.page does not have the RRSIGs, DS or DNSKEY needed to verify the chain.
I guess (as I am no DNSSEC expert) that you haven't enabled DNSSEC for the codeberg.page domain?
I am quite sure that simply switching DNSSEC on for codeberg.page could potentially be a problematic act, but if it can be done - would be very nice!
(I also note that both my domain wildeboer.net and codeberg.page are using Gandi DNS, so there's that ;)
So if you want to test with a staging domain sometime in the future - happy to be part of the test team :)
If there is a better way to point jan.wildeboer.net to jwildeboer.jwildeboer.codeberg.page than the CNAME approach I am using currently - please do tell me!
Uhm. No. That is a completely different thing. My CNAME setup works without problem, it's just the DNSSEC that doesn't fully validate due to codeberg.page not having DNSSEC enabled.
If you want to blame shame me, go ahead. That is BTW the codeberg server setup, as jan.wildeboer.net is CNAMEd to jwildeboer.jwildeboer.codeberg.page. And SSL/TLS config is unrelated to DNSSEC.
So if you think the SSL/TLS config of the codeberg page server needs some corrections/upgrades, please feel free to open a separate ticket on that. This issue is about DNSSEC, IMHO.
We don't yet have DNSSEC enabled; I can't tell if there's a reason for it or not. I know there are many opinions about DNSSEC if you ask some people ...
Same as with SSL/TLS config ;) So far I had one report by a reader of my blog that he couldn't resolve jan.wildeboer.net due to strict DNSSEC on his side.
It's more of a "if it doesn't hurt and doesn't cause too much work - why not try?" question. Maybe on codeberg-test.org and if it works discuss again if the switch can be made for the codeberg.page domain.