If you allow MiaB to be your domain’s authoritative server (NSD only does authoritative) then v67 does a brilliant job setting up all the necessary DNS entries (except for _smtp._tls) for all the domains you’re serving. You can even declare a secondary DNS server which can be hosted anywhere, or you (as the documentation puts it) ignore MiaB’s DNS completely and use a completely external DNS solution.
I’m new to MiaB but I’ve run most of its underlying services for many years and paid my dues with regards to setting up self-hosted authoritative DNS in a safe and performant manner.
I accept that it would be completely out of scope for MiaB to get involved in setting up external DNS servers. Yet it strikes me that a relatively minor change would allow the best of both worlds.
Let me explain.
At the moment, when you use external DNS, you’re presented with zone records (on the page as well as in zone file format). If you declare one or more secondary DNS servers, those are included in the zone files and the nsd configuration is updated to do the zone transfers, provided you have the secondaries set up to accept transfers. The assumption in both cases is that box.yourdomain.tld hosts the authoritative DNS records as ns1.box.yourdomain.tld.
The arrangement I am after, and have found for many years to work really well, involves what the DNS providers and documentation call a blind master. That is where the machine/software that sets up the appropriate DNS records, such as MiaB does, is invisible to the public. There is no NS record for it in the zone file and the SOA does not point to it. Instead, the SOA and NS records point to a set of nameservers, typically hosted as secondary servers at a DNS provider (I prefer ClouDNS but it’s a common service), for which you declare the master server(s) by IP to be your self-hosted authoritative domain.
The idea would be to have MiaB do its good work keeping a tight rein on the DNS records required for safe email operations, but keep the actual server away from the treacherous public DNS territory. If you have to allow anyone on the internet to access your DNS server you also allow those who seek to disrupt you or others access to your server, and believe me, I’ve seen how the attempts to cause havoc skyrocket in the space of a month if your DNS server is accessible.
Doing this might, in my opinion, be really simple. I suspect all MiaB needs is a way to set a flag telling the DNS generating code to exclude ns1.box.yourdomain.tld and ns2.box.yourdomain.tld from the DNS zone files completely and only use the servers provided as secondary servers, without the xfr: prefix, as the nameservers. This can be verified against what the registrar has configured for the domain.
I’m not familiar with the code (yet) but I would not be surprised to find some pretty firm assumptions being made about box.yourdomain.tld and ns1.box.yourdomain.tld that might make the change I suggest a tough one.
If I have some indication that I’m not doing this for myself only, I could fork the project, make the changes and offer a pull request when it’s done.
For clarity, the fork/PR would be to define a set of secondary DNS servers which replace ns1.box… and ns2.box… in the nsd configuration and the DNS records generated. The result would be that MiaB stays “in control” of DNS but the server itself becomes a blind master so that only the secondaries (at an external provider) face the public.
Is there interest in such an option?
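As an added illustration (not code from the post, nor from MiaB), here is a Python sketch of the zone rewrite the proposal describes: drop every record naming ns1.box/ns2.box, point the SOA MNAME and the apex NS set at the provider's secondaries, and check the resulting NS set against what the registrar delegates to. It assumes a one-record-per-line zone with an explicit IN class and a single-line SOA; the zone content and the ns1/ns2.example-provider.net names are constructed placeholders.

```python
# Constructed sample zone in the shape of an exported zone file (not a real
# MiaB export); SOA is written on one line so the line-based parser below suffices.
SAMPLE_ZONE = """\
$ORIGIN yourdomain.tld.
$TTL 86400
@ IN SOA ns1.box.yourdomain.tld. hostmaster.yourdomain.tld. 2024010101 7200 1800 1209600 86400
@ IN NS ns1.box.yourdomain.tld.
@ IN NS ns2.box.yourdomain.tld.
@ IN A 203.0.113.10
ns1.box IN A 203.0.113.10
ns2.box IN A 203.0.113.10
@ IN MX 10 box.yourdomain.tld.
"""

HIDDEN = ("ns1.box", "ns2.box")  # the box's own nameserver labels to keep out of the zone

def _norm(name):
    return name.lower().rstrip(".")

def _is_hidden(name):
    n = _norm(name)
    return any(n == h or n.startswith(h + ".") for h in HIDDEN)

def to_hidden_master(zone_text, secondaries):
    """Rewrite the zone for a hidden (blind) master: SOA MNAME and apex NS point at
    the public secondaries; records naming ns1.box/ns2.box are dropped entirely."""
    out = []
    for line in zone_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("$"):
            out.append(line)  # directives ($ORIGIN, $TTL) pass through unchanged
            continue
        owner, rtype, rdata = parts[0], parts[2], parts[3:]
        if rtype == "SOA":
            rdata[0] = secondaries[0]  # primary master name as the public sees it
            out.append(" ".join([owner, "IN", "SOA"] + rdata))
            out.extend(f"@ IN NS {ns}" for ns in secondaries)  # public delegation
        elif not (_is_hidden(owner) or (rtype == "NS" and _is_hidden(rdata[0]))):
            out.append(line)  # everything else (A, MX, TXT, ...) is kept as generated
    return "\n".join(out) + "\n"

def zone_nameservers(zone_text):
    """Apex NS names present in the zone, normalised for comparison."""
    return {_norm(p[3]) for p in (l.split() for l in zone_text.splitlines())
            if len(p) >= 4 and p[0] == "@" and p[2] == "NS"}

def delegation_matches(zone_text, registrar_ns):
    """True when the zone's NS set equals the nameservers the registrar delegates to."""
    return zone_nameservers(zone_text) == {_norm(n) for n in registrar_ns}
```

The registrar's nameserver list would come from a `dig NS yourdomain.tld @<parent-TLD-server>` style query; here it is passed in as plain strings so the check runs offline.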