nsupdate-info / nsupdate.info

Dynamic DNS service
https://nsupdateinfo.readthedocs.org/

support additional record types #105

Open jluebbe opened 10 years ago

jluebbe commented 10 years ago

It would be nice to allow manual configuration of additional records for each host. Examples would be MX, multiple SRV records, TLSA (for DANE).

ThomasWaldmann commented 10 years ago

well, it would be possible to add such features, but I'd rather not add features without having a good use case.

so, could you please open separate issues and add a use case / why it makes sense to have this for dynamic dns?

let's just talk about MX in this issue:

while it might be nice for privacy reasons to receive mail directly on your own home / company dynamic ip mailserver, one would also need to send emails somehow - but many mailservers would reject email from a dynamic ip mailserver (that often has no or no matching reverse dns either).

so, you would need an account at some external real mailservice anyway for sending (using it as smarthost) and all your outgoing mail would go via that mailservice - so why would you not just do incoming mail via that service also? what's the point then?

jluebbe commented 10 years ago

You're right, MX isn't that useful. On the other hand SRV records are very useful in the DynDNS case, as you often have to use port forwards to make services available from the outside.

Our hackerspace's instance of nsupdate.info is run with the goal of encouraging running your own services instead of relying on external ones. One of the first barriers for this is having a stable domain name, which nsupdate.info solves nicely.

When you want to run i.e. a SIP or Jabber server behind a NAT, you can use SRV-records on the host name to tell the client (and other servers) which port should be used for each service. You can also run multiple instances on the same IP by running each on a different port and having SRV records on multiple host names.

In the context of DNSSEC, further records become interesting. One of them is TLSA (which is used for DANE (DNS-based Authentication of Named Entities)). With DANE, you can use DNS as an additional or the only trust anchor for SSL/TLS. This allows you to reduce the dependency on the SSL CAs, where normally any (forged) cert by one of the thousands of CAs is regarded as valid as your own by the client.

Also especially useful for the DynDNS case are SSHFP records, which are already supported by OpenSSH. You use them to publish the server's host key via DNSSEC. Now the clients can use DNS to verify the host key of the server, without relying only on the user.

ThomasWaldmann commented 10 years ago

Interesting stuff, will have a look!

cclements commented 9 years ago

hi, we would very much like to be able to use SRV records specifically for LDAP authentication.

ghost commented 9 years ago

+1 To more record types. Would it be possible to be able to add tags where the user could specify custom types? By "custom types" I mean that you could just present a 3 or 4 text input form to the user for the record type, record, host and/or domain which would allow the user to specify TXT records or SRV records or whatever DNS record they want. I think if you went that way with a flexible input form like this: http://bootsnipp.com/snippets/featured/dynamic-form-fields-add-amp-remove then nsupdate.info would be THE go-to DNS management tool for me and my shop and likely anyone that finds out about it.

pejakm commented 9 years ago

+1 Also, TXT records are mandatory for stuff like SPF, various web services, domain key support...

silopolis commented 9 years ago

+1

luckymedog commented 7 years ago

I've just set up an xmpp/jabber server, and I need (I believe) the SRV record type to be able to use with my dynamic dns.

ThomasWaldmann commented 7 years ago

Yes, some addtl. record types are definitely useful. Now it just needs someone who writes the Python and HTML for it.

helloray commented 5 years ago

+1 for TXT records.

strarsis commented 4 years ago

@ThomasWaldmann: An API for managing records, notably TXT records, would make Let's Encrypt DNS Validation possible, like using acme.sh. Then the hostname can use TLS/SSL encryption; with DNS Aliasing (acme.sh supports that), it would even be possible to add a CNAME to an existing domain.

ThomasWaldmann commented 4 years ago

Yes.

Note that you can also do ACME via http, without needing addtl. dns records.

strarsis commented 4 years ago

@ThomasWaldmann: Correct, but especially for IPv4 internet connections, often non-standard ports are used for HTTP. Also, automated cert renewal can't work out of the box when the NAT forwards to an IP camera on the HTTP/HTTPS port, because the cert-related scripts usually run on another system, e.g. a Raspberry Pi.

zroug commented 4 years ago

One thing that does not work with http validation but does work with dns validation is wildcard certificates. It's not very important to me but I just wanted to note that.

misery commented 4 years ago

I would really like to see TXT support for acme usage. :-) Any progress here?

ThomasWaldmann commented 4 years ago

No progress. But I see the use case for LE certs, so feel free to do a PR, if you like.

When implementing that, it would be nice to have it somehow "extensible" for other record types, so please not a TXT-only hack.

ioogithub commented 1 year ago

It has been 9 years since this original request was made. I am using nsupdate; however, I do not have a way to update my LE cert. I do not have access to port 80 or 443, so adding a TXT record is my only option. When users with similar constraints mention this in the LE forums, the developers recommend changing to one of the many dynDNS services that support adding TXT records.

I really like nsupdate.info but HTTPS is essential in 2022. Is there any chance this will ever happen?