Up-front listing of DNS domain requirements

mcint · March 14, 2024, 9:42pm

I’ve added a number of new apps recently, and many require their own domains. Setting up a domain is essential complexity for an app, so I’m fine with this, quite happy for a pretty minimal cost to get a new piece of functionality set up for myself, my family, my friends, or a community group (or who knows, a company).

However, the process often involves repeated waiting for information from diagnosis to filter into yunohost (requiring a full diagnosis first), before domain DNS configuration can be ignored and rechecked. It would be helpful to report the expected DNS entries for a domain up front, both the defaults that yunohost wants, and what can be inferred or for an app or declared by a maintainer.

It would be useful, I could work on, a format that expresses:

constraints yunohost core offers, or expects fulfilled by default.
constraints the app declares need of
constrains I wish my deployment to satisfy (and which I will actively ignore)
tests of constraints, and status as: satisfied, ignored / disabled, or unsatisfied (and how to rectify)

I argue that a declarative format which lists this essential information, can make management via the web interface, and equally the cli, easier, and can make the install as a whole more declarative, more amenable to automated deployment, or moving, between domains or hosts.

Let’s list expected DNS domain entries up-front, not just on first check.

A, AAAA, CAA, (MX / TXT - DKIM, SPF, DMARC), (XMPP)

The workflow of having to re-open DNS, or wait for domain setup to report missing expected entries, then me wait again for a full diagnosis just so I can ignore what I knew I was going to ignore, is inane, and makes me want to contribute to something better.

mcint · March 14, 2024, 9:58pm

Ok, as linked to from elsewhere,

github.com/YunoHost/issues

Option to add (sub)domain with Let's Encrypt certificate / Simplify the UI flow

opened 04:14PM - 21 Jun 20 UTC

ericgaspar

enhancement

Certificate

Web administration

ux

In the webadmin, when I want to add a new domain with a Let's Encrypt certificat…e, I have to: - add the domain - go to the settings of this domain - click on "SSL certificate" - leave the settings to check the diagnosis (because the button to generate a Let's Encrypt certificate is greyed out and a text asks you to do that) - come back to Domains -> `your domain` -> SSL certificate and install the certificate This is quite a confusing process in my opinion. One solution could be to have a checkbox right at the addition of a domain which would give you the option to install a Let's Encrypt certificate for your domain, rather than an auto-signed certificate. It would be easier for beginners and faster for everyone. If the creation of the certificate fails, YunoHost could display a message stating that the domain has been created, but that the Let's Encrypt certificate could not be installed, and directly propose a DNS config to correct the problem.

Also, support for wildcard DNS use, records on *.sub on domain.tld. Can be set up in advance for domains. at least A, AAAA, CAA, though in my experience, yunohost generates different DKIM keys for each domain it manages, so some mail records need to be unique. SPF and DMARC can be shared, all of which are stored on TXT records of sub-domains, or sub-sub-domains, of the domains they help attest and validate.

Using these wildcard records can, for now, let you avoid having to add new entries, though you’ll need to diagnose and ignore expected records.

mcint · March 14, 2024, 10:02pm

Delegating a sub-domain to yunohost to manage sub-sub-domains, is worth a fair bit of effort.

I’ve set up *.etc.domain.tld so I can install new apps with just a ynh domain setup and app install, and without touching my own DNS, moving or reinstalling the app later.