Setup DNS server (and resolver) #44

Closed
link2xt opened this issue Oct 18, 2023 · 4 comments · Fixed by #48
Comments

@link2xt
Contributor

link2xt commented Oct 18, 2023

Several options are:

Hetzner FAQ has an entry: https://docs.hetzner.com/dns-console/dns/general/faq/#which-software-can-i-use-to-operate-my-own-dns-server

A DNS server will allow us to serve our own DNS records for SPF, MX, DKIM etc. instead of configuring them on the hoster.
Using a local nameserver is recommended by the Postfix documentation, as Postfix has to resolve email server hostnames, MX records, PTR records etc.

@link2xt
Contributor Author

link2xt commented Oct 18, 2023

Creating a zone "c2.testrun.org" on Hetzner did not work.
There is an FAQ entry saying subzones are not supported: https://docs.hetzner.com/dns-console/dns/general/faq/#domain-subdomaintld-can-not-be-created-unknown-tld

This is not what I need, actually.
I created an NS record for c2 in the testrun.org zone on Hetzner and pointed it to 135.181.204.127, the IP address of c2.testrun.org. I also removed all other entries for c2, namely A, AAAA (previously pointing to 2a01:4f9:c012:52f4::1) and MX.

@link2xt
Contributor Author

link2xt commented Oct 18, 2023

So currently our DNS servers for the testrun.org zone at Hetzner are robotns2.second-ns.de., robotns3.second-ns.com. and ns1.first-ns.de.. I currently have these records for c2 in the testrun.org zone:

Here is the result if I query robotns2.second-ns.de:

# dig c2.testrun.org. @robotns2.second-ns.de any +nocmd +nostat +nocomments
;c2.testrun.org.                        IN      ANY
c2.testrun.org.         86400   IN      NS      nsc2.testrun.org.
nsc2.testrun.org.       86400   IN      AAAA    2a01:4f9:c012:52f4::1
nsc2.testrun.org.       86400   IN      A       135.181.204.127

Here is the result if I query nsc2.testrun.org directly (an NSD server running at c2.testrun.org):

$ dig c2.testrun.org @nsc2.testrun.org. +nocmd +nostat +nocomments
;c2.testrun.org.                        IN      A
c2.testrun.org.         60      IN      A       135.181.204.127
c2.testrun.org.         60      IN      NS      nsc2.testrun.org.
c2.testrun.org.         60      IN      NS      robotns2.second-ns.de.
c2.testrun.org.         60      IN      NS      robotns3.second-ns.com.
c2.testrun.org.         60      IN      NS      ns1.first-ns.de.

But somehow this does not propagate.

Zone transfer is working; I allowed any IPs:

$ dig @nsc2.testrun.org. AXFR c2.testrun.org.

; <<>> DiG 9.18.19 <<>> @nsc2.testrun.org. AXFR c2.testrun.org.
; (2 servers found)
;; global options: +cmd
c2.testrun.org.         60      IN      SOA     nsc2.testrun.org. dns.hetzner.org. 2020080307 7200 3600 1209600 3600
c2.testrun.org.         60      IN      NS      nsc2.testrun.org.
c2.testrun.org.         60      IN      NS      robotns2.second-ns.de.
c2.testrun.org.         60      IN      NS      robotns3.second-ns.com.
c2.testrun.org.         60      IN      NS      ns1.first-ns.de.
c2.testrun.org.         60      IN      A       135.181.204.127
c2.testrun.org.         60      IN      AAAA    2a01:4f9:c012:52f4::1
c2.testrun.org.         60      IN      MX      10 c2.testrun.org.
www.c2.testrun.org.     60      IN      A       135.181.204.127
c2.testrun.org.         60      IN      SOA     nsc2.testrun.org. dns.hetzner.org. 2020080307 7200 3600 1209600 3600
;; Query time: 73 msec
;; SERVER: 2a01:4f9:c012:52f4::1#53(nsc2.testrun.org.) (TCP)
;; WHEN: Wed Oct 18 23:49:04 UTC 2023
;; XFR size: 10 records (messages 1, bytes 324)
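One thing a practitioner would check at this point is whether the parent-side delegation and the child's own apex NS set agree: the parent (Hetzner) delegates c2.testrun.org to nsc2.testrun.org only, while the child zone on NSD also lists the three Hetzner servers as NS, and resolvers generally switch to the child's NS set once they have it. The following is an added example, not code from the issue or the project: it parses the two dig answers quoted above (copied verbatim as constructed input), diffs the two NS sets and verifies glue for NS names inside the parent zone. Whether the Hetzner servers actually answer authoritatively for c2 is not shown on the page, so the script only reports the mismatch.

```python
"""Delegation consistency check built from the dig output in this issue.

Added example, not code from the issue or the project. PARENT_DIG and
CHILD_DIG are copied from the answers quoted above; the parser and the
checks are mine.
"""
import re
from collections import defaultdict

# Parent-side answer (robotns2.second-ns.de) for c2.testrun.org, as quoted above.
PARENT_DIG = """\
;c2.testrun.org.                        IN      ANY
c2.testrun.org.         86400   IN      NS      nsc2.testrun.org.
nsc2.testrun.org.       86400   IN      AAAA    2a01:4f9:c012:52f4::1
nsc2.testrun.org.       86400   IN      A       135.181.204.127
"""

# Child-side answer from the NSD server at nsc2.testrun.org, as quoted above.
CHILD_DIG = """\
;c2.testrun.org.                        IN      A
c2.testrun.org.         60      IN      A       135.181.204.127
c2.testrun.org.         60      IN      NS      nsc2.testrun.org.
c2.testrun.org.         60      IN      NS      robotns2.second-ns.de.
c2.testrun.org.         60      IN      NS      robotns3.second-ns.com.
c2.testrun.org.         60      IN      NS      ns1.first-ns.de.
"""

# owner  ttl  IN  type  rdata   (dig's default tabular answer format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Map (owner, rrtype) -> list of rdata strings from dig's answer lines.

    Lines starting with ';' (question section, dig comments) are skipped.
    Names are lowercased and kept fully qualified with their trailing dot.
    """
    rrsets = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if line.lstrip().startswith(";") or not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        rrsets[(owner.lower(), rtype.upper())].append(rdata.strip().lower())
    return rrsets


def check_delegation(zone, parent_zone, parent_text, child_text):
    """Compare the NS set the parent delegates to against the NS set the
    child publishes at its own apex, and verify glue for NS names that live
    inside the parent zone. RFC 1034 expects both NS sets to agree; a server
    listed only by the child is still queried by resolvers that prefer the
    child's NS set, so it must answer authoritatively for the zone too.
    """
    zone = zone.lower().rstrip(".") + "."
    parent_zone = parent_zone.lower().rstrip(".") + "."
    parent = parse_dig(parent_text)
    child = parse_dig(child_text)
    parent_ns = set(parent[(zone, "NS")])
    child_ns = set(child[(zone, "NS")])
    # Glue is needed for NS names under the parent zone (nsc2.testrun.org.
    # lives in testrun.org, so Hetzner must publish its A/AAAA records).
    missing_glue = sorted(
        ns for ns in parent_ns
        if ns.endswith("." + parent_zone)
        and not parent[(ns, "A")] and not parent[(ns, "AAAA")]
    )
    return {
        "only_in_parent": sorted(parent_ns - child_ns),
        "only_in_child": sorted(child_ns - parent_ns),
        "missing_glue": missing_glue,
        "consistent": parent_ns == child_ns and not missing_glue,
    }


if __name__ == "__main__":
    result = check_delegation("c2.testrun.org", "testrun.org", PARENT_DIG, CHILD_DIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the two answers above, the script reports no missing glue but three servers present only in the child's NS set, which is the inconsistency to resolve on one side or the other before expecting the delegation to behave the same from every resolver.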

@hpk42
Contributor

hpk42 commented Oct 19, 2023

As said, I think it's better to just print the zone file for now and let people copy that to the web.
Also, as discussed in the community channel, there might be support for DNS APIs we could add (Hetzner and others) -- mostly they are easy REST APIs and not a big deal to support, and people can contribute them. So setting up a nameserver is not the only game in town and also requires more understanding -- you spent >10 hours figuring things out; for other people that might easily be 50 or never. DNS is inherently hard to debug.
