One of the keys is being kept private and the other is public. When a secure communication is initiated we must ensure that we are talking to the right entity identified by public key. This part is handled by the PKI (public key infrastructure).

A trusted third-party attests that the presented public key by the server belongs to a certain entity. These trusted third-parties are called certificate authorities (CA). Currently there are many trusted CA and you can inspect them in your OS if you are curious.

In recent years Let's Encrypt, a nonprofit organization which offers certificates for free, gained more and more popularity.

Using Certbot created by EFF you can request a Let's Encrypt certificate.

Install certbot

We'll use a machine with Ubuntu 24.04 with snapd, for other operating systems please check certbot install instructions.

sudo apt update
sudo apt install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok

Install certbot-dns-luadns plugin

There are few providers which are shipped by default, unfortunately the LuaDNS plugin is not yet there so you must install the certbot-dns-luadns plugin.

sudo snap install certbot-dns-luadns

Get your API key

Create a new API key accessing API keys page. You can restrict it to your domain if you are sure that it will not be used with other domains.

Create the INI file

The INI file will be used to store your API authentication credentials (email and API key).

root@certbot:~# cat ~/.luadns.ini
dns_luadns_email = user@example.com
dns_luadns_token = 9ea8a5f5eba25560f09e9dea13379e64

Credentials are required by certbot to add a TXT record to your DNS zone to prove that you own the domain.

This file should be readable only by root user:

sudo chmod 0600 /root/.luadns.ini
sudo chown root.root /root/.luadns.ini 

Issuing the certificate

We'll issue a wildcard certificate for mycompany.com, we assume that this domain is correctly delegated and configured on LuaDNS.

The certbot will make some DNS modifications via API according to Let's Encrypt instructions which should be visible on the internet before the certificate is issued. Usually this is a _acme-challenge.mycompany.com TXT record containing a long text.

root@certbot:~# certbot certonly --dns-luadns --dns-luadns-credentials ~/.luadns.ini -d '*.mycompany.com'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.mycompany.com
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mycompany.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mycompany.com/privkey.pem
This certificate expires on 2024-12-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can pass also the --dry-run parameter to certbot command to simulate the certificate issue without issuing, this is useful to debug problems.

Common problems

When you get the following message:

Unable to determine zone identifier for mycompany.com using zone names: ['mycompany.com', 'com'].

This means that certbot could not get access to your zone with the API key you have provided.

Check that zone exists, the API key is valid and has access to this zone.

Refrences:

• https://certbot.eff.org/instructions
• https://certbot-dns-luadns.readthedocs.io/en/stable/

The Problem

Currently the browser sends a HTTP request to the server, the server redirects to HTTPS and then the browser reissues the request over HTTPS where it receives ALPN (Application-Layer Protocol Negotiation) during the HTTPS handshake.

Example

1. Browser issues the request and server responds with redirect:

     >> GET http://www.example.com/ HTTP/1.1
     >> [...]
   
     << 301 Moved Permanently
     << [...]
     << Location: https://www.example.com/
   

2. Browser follows the redirect and reissues the request after creating a new connection over HTTPS:

     >> GET https://www.example.com/ HTTP/1.1
     >> [...]
   
     << HTTP/2 200
     << [...]
   

This introduces a latency because of multiple round trips which impacts the Time to First Byte (TTFB).

The HTTPS Record

The RFC 9460 allows specification of connection details into DNS to reduce the steps required to establish the connection and to add failover details. It incorporates the Alt-Svc HTTP header and ALPN TLS extension directly into DNS.

Format:

https(name, target, svc_prio, svc_params, ttl)

A HTTPS record can be configured in two modes Alias Mode (SvcPrio = 0) or Service Mode (SvcPrio != 0).

Alias Mode

In alias mode, svc_prio is zero and svc_params list is empty.

The HTTPS record removes the limitation of CNAME with apex domains when used in alias mode. This was designed as a replacement for ALIAS/ANAME record type workaround.

