Comment on Second set of eyes - DNS Nameservers
dihutenosa@piefed.social 2 months ago
I just self-host my own DNS server. Works like a charm. Setting up DNSSEC was a tad fiddly tho.
Long story short:
1. Set up Knot, teach it to serve your zone
2. Test via resolving names in your server (dig can use a specific server)
3. Disable DNSSEC
4. Tell your registrar to "use my own DNS server"
5. Generate the DNSSEC keys, upload only the pubkey to registrar, reenable
possiblylinux127@lemmy.zip 2 months ago
Doesn’t that break DNS64?
dihutenosa@piefed.social 2 months ago
I'm fortunate to get native IPv6, so I'm not very familiar, tho I think I have basic understanding.
Did you mean you need to pick just one of {authoritative DNS server, DNS64} to listen on port 53? No, because the authoritative DNS only needs to be accessible from the outside. Run it on another machine or nonstandard port, then expose via port forwarding. Machines in LAN don't need direct access to the authoritative DNS server, they can just as well resolve via the regular system.
possiblylinux127@lemmy.zip 2 months ago
DNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only
I believe that DNSSEC breaks it since the IP addresses will be different.
dihutenosa@piefed.social 2 months ago
Oh, now I see.
I guess then the DNS64 server needs to do the dnssec verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.
Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.