Geekzone: technology news, blogs, forums


sultanoswing

818 posts

Ultimate Geek
+1 received by user: 160


#250959 3-Jun-2019 01:37

I've just purchased a .nz domain name from 1st Domains, and found out they don't support CAA (Certificate Authorization Authority) DNS records.

They also don't have an API to allow certbot or acme.sh to automagically issue and renew Let's Encrypt wildcard certificates, which is another slight annoyance, as it necessitates manual dns / TXT challenge every 3 months.

So - are there any NZ registrars who support CAA records and Let's Encrypt wildcard automation?

If not, I'm thinking I'll have to transfer my .nz domain name to my other US-based provider who does offer these tools.
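As an added illustration (not from the thread) of what a CAA record actually buys you, and why a registrar that cannot host one leaves issuance open to every CA: the RFC 8659 decision a CA makes before issuing, run over a constructed sample zone (`example.nz` and its records are invented). It also covers the two edge cases that catch people out, `issuewild` overriding `issue` for wildcard names and an unknown property with the critical flag set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # issue, issuewild or iodef
    value: str   # CA domain, optionally followed by ";key=value" parameters; ";" alone = no CA

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not real DNS data): CAA RRsets keyed by owner name.
ZONE = {
    "example.nz": [CAA(0, "issue", "letsencrypt.org"),
                   CAA(0, "iodef", "mailto:security@example.nz")],
    "shop.example.nz": [CAA(0, "issuewild", ";")],       # no wildcards below shop
    "legacy.example.nz": [CAA(128, "future-tag", "x")],  # critical but unknown property
}

def relevant_caa_set(name):
    """RFC 8659 section 3: drop a leading wildcard label, then climb towards the
    root and return the first non-empty CAA RRset (empty list if there is none)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = ZONE.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def may_issue(name, ca):
    """Decide whether CA `ca` may issue a certificate for `name`: (allowed, reason)."""
    rrset = relevant_caa_set(name)
    if not rrset:
        return True, "no CAA records anywhere in the tree: issuance is unrestricted"
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, "unknown critical property: the CA must refuse"
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"   # issuewild takes precedence for wildcard requests
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True, f"no '{tag}' property in the relevant RRset: issuance is unrestricted"
    # Keep only the CA domain before any ";param=value"; an empty value (";") names nobody
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props} - {""}
    if ca.lower() in allowed:
        return True, f"'{tag}' authorizes {ca}"
    return False, f"'{tag}' authorizes only {sorted(allowed) or 'nobody'}"
```

Note that `shop.example.nz` itself ends up unrestricted: its own RRset is non-empty, so the climb stops there, and its only property is ignored for non-wildcard names.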

 

 

 

 


BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2250174 3-Jun-2019 06:55

Had a look at Metaname? As they offer an API.



Benjip
977 posts

Ultimate Geek
+1 received by user: 524

ID Verified

  #2250207 3-Jun-2019 10:00

Could you just use Cloudflare name servers instead?


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2250228 3-Jun-2019 10:20

Use Metaname - they're great. Then just use Cloudflare for your DNS records. Metaname will handle DNSSEC with Cloudflare and there is a Certbot plugin to use Letsencrypt: https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare

Another way you can then do this is use Cloudflare, set your server up to use the Origin certificates provided by Cloudflare and set your SSL settings in Cloudflare to Strict. This means Cloudflare will talk to your server via HTTPS and proxy everything and there is no need to worry about Letsencrypt. You can safely firewall off your server from this point to anything except Cloudflare (assuming you're using a modern debian based Linux):

#!/bin/sh
set -e  # stop on the first failure so a bad download never reaches ufw

# Work in the script's own directory so the saved lists sit beside it
DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR"

# Download to temp files first, then rename, so a failed fetch leaves the
# previous known-good lists untouched
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6

# Allow HTTPS from each published Cloudflare edge range; ufw's default deny
# policy (assumed here) keeps everyone else out
for cfip in $(cat ips-v4); do ufw allow from "$cfip" to any port https; done
for cfip in $(cat ips-v6); do ufw allow from "$cfip" to any port https; done

ufw reload > /dev/null





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
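The script above only ever adds rules, so a range Cloudflare later retires stays allowed on the host. As an added example, not part of the post, here is a Python reconciler that diffs the previously synced list against the freshly downloaded one and emits the ufw commands to apply, plus a helper for the application layer that says whether a peer address lies inside the published ranges (the CIDRs are constructed documentation ranges, not Cloudflare's).

```python
import ipaddress

# Constructed sample lists (documentation ranges, not Cloudflare's live data):
# the list the firewall was last synced from, and the freshly downloaded one.
OLD_LIST = "198.51.100.0/24\n203.0.113.0/24\n2001:db8:1::/48\n"
NEW_LIST = "198.51.100.0/24\n192.0.2.0/24\n2001:db8:1::/48\n2001:db8:2::/48\n"

def parse_ranges(text):
    """One CIDR per line; blank and comment lines are skipped. A malformed line
    raises ValueError rather than quietly turning into an over-broad rule."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.add(ipaddress.ip_network(line, strict=True))
    return nets

def plan_ufw_changes(old_text, new_text, port="https"):
    """ufw commands that move the rule set from old_text to new_text: ranges that
    vanished from the published list are deleted, new ones are added."""
    old, new = parse_ranges(old_text), parse_ranges(new_text)
    order = lambda n: (n.version, n)   # v4 before v6; same-version networks compare fine
    cmds = [f"ufw delete allow from {n} to any port {port}" for n in sorted(old - new, key=order)]
    cmds += [f"ufw allow from {n} to any port {port}" for n in sorted(new - old, key=order)]
    return cmds

def is_published_peer(addr, list_text):
    """True when addr lies inside a published range: the check to make before
    trusting any client-address header the proxy adds to a request."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in parse_ranges(list_text) if n.version == ip.version)
```

Run the planner after the two `mv` steps and feed its output to the shell, keeping a copy of the list you last applied so the next run has something to diff against.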




BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2250254 3-Jun-2019 11:27

But don't forget by using Cloudflare you're supporting the terrorists and revenge p.rn sites across the internet.

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

Their one paragraph AUP and long history of not caring whatsoever about any of the harm they cause speaks volumes about their business.


Tracer
343 posts

Ultimate Geek
+1 received by user: 151


  #2250382 3-Jun-2019 14:43

BarTender:
    While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

sultanoswing

818 posts

Ultimate Geek
+1 received by user: 160


  #2250735 3-Jun-2019 22:06

*Grumble* it turns out my current provider (dynu.com) can't transfer ".org.nz" TLDs, so I've gone the Cloudflare route.

As I type this, I'm just waiting for the transfer to Cloudflare's name servers to kick in. Cloudflare looks to have all the nice tools (APIs, DNS records etc) I could ever want.

 

Thanks for the heads up!


 
 
 
 

BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2250792 4-Jun-2019 08:23

Tracer:
    BarTender:
        While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

    That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

 

Yet somehow every other DDoS provider doesn't have the problem of protecting vile sites including revenge porn or doxing folks. Somehow having an Acceptable Use Policy means they don't tolerate it.

 

And if you are ever the victim of an attack you can be sure you know which provider is protecting the content.

 

Just raising awareness that they are an utterly vile company with no morals to speak of. If you are happy with that then you share Cloudflare's lack of morals.


sultanoswing

818 posts

Ultimate Geek
+1 received by user: 160


  #2250900 4-Jun-2019 09:55

I don't wish to moderate my own thread to keep it OT....

As an update, as I wish to use my own Let's Encrypt certs, I had to disable Cloudflare's built in cert. My site then wouldn't load, but I think that's because it takes several minutes for the changes to propagate as after about ten minutes all was working again.

In my excitement to reissue Let's Encrypt certs, I then ended up exceeding the number of reissues, so now have to wait a week.

Good times, good learning.

Anyway, thanks again for the direction to Cloudflare. I'm quite happy to maintain the DNS registration with 1st Domains on this shared basis.

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2250924 4-Jun-2019 10:37

@sultanoswing If this is just standard HTTPS then use Cloudflare's cert and then load an Origin certificate on your webserver (which is generated from the Cloudflare UI). I find this great as Cloudflare then adds a layer of security on your app and you never have to worry about LetsEncrypt. Just ensure that your SSL setting is set to Strict:

[screenshot: Cloudflare SSL/TLS settings page]

On that same page create an Origin Certificate and load this on your webserver.

Then ensure that you've "Orange Clouded" your app to ensure it works via Cloudflare. There are other options on that page also but really, unless you're using something that requires LetsEncrypt you now have the power to avoid LetsEncrypt and just use a Cloudflare cert.

If you do not select Full (strict) as your SSL option then Cloudflare will attempt to communicate via Port 80 (HTTP). It is something I keep forgetting, then sites time out in the process.







sultanoswing

818 posts

Ultimate Geek
+1 received by user: 160


  #2250945 4-Jun-2019 10:54

Thanks mm - I also use this as a tinkering / learning project, so that's part of the desire to use Let's Encrypt. It's also fun checking out the Cloudflare tools.

 

I do also use Let's Encrypt to sign my intranet https pages (a UniFi controller & pfSense), as I hate the "Not Secure" red icon in my browsers' address bars :)

 

So, I do "need" my own properly signed certificates, and it's hard to beat the price of the LE certs.

 

 

 

 


sultanoswing

818 posts

Ultimate Geek
+1 received by user: 160


  #2254945 9-Jun-2019 19:53

As a final update:

 

After the 5 day grace period, I transferred my domain name to metaname due to their DNSSEC integration with Cloudflare (which worked seamlessly once I'd figured out how/where to input the DS Record credentials into metaname's site).

 

Today, once my Let's Encrypt rate limit ban was over (that'll teach me to forget about the --test parameter!), I've now got everything up and running perfectly and securely with LE certs on my raspberry pi, with an attached HD as the NAS. Good times.