It instructs the browsers to connect directly to the CDN service specified by target.

-- Create an alias for the apex domain because we can't add a CNAME on the root domain.
-- The CNAME should be alone but we have at least a SOA record and NS records already.
https("", "d8e8fca2dc0f896fd7cb4cb0031ba249.cloudfront.net")

Service Mode

In the service mode the svc_prio is greater than zero and a optional list of key=value (svc_params) are specified.

Examples:

1. Failover

   A configuration with two services for www name. We instruct browsers to try alternative services in a specific order (svc1, svc2) in the case of failures.

   -- Lower svc_prio numbers have higher priority
   https("www", "svc1.example.net", 10)
   https("www", "svc2.example.net", 20)
   

2. Load Balancing

   A load balancing configuration with two services (svc1 and svc2) for www, we use the same svc_prio value to distribute the load.

   https("www", "svc1.example.net", 10)
   https("www", "svc2.example.net", 10)
   

3. Encrypted ClientHello (ECH)

   Distribute public key, it's recommended to enable DNSSEC for better security.

   https("app", "svc3.example.net", 1, {alpn="http/1.1,h2", ech="base64_public_key"})
   

Support

Currently all major browsers support HTTPS record.

• Chrome 117+
• Firefox 118+
• Safari (since September, 2020)

We moved now to a more general solution based on SSH keys authentication, this allows you to use other hosts or self-hosted (Gitea/Gogs, etc) repositories.

If you are using git integration already, please migrate to SSH key authentication. You'll find your public key in the settings your public key which you can use to grant access to your git repository.

Two-Factor Authentication (2FA)

It's been more than a year since we introduced two-factor authentication, although this feature is optional we recommend to enable it on your account for an extra layer of security.

Anycast Network Updates

To improve response time and a better name servers distribution we launched 3 new POPs:

• Seattle, USA
• Singapore
• Sydney, Australia

Currently we run 22 POPs located in USA, Europe, Africa, Asia & Australia.

We are still testing new locations and we plan to introduce soon new POPs in India, Brazil and South Africa.

Why Anycast DNS?

In Anycast a collection of servers share the same IP address and users are routed via BGP (Border gateway protocol) the closest data center. This leads to better response time and resilience against failures because the same set of name servers are distributed over multiple data centers.

Currently we are operating Anycast network via our custom AS number and our own prefixes:

• ASN: 41954
• IPv4: 185.142.218.0/24
• IPv6: 2001:67c:25a0::/48
• 22 POPs: USA, Europe, Africa, Asia & Australia

As you can see from the graph, the response time improved after migration to Anycast DNS.

Migration

Current set of Unicast DNS servers will be ceased on February 1, 2018. If you use LuaDNS name servers (ns1-4.luadns.net) you are using the new Anycast servers already you don't have to do anything.

Users using LuaDNS servers via custom domain (vanity name servers) will have to update the IP addresses of name servers to point them the new IP address (zone & registrar):

• ns1.luadns.net (185.142.218.1, 2001:67c:25a0::1)
• ns2.luadns.net (185.142.218.2, 2001:67c:25a0::2)
• ns3.luadns.net (185.142.218.3, 2001:67c:25a0::3)
• ns4.luadns.net (185.142.218.4, 2001:67c:25a0::4)

The IP address for AXFR transfers is axfr.luadns.net (108.61.179.251).

What is CAA?

CAA (Certificate Authority Authorization) is a new DNS record (along with the classical A, AAAA, CNAME, TXT, MX, SPF etc) defined in RFC 6844 since January 2013.

Why We Need CAA?

A Certificate Authority (CA) is a entity that issues digital certificates for domains. It acts as a trusted third-party between owner of the certificate and the party relying on the certificate.

Two years ago, Google security engineers, discovered that a Chinese certificate authority issued unauthorized certificates for several Google domains and could have issued digital certificates for virtually any domain. This serious security issue can be avoided by using CAA records.

