DNS - Delegation, Subzones and scoped API tokens
-
Hello dear Cloudron Community,
Maybe you guys can answer this question for me.
I am currently using multiple DNS services like AutoDNS (manual), Hetzner (programmatic), DigitalOcean (programmatic) and Cloudflare (private, programmatic). I wanted to delegate everything to Hetzner, but then I ran into an issue.
Topic 1 Scoped API tokens
Current status at Hetzner: There is only a simple "global" DNS access token with read-write access.
This is difficult for us as we would actually expect a scoped API token for each delegated subdomain.
The background is that these API tokens live on systems that are supposed to manage their own subzone themselves.
If there is a worst-case breach of a system holding the global DNS API token, we can say goodbye to the entire zone.
I have been told that they are already working hard to make this possible.
Topic 2 DNS subzone
Current status at Hetzner: Only the entire zone can be stored at Hetzner, not a subzone.
Using the example of our domain "YOUR-DOMAIN.de".
The subdomain "SUB.YOUR-DOMAIN.de" cannot be created at Hetzner as a subzone. A "422: invalid TLD. You can try reloading the page" error occurs. (PS: the error could be more precise; then I would not have had to call support.)
A friendly support employee then explained on the phone that yes, this is not possible right now; the workaround would be to store "YOUR-DOMAIN.de" and point the IN NS records for "SUB.YOUR-DOMAIN.de" at the appropriate Hetzner nameservers.
That would make it work.
However, I don't like this workaround, because firstly the Hetzner interface would then complain that the entire zone does not work or that the NS records do not point to Hetzner, even though the delegated zone's do.
Secondly, this then mixes non-working and working zones, which makes administering many DNS zones increasingly crazy and confusing.
"Is the entire zone really with Hetzner or just a subzone?" And this comes up every time during administration.
Furthermore, this topic is closely linked to the scoped API token topic.
For a scoped API token on a zone there must be a subzone; otherwise there is no scope for the delegated subzone. (Confusing text, sorry, I don't know how I could formulate it better.)
So:
- did you guys run into similar issues with other DNS providers supported by Cloudron?
- did you find a DNS provider which meets all your (and my) required expectations?
Cloudflare meets my expectations on a feature level, but I can't use their services due to a company policy.
Thanks for reading! Looking forward to some insights.
PS: I am checking out desec.io now to see if they can match my expectations.
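Added illustration of the delegation workaround described in the post above (example code, not part of the original post and not Hetzner's or Cloudron's code): a parent zone whose only link to the subzone is a set of NS records, plus two checks a practitioner wants when juggling many zones: which zone (and therefore which provider token) a given record name lands in, and whether a provider holds the whole zone or only a delegated subzone. All domain names, IP addresses and nameserver hostnames are constructed placeholders; the "hoster" nameservers are not Hetzner's real ones.

```python
# Added example, not code from the thread, Hetzner or Cloudron: a model of the
# workaround from the post (parent zone with NS records delegating a subzone)
# that answers, for any record name, which zone a write lands in and whether a
# provider serves the whole zone or only a delegated subzone. All names, IPs
# and nameserver hostnames are constructed placeholders.

from collections import defaultdict

PARENT_ZONE = "your-domain.de"

# Constructed parent zone data: apex NS at a hypothetical registrar DNS,
# one delegation of "sub.your-domain.de" to a hypothetical hoster's DNS.
RECORDS = [
    ("your-domain.de", "NS", "ns1.registrar-dns.example"),
    ("your-domain.de", "NS", "ns2.registrar-dns.example"),
    ("your-domain.de", "A", "203.0.113.10"),
    ("www.your-domain.de", "CNAME", "your-domain.de"),
    # The workaround: NS records in the parent zone pointing the subzone at
    # the other provider. No glue A records are needed because the
    # nameservers do not live under sub.your-domain.de themselves.
    ("sub.your-domain.de", "NS", "ns1.hoster-dns.example"),
    ("sub.your-domain.de", "NS", "ns2.hoster-dns.example"),
]


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'SUB.YOUR-DOMAIN.de.' compares equal."""
    return name.rstrip(".").lower()


def ns_sets(records) -> dict:
    """Owner name -> set of nameserver targets, taken from the NS records."""
    out = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype.upper() == "NS":
            out[normalize(name)].add(normalize(rdata))
    return dict(out)


def delegation_records(subzone: str, nameservers) -> list:
    """The NS records the parent zone needs in order to delegate `subzone`."""
    return [(normalize(subzone), "NS", normalize(ns)) for ns in nameservers]


def zone_cut(name: str, parent_zone: str, records) -> str:
    """Apex of the zone that actually holds `name`, as seen from the parent.

    Walk from the apex side downwards; the first ancestor of `name` (or
    `name` itself) below the apex that carries NS records is a zone cut,
    and everything at or under it belongs to that child zone.
    """
    name, apex = normalize(name), normalize(parent_zone)
    if name != apex and not name.endswith("." + apex):
        raise ValueError(f"{name} is not under {apex}")
    ns = ns_sets(records)
    labels = name.split(".")
    depth = len(labels) - len(apex.split("."))   # labels below the apex
    for i in range(depth - 1, -1, -1):           # shallowest candidate first
        candidate = ".".join(labels[i:])
        if candidate in ns:
            return candidate
    return apex


def token_scope(name: str, parent_zone: str, records) -> dict:
    """Which zone a write to `name` needs a token for, and whether that zone
    is a delegated subzone rather than the parent zone itself."""
    zone = zone_cut(name, parent_zone, records)
    return {"name": normalize(name), "zone": zone,
            "delegated": zone != normalize(parent_zone)}


def classify_provider(ns_suffix: str, parent_zone: str, records) -> str:
    """Answer 'is the whole zone at this provider, or just a subzone?' by
    checking whose nameservers the apex and each delegation point at."""
    ns = ns_sets(records)
    apex = normalize(parent_zone)
    suffix = "." + normalize(ns_suffix)

    def served_by(targets) -> bool:
        return bool(targets) and all(t.endswith(suffix) for t in targets)

    if served_by(ns.get(apex, set())):
        return "whole zone"
    delegated = sorted(n for n, t in ns.items() if n != apex and served_by(t))
    if delegated:
        return "subzones only: " + ", ".join(delegated)
    return "not here"


if __name__ == "__main__":
    for n in ["www.your-domain.de", "sub.your-domain.de", "mail.sub.your-domain.de"]:
        print(token_scope(n, PARENT_ZONE, RECORDS))
    print("hoster-dns.example:", classify_provider("hoster-dns.example", PARENT_ZONE, RECORDS))
```

Running it reports that `www.your-domain.de` needs the parent zone's token while anything at or below `sub.your-domain.de` needs the subzone's, and that `hoster-dns.example` serves "subzones only". That is exactly the situation the post calls confusing: the parent-zone token still has to exist somewhere to manage the NS records, so the blast radius of a leaked parent token is unchanged by the delegation; only tokens issued for the subzone are contained.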
-
@BrutalBirdie I had the same issue when I wanted to move all my DNS stuff from Cloudflare to Hetzner (after they stopped charging for it and Cloudron added it as a provider), and they told me the same thing, that they will be working on it (although back then it might have actually been a feature request).
For servers where customers have root access and would be able to read the access token, after the initial setup I switched back to wildcard so there's no API key to be found. Not the nicest solution, but it was a start.
-
Scoping tokens to a specific domain is hard to come by. This is also why we are stuck with route53 (for cloudron.io). demo.cloudron.io is added as a separate zone and we are able to create access keys that are scoped to just that zone. This is required for the safety of cloudron.io itself.
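To make the "access keys scoped to just that zone" point concrete, here is an added example (not from the thread, and not Cloudron's actual policy): a Route 53 IAM policy that limits record writes to one hosted zone, alongside the global read-write token situation from the first post, and a small evaluator that reports which zones each policy can modify. The hosted zone IDs are constructed placeholders; the policy's action set is an assumption about what a DNS client needs, and the evaluator implements only the subset of IAM semantics required here (default deny, explicit Deny overrides Allow, wildcard matching).

```python
# Added example (not from the thread or from Cloudron): a Route 53 IAM policy
# scoped to one hosted zone next to a global one, and a small evaluator that
# shows the blast radius of each. Hosted zone IDs are constructed placeholders;
# the evaluator covers only default deny, Deny-beats-Allow and wildcards.

from fnmatch import fnmatchcase

PARENT_ZONE_ID = "Z0PARENT0000000000"   # hypothetical: the apex zone
SUBZONE_ID = "Z0DEMO00000000000"        # hypothetical: the delegated zone


def hosted_zone_arn(zone_id: str) -> str:
    """Route 53 hosted zone ARN (the service has no region/account in the ARN)."""
    return f"arn:aws:route53:::hostedzone/{zone_id}"


def scoped_policy(zone_id: str) -> dict:
    """Least-privilege policy for a key that may only edit one hosted zone.

    Record reads and writes are bound to that zone's ARN. ListHostedZones has
    no resource-level scoping, so it is granted on "*" (it only reveals zone
    names and IDs, not the ability to change them). The action list is an
    assumption about what a typical DNS client needs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets",
                           "route53:ListResourceRecordSets",
                           "route53:GetHostedZone"],
                "Resource": hosted_zone_arn(zone_id),
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": "*",
            },
        ],
    }


# The "global read-write token" from the first post, expressed as a policy.
GLOBAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: no matching statement means deny, a matching
    Deny wins over any Allow, '*' and '?' wildcards apply to Action/Resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blast_radius(policy: dict, zone_ids) -> list:
    """The hosted zones in which a key carrying `policy` can change records."""
    write = "route53:ChangeResourceRecordSets"
    return [z for z in zone_ids if is_allowed(policy, write, hosted_zone_arn(z))]


if __name__ == "__main__":
    zones = [PARENT_ZONE_ID, SUBZONE_ID]
    print("scoped key can write to:", blast_radius(scoped_policy(SUBZONE_ID), zones))
    print("global key can write to:", blast_radius(GLOBAL_POLICY, zones))
```

With the scoped policy a leaked key on the subzone's server can only rewrite records inside that zone; with the global policy it can rewrite the parent as well, which is the "say goodbye to the entire zone" case from the first post. The same containment is what a per-subzone token at any other provider would have to deliver.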