DNSSEC delegation issue on codeberg.page for custom (sub)domains? #712

Open
opened 1 month ago by jwildeboer · 8 comments

As I use the CNAME approach for my blog https://jan.wildeboer.net and as I have DNSSEC configured for my domain wildeboer.net, I run into a little snafu with DNS from codeberg:

- https://dnssec-analyzer.verisignlabs.com/jan.wildeboer.net tells me that codeberg.page does not have the RRSIGs, DS or DNSKEY needed to verify the chain.

I guess (as I am no DNSSEC expert) that you haven't enabled DNSSEC for the codeberg.page domain?

I am quite sure that simply switching DNSSEC on for codeberg.page could potentially be a problematic act, but if it can be done - would be very nice!

(I also note that both my domain wildeboer.net and codeberg.page are using Gandi DNS, so there's that ;)

So if you want to test with a staging domain sometime in the future - happy to be part of the test team :)

If there is a better way to point jan.wildeboer.net to jwildeboer.jwildeboer.codeberg.page than the CNAME approach I am using currently - please do tell me!
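
The chain described in this issue, as an added example that is not part of the thread or of Codeberg's code: a simplified model of the RFC 4035 validation states for a CNAME that leaves a signed zone. The zone flags are constructed from the issue text (wildeboer.net signed, codeberg.page without DS, DNSKEY or RRSIGs); the signed state of the net and page TLDs and the "DS published before signing" case are assumptions added for illustration.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    ds_in_parent: bool  # parent zone publishes a DS RRset for this zone
    dnskey: bool        # zone publishes a DNSKEY matching that DS
    rrsigs: bool        # zone's RRsets carry RRSIGs that verify

RANK = {"secure": 0, "insecure": 1, "bogus": 2}

def zone_status(zone, parent_status):
    """Status of one delegation, simplified from RFC 4035 section 4.3."""
    if parent_status != "secure":
        return parent_status      # no extra trust anchors assumed below the break
    if not zone.ds_in_parent:
        return "insecure"         # signed parent proves the absence of a DS
    return "secure" if zone.dnskey and zone.rrsigs else "bogus"

def hop_status(zones):
    """Walk from the TLD down; the root trust anchor is taken as secure."""
    status = "secure"
    for zone in zones:
        status = zone_status(zone, status)
    return status

def chain_status(hops):
    """Evaluate each name in a CNAME chain; the answer is as good as its worst hop."""
    per_hop = {name: hop_status(zones) for name, zones in hops.items()}
    worst = max(per_hop.values(), key=RANK.__getitem__)
    return {"per_hop": per_hop, "overall": worst,
            "ad_bit": worst == "secure",   # validated end to end
            "servfail": worst == "bogus"}  # validating resolver refuses to answer

# Constructed zone states: codeberg.page as described in the issue, TLDs assumed signed.
NET = Zone("net", True, True, True)
WILDEBOER = Zone("wildeboer.net", True, True, True)
PAGE = Zone("page", True, True, True)
CODEBERG_UNSIGNED = Zone("codeberg.page", False, False, False)
CODEBERG_DS_ONLY = Zone("codeberg.page", True, False, False)  # hypothetical misstep

def evaluate(codeberg_zone):
    return chain_status({
        "jan.wildeboer.net": [NET, WILDEBOER],
        "jwildeboer.jwildeboer.codeberg.page": [PAGE, codeberg_zone],
    })

if __name__ == "__main__":
    print(evaluate(CODEBERG_UNSIGNED))  # CNAME is secure, target is insecure
    print(evaluate(CODEBERG_DS_ONLY))   # DS without signatures: bogus
```

The second case is the failure mode to avoid when enabling DNSSEC on a zone: a DS record published before the zone serves valid DNSKEY and RRSIG records turns an insecure delegation into a bogus one.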

There we go again: [#83](https://codeberg.org/Codeberg/pages-server/issues/83)
Poster

Uhm. No. That is a completely different thing. My CNAME setup works without problem, it's just the DNSSEC that doesn't fully validate due to codeberg.page not having DNSSEC enabled.

rwa added the enhancement pages labels 1 month ago
Collaborator

of course you don't know much, but your setup is tight.. anyway? does this affect all users with a page? not your business right? just tell me there exists a person who at least has access

Poster

If you want to blame shame me, go ahead. That is BTW the codeberg server setup, as jan.wildeboer.net is CNAMEd to jwildeboer.jwildeboer.codeberg.page. And SSL/TLS config is unrelated to DNSSEC.

Poster

So if you think the SSL/TLS config of the codeberg page server needs some corrections/upgrades, please feel free to open a separate ticket on that. This issue is about DNSSEC, IMHO.

Collaborator

We don't yet have DNSSEC enabled, I can't tell if there's a reason for it or not. I know there are many opinions about DNSSEC if you ask some people ...

Poster

Same as with SSL/TLS config ;) So far I had one report by a reader of my blog that he couldn't resolve jan.wildeboer.net due to strict DNSSEC on his side.

It's more of a "if it doesn't hurt and doesn't cause too much work - why not try?" question. Maybe on codeberg-test.org and if it works discuss again if the switch can be made for the codeberg.page domain.

fnetX added the infrastructure codeberg labels 3 weeks ago
Collaborator

@momar you should have access to the DNS config and have written the initial pages server, can you please take care of this issue?

Reference: Codeberg/Community#712