Why Now?

All certificate authorities & browsers will have to implement CAA checking starting September 2017, after a vote during CA/Browser forum, held in March 2017.

CAA records are not mandatory for users, but CAA records are encouraged for increased security of internet domains. Not using CAA records means that any certificate authority can issue a certificate for your domain and there are many, just check your trusted certificates from your OS and/or browser.

Usage

To whitelist the certificate authorities which can emit digital certificates for your domain use caa function.

Syntax:

-- @name    = relative name
-- @value   = value
-- @tag     = tag (issue, issuewild, iodef, default: issue)
-- @flag    = flag (default: 0)
-- @ttl     = TTL (default: user default TTL)
caa(name, value, tag, flag, ttl)

For example, if you use letsencrypt.org for issuing a certificate for your domain, the syntax for your CAA record would be:

-- example.com.lua
caa("", "letsencrypt.org", "issue")

This means only letsencrypt.org can issue certificates for your domain. If you use multiple certificate authorities then you'll need to add a CAA record for each authority. To include subdomains set tag to issuewild instead of issue, it covers only first level of subdomains.

The iodef tag allows you to define an URL where you can be notified when a certificate authority receives a certificate request for a domain, but the CAA record denies it.

-- example.com.lua
caa("", "letsencrypt.org", "issue")
caa("", "mailto:me@example.com", "iodef")

Problem

Sometimes you need to redirect a domain/subdomain to another URL, to achieve this you need a web server which will do the redirects and then you need to point the domains to this server from the DNS.

Solution

Now you can use LuaDNS to achieve this in a single step without the overhead of maintaining an external web server. We've implemented a redirection service integrated with your LuaDNS account. To add a HTTP redirect for a domain/subdomain all you need is to add a simple REDIRECT record to your configuration.

How it works

When you add a REDIRECT record the LuaDNS will configure the redirection service and will point the redirected domains/subdomains to it. There are three modes of redirection:

• Relative redirect - the server issues a 301 redirect, the request path and query string are appended to destination URL
• Exact redirect - the path and query string is discarded and visitors are redirected to destination URL with 301 status code
• Frame masking - the destination is loaded in a HTML frame

Syntax:

-- @name   = relative name or '*'
-- @target = target url
-- @mode   = redirect mode (0=relative, 1=exact, 2=frame, default: 0)
-- @ttl    = cache TTL (default: user default TTL)
redirect(name, target, mode, ttl)

Example:

-- File: example.com.lua
-- _a variable is set by the system to zone name
-- _a = "example.com"

-- # Relative redirect
-- redirect apex/naked domain to www
-- Example: example.com/foo?q=param -> www.example.com/foo?q=param
redirect(_a, "http://www." .. _a .. "/")

-- # Exact redirect
-- redirect http://mail.example.com/* to http://mail.provider.com/
-- Example: http://mail.example.com/foo?q=param -> http://mail.provider.com/
redirect("webmail", "http://mail.provider.com/", 1)

-- # Frame redirect
-- redirect http://mail.example.com/ to http://www.provider.com/ using a HTML frame
redirect("mail", "http://mail.provider.com/")

Other Changes

• Improved web interface

The problem

Many PaaS/service providers (Ex: Heroku, AppFog, dotCloud, GitHub Pages, etc) are requiring a CNAME record to work properly with custom domains. The DNS standards impose a restriction regarding CNAME records, when using a CNAME no other data should exists for that name. A CNAME at root is not a valid configuration because a minimum zone definition includes at least one SOA record and one NS record.

Solution

To avoid this CNAME restriction with root domains the ALIAS pseudo record should be used.

How it Works

The build system flattens the CNAME record resolving the CNAME and returning directly the IP4 & IPv6 addresses instead of CNAME.

Alias Syntax:

alias(name, target, ttl)

When you are creating an ALIAS record, the target is automatically resolved and A & AAAA are injected for the name. The target is polled periodically and A && AAAA records are updated when changes occurs. Polling frequency is using the ttl parameter.

