Geekzone: technology news, blogs, forums


sultanoswing

814 posts

Ultimate Geek


#250959 3-Jun-2019 01:37

I've just purchased a .nz domain name from 1st Domains, and found out they don't support CAA (Certificate Authorization Authority) DNS records.

 

They also don't have an API to allow cert-bot or acme.sh to automagically issue and renew Let's Encrypt wildcard certificates, which is another slight annoyance, as it necessitates manual dns / TXT challenge every 3 months.

 

So - are there any NZ registrars who support CAA records and Let's Encrypt wildcard automation?

 

If not, I'm thinking I'll have to transfer my .nz domain name to my other US-based provider who does offer these tools.
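As an added illustration (not part of the thread or any poster's code) of what a CAA record actually controls, the following Python evaluates constructed CAA data the way a CA checks it under RFC 8659, including the issuewild rule that governs the wildcard certificates asked about above. The zone contents and domain names are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 0x80 is the "issuer critical" flag
    tag: str
    value: str
# Constructed sample zone (presentation format: flags tag "value"); not real DNS data.
SAMPLE_ZONE = {
    "example.nz": ['0 issue "letsencrypt.org; validationmethods=dns-01"',
                   '0 issuewild ";"',
                   '0 iodef "mailto:hostmaster@example.nz"'],
    "open.nz": ['0 iodef "mailto:hostmaster@open.nz"'],
    "locked.nz": ['0 issue ";"'],
    "crit.nz": ['128 futuretag "something"'],
}

def parse_rdata(rdata: str) -> CAARecord:
    flags, tag, value = rdata.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip('"'))

def relevant_caa_set(zone: dict, name: str) -> list:
    """RFC 8659 s.3: a request for *.X uses X; climb to parents until a CAA RRset exists."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return [parse_rdata(r) for r in rrset]
        labels = labels[1:]
    return []  # no CAA anywhere up the tree: any CA may issue

def ca_permitted(zone: dict, name: str, ca_domain: str) -> bool:
    """True if the CA identified by ca_domain may issue for name (wildcards start with '*.')."""
    rrset = relevant_caa_set(zone, name)
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests use issuewild only if at least one issuewild record exists; else issue.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # only iodef or no restricting records present
    for rec in applicable:
        issuer = rec.value.split(";", 1)[0].strip().lower()  # empty issuer (";") matches no CA
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```

With these constructed records Let's Encrypt may issue for www.example.nz but not for *.example.nz, which is exactly the split a registrar without CAA support cannot express.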
BarTender
3606 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2250174 3-Jun-2019 06:55

Had a look at Metaname? As they offer an API.



Benjip
943 posts

Ultimate Geek

ID Verified

  #2250207 3-Jun-2019 10:00

Could you just use Cloudflare name servers instead?


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2250228 3-Jun-2019 10:20

Use Metaname - they're great. Then just use Cloudflare for your DNS records. Metaname will handle DNSSEC with Cloudflare and there is a Certbot plugin to use Letsencrypt: https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare

 

Another way you can then do this is use Cloudflare, set your server up to use the Origin certificates provided by Cloudflare and set your SSL settings in Cloudflare to Strict. This means Cloudflare will talk to your server via HTTPS and proxy everything and there is no need to worry about Letsencrypt. You can safely firewall off your server from this point to anything except Cloudflare (assuming you're using a modern Debian-based Linux):

 

#!/bin/sh
# Allow HTTPS only from Cloudflare's published IP ranges (ufw, Debian-based Linux).
# Assumes ufw's default incoming policy is deny, so these become the only permitted sources.
set -eu

DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR"

# Fetch into temp files first so a failed download never overwrites a good list.
wget https://www.cloudflare.com/ips-v4 -O ips-v4.tmp
wget https://www.cloudflare.com/ips-v6 -O ips-v6.tmp
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6

# One allow rule per range; ufw reports and skips rules that already exist.
# Ranges Cloudflare later retires are not removed by this script.
while read -r cfip; do ufw allow from "$cfip" to any port https; done < ips-v4
while read -r cfip; do ufw allow from "$cfip" to any port https; done < ips-v6

ufw reload > /dev/null





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




BarTender
3606 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2250254 3-Jun-2019 11:27

But don't forget by using Cloudflare you're supporting the terrorists and revenge p.rn sites across the internet.

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

Their one-paragraph AUP and long history of not caring whatsoever about any of the harm they cause speaks volumes about their business.


Tracer
343 posts

Ultimate Geek


  #2250382 3-Jun-2019 14:43

BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

sultanoswing

814 posts

Ultimate Geek


  #2250735 3-Jun-2019 22:06

*Grumble* it turns out my current provider (dynu.com) can't transfer ".org.nz" TLDs, so I've gone the Cloudflare route.

 

As I type this, I'm just waiting for the transfer to Cloudflare's name servers to kick in. Cloudflare looks to have all the nice tools (APIs, DNS records etc.) I could ever want.

 

Thanks for the heads up!


BarTender
3606 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2250792 4-Jun-2019 08:23

Tracer:
BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

 

Yet somehow every other DDoS provider doesn't have the problem of protecting vile sites including revenge porn or doxing folks. Somehow having an Acceptable Use Policy means they don't tolerate it.

 

And if you are ever the victim of an attack you can be sure you know which provider is protecting the content.

 

Just raising awareness that they are an utterly vile company with no morals to speak of. If you are happy with that then you share Cloudflare's lack of morals.


sultanoswing

814 posts

Ultimate Geek


  #2250900 4-Jun-2019 09:55

I don't wish to moderate my own thread to keep it OT....

As an update, as I wish to use my own Let's Encrypt certs, I had to disable Cloudflare's built in cert. My site then wouldn't load, but I think that's because it takes several minutes for the changes to propagate as after about ten minutes all was working again.

In my excitement to reissue Let's Encrypt certs, I then ended up exceeding the number of reissues, so now have to wait a week.

Good times, good learning.

Anyway, thanks again for the direction to Cloudflare. I'm quite happy to maintain the DNS registration with 1st Domains on this shared basis.

michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2250924 4-Jun-2019 10:37

@sultanoswing If this is just standard HTTPS then use Cloudflare's cert and then load an Origin certificate on your webserver (which is generated from the Cloudflare UI). I find this great as Cloudflare then adds a layer of security on your app and you never have to worry about LetsEncrypt. Just ensure that your SSL setting is set to Strict:

 

[screenshot of the Cloudflare SSL setting]

 

On that same page create an Origin Certificate and load this on your webserver.

 

Then ensure that you've "Orange Clouded" your app to ensure it works via Cloudflare. There are other options on that page also but really, unless you're using something that requires LetsEncrypt you now have the power to avoid LetsEncrypt and just use a Cloudflare cert.

 

If you do not select Full (strict) as your SSL option then Cloudflare will attempt to communicate via Port 80 (HTTP). It is something I keep forgetting, and then sites time out in the process.







sultanoswing

814 posts

Ultimate Geek


  #2250945 4-Jun-2019 10:54

Thanks mm - I also use this as a tinkering / learning project, so that's part of the desire to use Let's Encrypt. It's also fun checking out the Cloudflare tools.

 

I do also use Let's Encrypt to sign my intranet https pages (a UniFi controller & pfSense), as I hate the "Not Secure" red icon in my browsers' address bars :)

 

So, I do "need" my own properly signed certificates, and it's hard to beat the price of the LE certs.

sultanoswing

814 posts

Ultimate Geek


  #2254945 9-Jun-2019 19:53

As a final update:

 

After the 5 day grace period, I transferred my domain name to metaname due to their DNSSEC integration with Cloudflare (which worked seamlessly once I'd figured out how/where to input the DS Record credentials into metaname's site).

 

Today, once my Let's Encrypt rate limit ban was over (that'll teach me to forget about the --test parameter!), I've now got everything up and running perfectly and securely with LE certs on my Raspberry Pi, with an attached HD as the NAS. Good times.

