Free & automatic certificate from Let's Encrypt

grynge

Verified User
Joined
Sep 9, 2014
Messages
10
I can't seem to add SSL certificates for subdomains ns1 and ns2 (nameserver subdomains)

I was wondering if there is a way to add subdomains to the "Let's Encrypt Certificate Entries".
In DirectAdmin it has ftp, smtp, www etc., but I would like to add ns1. and ns2 to it.

But then they have different IPs to the existing domain/subdomains.

I tried looking online but couldn't see how to add any new subdomains to it or even if I should add them to it.
Any help would be very appreciated.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,592
Location
Maastricht
ns1 and ns2 are not used as subdomains but as nameserver hostnames, that could be the reason they are not displayed in DA itself.

Edit: Forget the rest I wrote before. There is probably a reason for this. I wouldn't know why you should use ssl for nameservers.
Unless they are real server hostnames, in that case you could use this:
https://help.directadmin.com/item.php?id=629
 

grynge

Thanks Richard for your help and quick response, much appreciated.

I figured everything needed SSL certificates. Looking into it, I guess encrypting the IP to the requester isn't really necessary.
 

Richard G

You're welcome.
If you're an admin, the server hostname could do with a certificate.
For the rest, only domain name and things like ftp, smtp, www, etc. but you can use the wildcard for that.

The nameservers only translate IPs to domain names (v.v.) but do not really set up a connection, that does the webserver or mailserver or ftp etc. etc. so they could need SSL to create a secure connection.
 

ju5t

Verified User
Joined
Sep 14, 2005
Messages
389
Location
Amsterdam
That's not true. DNS sets up a connection too and it is not unreasonable to protect this with SSL. DNS is one of the weakest protocols of the internet.

DNS over HTTPS is an experimental feature in some browsers. However, it's not yet aimed at the 'local' DNS server you and we are hosting through DirectAdmin and sorts. It's focussing on resolvers, the servers most likely offered by your provider to you as its public DNS servers.
 

Richard G

I didn't say it did not set up a connection, I said it did not really set up a connection (so like the mentioned servers do).

How is DNS setting up a real connection then? It only points to domain names where the connection is made by the daemons running there as far as I know.
The connection (imho) is that the user connects to the nameserver to ask for a translation, which the resolver DNS provides. It's kind of like a connection, but not like with mail or ftp imho.

I heard about DNS over HTTPS for increased security, but that's to protect the DNS so hackers can't look which domain is looked up and reroute traffic (man-in-the-middle attack). Which is indeed not unreasonable but still not widely available and still experimental, so it does not count at this moment.

DNS still does not make any connection itself. However it's part of the route the user takes and it's indeed one of the weakest protocols which would need improvement.

So it's true what I said at this moment. In the future it will hopefully be better. Correct?
 

Remitur

Verified User
Joined
May 11, 2018
Messages
49
AFAIK: DNS service by means of SSL is simply impossible.
The "secure" DNS service is DNSSEC (which is far more than SSL)
 

Remitur

@Richard G DNS over HTTPS is for resolvers (recursive DNS).
But the DNS servers you manage by means of DA are authoritative, not resolvers (even if they could be configured in order to be also recursive, but it's useless and a mess ...)
 

Richard G

Yep I understood that already. See my last line I wrote. But recursive is also DNS.

I'm also using DNSSEC. I only pointed out that this was probably what TS meant. Not on what DA is using.
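An added illustration for the thread as a whole (not code from any poster or from DirectAdmin): a plain DNS message is unencrypted, so the looked-up name and the header flags (AA for an authoritative answer, RA for a server offering recursion, AD for DNSSEC-validated data) are readable by anyone on the path. The packets are constructed samples and `ns1.example.com` is a placeholder name.

```python
import struct

# Header flag bits from RFC 1035 / RFC 4035.
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, txid=0x1234, rd=True):
    """Encode a standard DNS query for an A record in wire format."""
    flags = RD if rd else 0  # RD asks the server to recurse on our behalf
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def observe(packet):
    """Decode what any on-path observer can read from a plain DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12
    while qdcount:  # walk the length-prefixed labels of the first question
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("invalid label in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return {
        "qname": ".".join(labels),
        "is_response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "dnssec_validated": bool(flags & AD),
    }

# Constructed sample: the query a client sends over UDP/TCP port 53.
SAMPLE_QUERY = build_query("ns1.example.com")
# Constructed sample: the header an authoritative-only server would send
# back (QR and AA set, RA clear because it does not recurse).
SAMPLE_AUTH_REPLY = SAMPLE_QUERY[:2] + struct.pack("!H", QR | AA | RD) + SAMPLE_QUERY[4:]

if __name__ == "__main__":
    print(observe(SAMPLE_QUERY))
    print(observe(SAMPLE_AUTH_REPLY))
```

DNSSEC signs the answer data but leaves these bytes just as readable; DNS over HTTPS is what hides them, and only on the client-to-resolver leg.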
 