The DNS provider for target may use multiple IP addresses in a Round Robin DNS configuration. While resolving target multiple DNS queries are issued in order to capture multiple unique IP addresses (up to 4 x IPv4 and 4 x IPv6).

Usage

Example usage of ALIAS record:

-- templates/heroku.lua
function heroku_app(root, app)
  -- Use alias for root domain
  -- Syntax: alias(name, target, ttl)
  alias(root, app, 300)

  -- Use a CNAME for www
  -- Syntax: cname(name, target, ttl)
  cname(concat("www", root), app)
end

-- example.com.lua
heroku_app(_a, "myapp.herokuapp.com")

Yes, we are alive! :)

I think we need offer you some explanations, in 2012 I've became a father and this is the greatest experience of my life. While everything was running smoothly it kept me busy for a while.

We have great news, we deployed a new release with the following changes:

Platform

The new platform is based on Go and AngularJS which allows us to process your configuration files and deploy them to name servers much faster using a tiny fraction of the previous resources:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND      
10805 lua-srv   20   0  606m  18m  360 S  0.0  3.7  10:31.18 server       
10834 lua-sbx   20   0  339m  11m    4 S  0.0  2.4   0:03.55 sandbox      
10433 lua-wrk   20   0  396m  10m  468 S  0.0  2.1   0:00.10 worker       

Web Interface

We are introducing an experimental web interface which allows you to edit records directly from browser. Although we still believe that git is the proper way of manage configuration files, some people find git requirement as a big barrier. The git workflow is now optional now.

Templates Directory

Previously the templates were stored in one file (templates.lua) which is inconvenient if you have multiple templates. With this release templates can be group and stored in separate .lua files in templates directory located in root of your git repository (Thank you Graham!).

Removed Features

Due to low usage Amazon Route 53 integration was removed, high availability still can be achieved adding more slaves.

To use our service together with Route 53, you need to grant permission to LuaDNS on your Route 53 account and to add your AWS credentials (Access Key and Secret Access Key) to your LuaDNS account.

After account setup, specify which domains should be exported to Route 53, add a file named domains.route53 to root of your git repository with one domain per line or * to export all domains.

To migrate your Bind zone files to Amazon Route 53 platform, add configuration files to your git repository using .bind extension and push modifications with git. LuaDNS will parse your configuration files and emit corresponding API calls to AWS Route 53. We'll automatically maintain SOA record and update domain's NS records with name servers returned by Route 53.

• Easy to try
• No API calls
• No need to convert
• No lock-in
• Free magic :)

UPDATE: Due low usage, the integration with Route 53 was removed.

References:

• How to Launch a 65Gbps DDoS, and How to Stop One (cloudflare.com)
• Fog Creek products DNS issue post-mortem (fogcreek.com)
• DNS Outage Report (appfog.com)
• Zerigo DNS services down for 6+ hours due to massive DDoS (ycombinator.com)

How does it work?

Bind zone files can be easily deployed to our name servers with Git in the same way as Lua zone files.

Users have the option to store their configurations in standard Bind format or to use more powerful Lua format. Bind zone files can be mixed with Lua zone files in the same Git repository (Lua files have higher priority).

To get started, follow previous post to setup your Git repository. Add your Bind files to repository using .bind extension (Example: mydomain.com.bind) and push your modifications with git push origin master.

After git push command, shortly you'll receive an email with the status of the deployment.

Check the documentation page for updates and example repository.

Supported directives

• $TTL
• $ORIGIN

Supported records

• A
• AAAA
• CNAME
• MX
• NS
• PTR
• SOA
• SPF
• SRV
• TXT

Example Bind zone:

; File: example.org.bind
; Zone: example.org

; Default origin is computed from the file name,
; you may change the origin with $ORIGIN directive
; Example:
; $ORIGIN example.org.

