Let's assume I have:

  • Registered myapp.tld domain with ns.some.tld nameserver set
  • DigitalOcean droplets:
    • foo.myapp.tld
    • bar.myapp.tld
  • Cloudflare zone for:
    • myapp.tld
    • es.myapp.tld
    • de.myapp.tld
    • other language-specific subdomains

I need DigitalOcean to be the primary nameserver and to delegate part of the zone (including the root domain, which is the most questionable part here) to Cloudflare.

How should I set nameservers and DNS records to achieve that? Will something like this work:

  • nameserver set to ns1.digitalocean.com. (in registrar's config)
  • NS records in DigitalOcean:
    NS myapp.tld ivy.ns.cloudflare.com.
    NS *.myapp.tld ivy.ns.cloudflare.com.
    NS foo.myapp.tld ns1.digitalocean.com.
    
In which order would it be resolved? The foo subdomain before the wildcard?
  • A records in CF and DO for handling supported hostnames

Thanks in advance. I'm a newbie in terms of DNS and I need to migrate one application with a structure similar to the one above.

Wirone

1 Answer

Overall, I suspect that there is some misunderstanding that leads to this question.
Is there any reason why you would want to split things between two DNS services like this at all?

DNS is a tree, where a zone is defined by the parent zone delegating some name within that zone to some set of nameservers, where the new zone starts.
You cannot delegate the apex of your zone from within your own zone. If you want your zone to be delegated elsewhere, you wouldn't have the zone in this other place in the first place, rather change the delegation in the parent zone according to where the zone should actually be.

I.e., if you have the zone myapp.example you can delegate foo.myapp.example (which means that foo.myapp.example and everything below it is a new zone) from within your zone, but not myapp.example itself (this would have to be done from the parent zone).

From your description, my impression is that what you actually want is to delegate myapp.example to Cloudflare, and from there delegate foo.myapp.example to DigitalOcean. This would be technically possible and does make sense if the delegation to DigitalOcean actually serves a purpose.

However, I would question even this setup, simply because it's unclear that the delegation to DigitalOcean serves any purpose.
You probably just need to delegate myapp.example to Cloudflare and be done with it. You don't generally need delegations in DNS just because you are using different hosting providers for different hosts, etc.
You can simply add, for example, address records (A/AAAA) on the Cloudflare side referring to the addresses of your DigitalOcean hosts, so that for example foo.myapp.example resolves to the DigitalOcean host.

One provider-specific further complication with the original plan is that Cloudflare only allows you to set up registrable domains in their system (by policy, this is not an inherent technical limitation). So you can set up the domain myapp.example in Cloudflare but not the domain test.myapp.example, as the latter is not registrable in itself.

Håkan Lindqvist
In the meantime I found that it's impossible to delegate the root domain with an NS record, so this answer somehow resolves my question. The reason why I wanted to do such a weird config is "simple": people working on this project before me did some things in a way that makes my work harder. I have access to the registrar and to DO where some components are running, but I don't have access to CF, which is used as the nameserver, so I can't do anything related to DNS like adding a new subdomain for a new component and so on. I had to migrate one component to DO and couldn't generate a Let's Encrypt cert because I couldn't add a TXT record. – Wirone Oct 05 '20 at 07:59
@Wirone Ok, I don't know what the particular circumstances are, but if the certs are for e.g. "foo", then delegating foo would be an option. Otherwise, it sounds like you ought to get an API Token with access to the relevant zones in Cloudflare if you are going to use Letsencrypt. – Håkan Lindqvist Oct 05 '20 at 08:38
I have generated certificates with help from a person with access to CF, but this was the root cause of my question: I would like to be able to manage DNS for "my" part of the system (2 components, maybe more in the future) and let that person manage the other part. But now I know it's not possible, so we will think about how to resolve the CF access problem (probably with a new CF account shared between multiple users). Thanks for your help. – Wirone Oct 08 '20 at 09:14
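The delegation model the answer describes (a zone cut exists only where the parent zone holds NS records for a name, and NS records at a zone's own apex are its nameserver set rather than a delegation) can be shown with a small stdlib-only simulation. This is an added example, not code from the question, the answer, Cloudflare or DigitalOcean; the zone contents, the nameserver hostnames (ns1.cloudflare.example, ns1.digitalocean.example) and the addresses are all constructed, the parent zone is written as example. rather than a real TLD, and wildcards are deliberately left out of the model.

```python
"""Toy walk of the DNS delegation tree for the setup discussed in the answer.

Constructed data: the parent zone delegates myapp.example to Cloudflare, the
Cloudflare-hosted zone delegates foo.myapp.example to DigitalOcean, and
bar.myapp.example is served by a plain A record (no delegation needed).
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # owner name -> records

ZONES: Dict[str, Zone] = {
    # Parent zone: the only place where myapp.example can be delegated.
    "example.": {
        "myapp.example.": [("NS", "ns1.cloudflare.example."),
                           ("NS", "ns2.cloudflare.example.")],
    },
    # Zone hosted at Cloudflare. The apex NS records are its own nameserver
    # set; they do not delegate the apex anywhere (it can't be done from here).
    "myapp.example.": {
        "myapp.example.": [("NS", "ns1.cloudflare.example."),
                           ("NS", "ns2.cloudflare.example."),
                           ("A", "203.0.113.10")],
        "es.myapp.example.": [("A", "203.0.113.10")],
        # Zone cut: foo.myapp.example and everything below it is a new zone.
        "foo.myapp.example.": [("NS", "ns1.digitalocean.example.")],
        # No delegation needed just because bar runs on a different host.
        "bar.myapp.example.": [("A", "198.51.100.20")],
    },
    # Zone hosted at DigitalOcean, where e.g. an ACME TXT record can be added.
    "foo.myapp.example.": {
        "foo.myapp.example.": [("NS", "ns1.digitalocean.example."),
                               ("A", "198.51.100.10")],
        "_acme-challenge.foo.myapp.example.": [("TXT", "constructed-acme-token")],
    },
}


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _ancestors(qname: str, apex: str) -> List[str]:
    """Names from qname up to (but excluding) the zone apex, most specific first."""
    q, apex = _fqdn(qname), _fqdn(apex)
    if q != apex and not q.endswith("." + apex):
        return []                       # qname is not inside this zone
    labels = q.split(".")[:-1]          # drop the empty label after the final dot
    out = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand == apex:
            break
        out.append(cand)
    return out


def own_ns(zone_name: str) -> List[str]:
    """The zone's own nameserver set: the NS records at its apex."""
    return [r for t, r in ZONES[zone_name].get(zone_name, []) if t == "NS"]


def find_zone_cut(zone_name: str, qname: str) -> Optional[Tuple[str, List[str]]]:
    """Closest delegation inside zone_name that covers qname, or None.

    Apex NS records are skipped on purpose: a zone cannot delegate itself
    away from inside, only the parent zone can change where it lives.
    """
    zone = ZONES[zone_name]
    for cand in _ancestors(qname, zone_name):
        ns = [r for t, r in zone.get(cand, []) if t == "NS"]
        if ns:
            return cand, ns
    return None


def authoritative_zone(qname: str, root_zone: str = "example.") -> Tuple[str, List[str]]:
    """Follow zone cuts from root_zone down to the zone authoritative for qname."""
    current = root_zone
    while True:
        cut = find_zone_cut(current, qname)
        if cut is None:
            return current, own_ns(current)
        child, ns = cut
        if child not in ZONES:
            return child, ns            # delegated, but nobody serves the child
        current = child


def lookup(qname: str, rrtype: str) -> List[str]:
    """Answer a query from whichever zone is authoritative for the name."""
    zone_name, _ = authoritative_zone(qname)
    return [r for t, r in ZONES[zone_name].get(_fqdn(qname), []) if t == rrtype]


if __name__ == "__main__":
    for name in ("myapp.example", "es.myapp.example", "bar.myapp.example",
                 "_acme-challenge.foo.myapp.example"):
        print(name, "->", authoritative_zone(name))
```

Running the module prints which zone (and therefore which provider's nameservers) ends up answering for each name: the apex and the language subdomains stay with the Cloudflare-hosted zone, bar resolves from a plain A record there, and only names at or below the foo zone cut reach the DigitalOcean-hosted zone, which is where a TXT record for foo could be added without access to the parent zone.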