DNS configuration with subdomains


Hello everyone, I hope you guys can help me. It’s about the configuration of the DNS zones:

I have a domain, e.g. mydomain.com. Now I would like to install different apps like searx, invidious, nitter, peertube on corresponding subdomains: search.mydomain.com, nitter.mydomain.com, invidious.mydomain.com, etc…

The instructions state “For some special requirements … you may need to modify this recommendation or add other records (for example, to handle subdomains).”
Unfortunately, it doesn’t say what changes should be made when subdomains are configured.

I am new to all this and I don't know if the changes I've made are right. What must my DNS zone file look like so that everything works smoothly?

Below is an example of my current configuration as a BIND zone file. Does that look fine, or are there any improvements to make? Should I change anything in it?

$ORIGIN mydomain.com.
$TTL 3600
mydomain.com.	IN	SOA	xx.xxx.xx. hostmaster.myhoster.com. ( 2022010607 10800 3600 604800 3600 )
mydomain.com.	IN	NS	xx.xxx.xx.
mydomain.com.	IN	NS	xx.xxx.xx.
mydomain.com.	IN	NS	x.xxx.xxx.
*.peertube.mydomain.com.	IN	AAAA	some:ip
peertube.mydomain.com.	IN	AAAA	some:ip
*.nitter.mydomain.com.	IN	AAAA	some:ip
nitter.mydomain.com.	IN	AAAA	some:ip
*.invidious.mydomain.com.	IN	AAAA	some:ip
invidious.mydomain.com.	IN	AAAA	some:ip
*.search.mydomain.com.	IN	AAAA	some:ip
search.mydomain.com.	IN	AAAA	some:ip
*.mydomain.com.	IN	AAAA	some:ip
mydomain.com.	IN	AAAA	some:ip
*.peertube.mydomain.com.	IN	A	some:ip
peertube.mydomain.com.	IN	A	some:ip
*.nitter.mydomain.com.	IN	A	some:ip
nitter.mydomain.com.	IN	A	some:ip
*.invidious.mydomain.com.	IN	A	some:ip
invidious.mydomain.com.	IN	A	some:ip
*.search.mydomain.com.	IN	A	some:ip
search.mydomain.com.	IN	A	some:ip
*.mydomain.com.	IN	A	some:ip
mydomain.com.	IN	A	some:ip
peertube.mydomain.com.	IN	MX	10 peertube.mydomain.com.
nitter.mydomain.com.	IN	MX	10 nitter.mydomain.com.
invidious.mydomain.com.	IN	MX	10 invidious.mydomain.com.
search.mydomain.com.	IN	MX	10 search.mydomain.com.
mydomain.com.	IN	MX	10 mydomain.com.
vjud.mydomain.com.	IN	CNAME	mydomain.com.
xmpp-upload.mydomain.com.	IN	CNAME	mydomain.com.
muc.mydomain.com.	IN	CNAME	mydomain.com.
pubsub.mydomain.com.	IN	CNAME	mydomain.com.
_xmpp-client._tcp.mydomain.com.	IN	SRV	0 5 5222 mydomain.com.
_xmpp-server._tcp.mydomain.com.	IN	SRV	0 5 5269 mydomain.com.
peertube.mydomain.com.	IN	CAA	128 issue "letsencrypt.org"
nitter.mydomain.com.	IN	CAA	128 issue "letsencrypt.org"
invidious.mydomain.com.	IN	CAA	128 issue "letsencrypt.org"
search.mydomain.com.	IN	CAA	128 issue "letsencrypt.org"
mydomain.com.	IN	CAA	128 issue "letsencrypt.org"
mail._domainkey.mydomain.com.	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=somehugekey"
mail._domainkey.search.mydomain.com.	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=somehugekey"
mail._domainkey.invidious.mydomain.com.	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=somehugekey"
mail._domainkey.nitter.mydomain.com.	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=somehugekey"
mail._domainkey.peertube.mydomain.com.	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=somehugekey"
_dmarc.peertube.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
peertube.mydomain.com.	IN	TXT	"v=spf1 a mx -all"
_dmarc.nitter.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
nitter.mydomain.com.	IN	TXT	"v=spf1 a mx -all"
_dmarc.invidious.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
invidious.mydomain.com.	IN	TXT	"v=spf1 a mx -all"
_dmarc.search.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
search.mydomain.com.	IN	TXT	"v=spf1 a mx -all"
_dmarc.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
mydomain.com.	IN	TXT	"v=spf1 a mx -all"

Thanks for reading through this and for guiding me into the right direction :grinning:

Which instructions?

The diagnosis should tell you what to configure and whether or not your DNS records are properly configured … what does the diagnosis say?

https://yunohost.org/en/administrate/install/dns

Diagnosis is ok.

I would like to know if I have to add an A entry for every subdomain. Or _dmarc; is it necessary for every subdomain?

It’s only necessary if the corresponding app needs to send or receive emails.


And what about those multiple SPF entries? I think I’ve read somewhere that there should only be one such entry in the whole DNS zone configuration; I can’t remember where I saw this.

Would you leave it as it is?

SPF policy discovery works differently than DMARC policy discovery in this regard: if SPF is unable to find an SPF record on a subdomain, it won’t go up to try the organizational domain; instead, SPF will return none as the check result.

https://www.dmarcly.com/blog/how-spf-works-with-subdomains

Note: in some situations, you could replace all the subdomain SPF and DMARC records with:

_dmarc.mydomain.com.	IN	TXT	"v=DMARC1; p=none"
*.mydomain.com.	IN	TXT	"v=spf1 a mx -all"

But in YunoHost we don’t know if we manage the parent domain… So our suggestion works for more use cases.
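To see the difference between SPF and DMARC discovery described in the reply above, and what the wildcard shortcut in the last reply does and does not cover, here is an added example that is not part of the thread and not YunoHost code. It models an authoritative server over two constructed zones: one written like the original post (explicit SPF/DMARC records per subdomain) and one written like the last reply (a single `*.mydomain.com.` SPF record and an apex `_dmarc` record). Assumptions: the zone contents, IPs and the `parse_zone`, `lookup`, `spf_record`, `dmarc_record` and `org_domain` helpers are all mine; the organizational domain is taken as the last two labels (a real checker would consult the Public Suffix List); wildcard matching follows RFC 4592, under which a wildcard is only synthesized for a name that does not exist at any record type.

```python
# Added example for this thread, not YunoHost code. Assumptions: the zones are
# constructed here; org domain = last two labels (real checkers use the PSL);
# wildcards follow RFC 4592 (synthesized only for names that do not exist).
from typing import Dict, List, Optional, Tuple

Zone = Dict[Tuple[str, str], List[str]]  # (owner, rrtype) -> rdata strings

# Constructed zone in the original poster's style: explicit records per subdomain.
EXPLICIT = """
$ORIGIN mydomain.com.
mydomain.com.           IN A   192.0.2.10
*.mydomain.com.         IN A   192.0.2.10
peertube.mydomain.com.  IN A   192.0.2.10
mydomain.com.           IN TXT "v=spf1 a mx -all"
peertube.mydomain.com.  IN TXT "v=spf1 a mx -all"
_dmarc.mydomain.com.    IN TXT "v=DMARC1; p=none"
_dmarc.peertube         IN TXT "v=DMARC1; p=none"
"""

# Constructed zone in the last reply's style: wildcard SPF plus one apex DMARC record.
WILDCARD = """
$ORIGIN mydomain.com.
mydomain.com.           IN A   192.0.2.10
*.mydomain.com.         IN A   192.0.2.10
peertube.mydomain.com.  IN A   192.0.2.10
mydomain.com.           IN TXT "v=spf1 a mx -all"
*.mydomain.com.         IN TXT "v=spf1 a mx -all"
_dmarc.mydomain.com.    IN TXT "v=DMARC1; p=none"
"""

def parse_zone(text: str) -> Zone:
    """Parse the BIND subset used here: [owner] [ttl] IN <type> <rdata>."""
    zone: Zone = {}
    origin = ""
    for fields in (line.split() for line in text.splitlines()):
        if not fields or fields[0] == "$TTL":
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if not owner.endswith("."):              # relative owner: append $ORIGIN
            owner = f"{owner}.{origin}"
        while rest[0].isdigit() or rest[0] == "IN":  # skip optional TTL and class
            rest = rest[1:]
        rdata = " ".join(rest[1:]).strip('"')
        zone.setdefault((owner, rest[0]), []).append(rdata)
    return zone

def _exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return any(o == name or o.endswith("." + name) for o, _ in zone)

def lookup(zone: Zone, name: str, rrtype: str) -> Tuple[str, List[str]]:
    """Answer like an authoritative server: NOERROR, NODATA (name exists, not this type)
    or NXDOMAIN. Only a non-existent name is answered by the wildcard under its closest encloser."""
    name = name.lower()
    if _exists(zone, name):
        return ("NOERROR", zone[(name, rrtype)]) if (name, rrtype) in zone else ("NODATA", [])
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:]) + "."
        if _exists(zone, encloser):              # closest encloser found
            wc = "*." + encloser
            if not any(o == wc for o, _ in zone):
                return ("NXDOMAIN", [])
            return ("NOERROR", zone[(wc, rrtype)]) if (wc, rrtype) in zone else ("NODATA", [])
    return ("NXDOMAIN", [])

def spf_record(zone: Zone, domain: str) -> Tuple[str, Optional[str]]:
    """RFC 7208: SPF is read only from the domain's own TXT RRset, never a parent's, so a
    missing record is 'none'; the one-record rule is per name, so two v=spf1 here is a permerror."""
    _, txts = lookup(zone, domain, "TXT")
    spf = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) == 1:
        return ("found", spf[0])
    return ("none", None) if not spf else ("permerror", None)

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (real code uses the PSL)."""
    return ".".join(domain.rstrip(".").split(".")[-2:]) + "."

def dmarc_record(zone: Zone, domain: str) -> Tuple[str, Optional[str]]:
    """RFC 7489 6.6.3: read _dmarc.<domain>, else _dmarc.<org domain>; tag says which answered."""
    for scope, name in (("exact", "_dmarc." + domain), ("org", "_dmarc." + org_domain(domain))):
        _, txts = lookup(zone, name, "TXT")
        recs = [t for t in txts if t.lower().startswith("v=dmarc1")]
        if len(recs) == 1:
            return (scope, recs[0])
        if len(recs) > 1:                        # several records: no usable policy
            break
    return ("none", None)

if __name__ == "__main__":
    for label, text in (("explicit", EXPLICIT), ("wildcard", WILDCARD)):
        zone = parse_zone(text)
        for d in ("mydomain.com.", "peertube.mydomain.com.", "nitter.mydomain.com."):
            print(f"{label:8} {d:24} spf={spf_record(zone, d)} dmarc={dmarc_record(zone, d)}")
```

Running it shows the two behaviours side by side. With the explicit zone every configured subdomain gets its own SPF and DMARC answer. With the wildcard zone, `nitter.mydomain.com.` (which has no records of its own) does receive the wildcard SPF, but `peertube.mydomain.com.` gets NODATA and therefore SPF "none": the name already exists because of its A record, so the `*.mydomain.com.` TXT is never synthesized for it. DMARC, by contrast, falls back to `_dmarc.mydomain.com.` for both subdomains, which is exactly the asymmetry the quoted reply describes. The per-name check in `spf_record` also answers the "only one SPF record" question: the rule is one `v=spf1` record per name, not per zone.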