; Default TTL is account's [default TTL](https://app.luadns.com/settings),
; you may change the default TTL with $TTL directive
; Example:
; $TTL 3600             ; 1 hour

; The system will generate and maintain domain's SOA record automatically,
; SOA records found in *.bind files are simply ignored
example.org.        IN  SOA   ns1.bind.net.   hostmaster.bind.net.  (
                              2012050901  ; serial
                              20m         ; refresh (20 minutes)
                              2m          ; retry (2 minutes)
                              1w          ; expire (1 week)
                              1h          ; minimum (1 hour)
                              )

; Domain NS records are replaced with system name servers
                        NS      ns1.bind.net.
                        NS      ns2.bind.net.
                        NS      ns3.bind.net.
                        NS      ns4.bind.net.

; The rest of records
@                       A       1.1.1.1
@                       MX      5 aspmx.l.google.com.

www                     CNAME   example.org.
mail                    CNAME   ghs.google.com.

; SPF record, see http://www.openspf.org/
@                       TXT     "v=spf1 a mx include:_spf.google.com ~all"

; SIP service available at the host sip.example.com
_sip._udp               SRV     0 0 5060 sip.example.com.

What's wrong with traditional aproach?

In our opinion, DNS configurations are best expressed with simple text files. The problem is that Bind syntax is too noisy and managing tens or hundreds of domains through a web interface is not a pleasant task.

LuaDNS platform

LuaDNS borrowed convention over configuration philosophy from Rails. To accompish it's task LuaDNS is following a few conventions, once you'll understand them you'll love them. :)

It exploits defaults to the maximum to make configurations simple and clear. Why same thing should be expressed over and over? If we are comfortable with defaults, why we should pollute our configurations? Domain aliases should be expressed easily.

• Why source control ?
  When working in teams, ability to track changes (who, when, what) and changes reverting are very important.
• Why scripting ?
  Repetitive tasks can be scripted into functions to fight complexity. Lua is a mature scripting language, designed decade ago and used in many large projects.

LuaDNS supports most common Resource Records (RR):

A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT

Initial configuration

To use LuaDNS platform you'll need a LuaDNS account and a GitHub repository. Follow this easy steps:

1. Create a new git repository on GitHub:
   • Project Name: dns
2. Create a local repository and connect it to freshly created GitHub repository (replace USER with your GitHub username):

   mkdir dns
   cd dns
   git init
   echo 'DNS settings, more on: https://www.luadns.com/' > README.md
   git add README.md
   git commit -m 'first commit'
   git remote add origin git@github.com:USER/dns.git
   git push -u origin master
   

3. Edit your LuaDNS account and set your source repository (replace USER with your GitHub username).

   git@github.com:USER/dns.git
   

4. Configure your GitHub repository to notify LuaDNS when you push changes to it, add a Post-Receive Hook
   (Admin -> Service Hooks -> Post-Receive URL):
   https://api.luadns.com/notifications/YOUR_API_KEY/push
   (You'll find your API_KEY in the API Keys page)

After initial configuration, you are ready to proceed to next step, zone configuration.

Example domain

We'll show you an example using domain example.com, but you should replace example.com with your domain name.

Change to your git repository created in previous section and add an "example.com" zone to repository to it:

touch example.com.lua templates.lua
git add example.com.lua templates.lua

Edit example.com.lua and paste the following content:

-- File: example.com.lua
-- Zone: example.com
-- _a variable is replaced with zone name "example.com"

-- ## GitHub pages example
-- More info in "Custom Domains" section here: https://help.github.com/pages/
a(_a, "204.232.175.78")
cname("www", "charlie.github.com")

-- ## Google Apps example
-- We'll host our mail on Google Apps, because we have multiple domains using
-- Google Apps, we'll save snippet as a template (Lua function).
-- All templates should go to templates.lua file.
google_app(_a)

Save the following Lua code to templates.lua:

-- File: templates.lua
-- This file is executed before each .lua file
-- shared code/templates should reside here.

function google_app(domain)
  -- mail exchangers
  mx(domain, "aspmx.l.google.com", 5)
  mx(domain, "alt1.aspmx.l.google.com", 10)
  mx(domain, "alt2.aspmx.l.google.com", 10)
  mx(domain, "aspmx2.googlemail.com", 20)
  mx(domain, "aspmx3.googlemail.com", 20)
  -- mail.domain.com alias
  cname(concat("mail", domain), "ghs.google.com")
  -- SPF record
  spf(domain, "v=spf1 a mx include:_spf.google.com ~all")
end

Deploying

Now you are ready to to push your DNS configurations to LuaDNS servers through GitHub.

git commit -m "add example.com domain" .
git push origin master

After git push command, you'll receive an email from LuaDNS.com with the status of your changes. If everything is OK (domains and records are validated on each push), your domains and records will be deployed to name servers, if errors are found you'll receive details about the problems so you can fix them and try again.

Changing name servers at your registrar

After successful deployment, you are ready to switch to LuaDNS name servers (more about name servers here):

• ns1.luadns.net
• ns2.luadns.net
• ns3.luadns.net
• ns4.luadns.net

Open Source

LuaDNS service was built using many open source technologies. To support open source movement we are offering a special package to open source projects, more info here.

Update:

1. "Too noisy" when dealing with multiple domains sharing the same records/similar set of records (a common case).

References:

1. Documentation - https://www.luadns.com/help.html
2. Example repository - https://github.com/luadns/dns
3. GitHub - https://github.com
4. Bitbucket - https://bitbucket.org

A new slave function was added to our API which allows simple addition of slave name servers to each zone.

Syntax:

-- @name  = slave name (domain name or fqdn)
-- @ip    = slave ip address (IPv4 address used to configure ACLs and for NOTIFY messages)
-- @ttl   = TTL (seconds)
slave(name, ip, ttl)

Usage:

• For slaves residing in your your zone use: slave("ns1", "1.1.1.1"), A and NS records will be created automatically.
• For slaves from third-party services use: slave("ns1.third-party-ns.com", "2.2.2.1"), NS records will be created automatically.

To add multiple slaves invoke slave function multiple times.

Example:

-- File: example.com.lua
-- Zone: example.com

-- [...]

-- Add two slave servers (ns1.example.com, ns2.example.com)
-- required A and NS records are created automatically
slave("ns1", "1.1.1.1")
slave("ns2", "1.1.1.2")

-- Add two external slave servers
-- required NS records are created automatically
slave("ns1.third-party-ns.com", "2.2.2.1")
slave("ns1.third-party-ns.com", "2.2.2.2")

-- Please, configure your ACLs on slave servers
-- to use axfr.luadns.net or IP 108.61.179.251.

• AAAA
• PTR
• SPF
• SRV

Example usage:

-- file: example.com.lua

-- AAAA records
aaaa("ns1", "2001:4860:4860::8888")
aaaa("ns2", "2001:4860:4860::8844")

-- SPF records
spf(_a, "v=spf1 a mx ~all")

-- SRV records
srv("_sip._tcp", "sipserver.example.com", 5060)

-- file: 1.168.192.in-addr.arpa.lua
ptr("1", "server.example.com")

Check the manual to see the full list of supported record types and its syntax.

After months of coding fun, tens of coffee cups, we have finally launched LuaDNS! Managing DNS zones it's not boring anymore.

LuaDNS is a managed DNS service which is built differently than traditional services. When dealing with many domains and records it's very hard to read/edit Bind syntax files or to manage them through a web interface. With the power of Git and the Lua language managing tens and hundreds of domains it's easy and fun.

We are offering a free plan with 3 domains, just sign up for a free account and push your DNS zones with Git.

Name servers:

• ns1.luadns.net (Germany)
• ns2.luadns.net (Netherlands)
• ns3.luadns.net (CA, USA)
• ns4.luadns.net (NY, USA)

more about servers