caddy-dynamicdns

Ability to exclude subdomains when using dynamic domains

Open matthewpi opened this issue 8 months ago • 1 comments

Right now when you use dynamic domains you must specify the zone you want records to be created for (using the domains directive), but once the zone is specified, there is no way to filter out what records will be created.

For example, with Caddy 2.10.0 and https://github.com/caddyserver/caddy/pull/6959 it is now possible to have individual site-blocks be scoped with a wildcard certificate. In my homelab setup I have multiple servers running under the same domain with individual subdomains going to separate servers, but each server has a wildcard certificate for the same domain. This means that my DNS records consist of individual A/AAAA records to whatever server has a route for that host.

My Caddyfile currently looks something like:

{
	acme_dns cloudflare {file.{$CF_API_TOKEN_FILE}}
	dns cloudflare {file.{$CF_API_TOKEN_FILE}}
	ech ech.example.net

	dynamic_dns {
		provider cloudflare {file.{$CF_API_TOKEN_FILE}}
		ip_source static 1.1.1.1 2606:4700:4700::1111
		dynamic_domains
		domains {
			example.com
		}
	}
}

&(404) {
	respond "404 route not found" 404 {
		close
	}
}

*.example.com {
	tls {
		dns cloudflare {file.{$CF_API_TOKEN_FILE}}
	}

	# Fallback for unhandled domains
	invoke 404
}

attic.example.com {
	# ...
}

{$HOSTNAME}.example.com {
	# ...
}

However, this creates a problem. Dynamic DNS will create a record for both the root domain @ and also the wildcard, both of which I do not want. Ideally for my setup, dynamic_domains should only create records for domains explicitly configured as site-blocks in the config.


I see a few ways to solve these problems, each with their own different benefits and drawbacks.

Most of these changes only relate to dynamic_domains as if you are explicitly listing what domains/subdomains you want created, none of these changes really apply.

  1. Add a parameter to dynamic_domains that could take the following values:

    1. all (the default): this would be the same as the current behaviour and could be implied if no option is explicitly set.
    2. ignore_wildcards, which would be similar to the current logic except no wildcard domains will be created.
    3. explicit, will only create records for domains explicitly configured as a site-block, even if specified under domains.
  2. Add the ability to negate values from the domains section.

    1. By default a record will be created for the root of the domain if no subdomains are explicitly specified, but in order to do that you would need to specify at least one subdomain (even if you are using dynamic_domains) which I believe goes against the idea of using dynamic_domains. It's one thing to need to specify the root domain in domains to have records be created for it, but if dynamic_domains is enabled, records should only be created for the domain (or subdomains) if a site-block explicitly exists matching that domain.
    2. Being able to exclude subdomains is useful as an alternative to the dynamic_domains ignore_wildcards option I mentioned earlier. Right now my main issue is records are created for the root domain and the wildcard when I don't want them to be. Being able to exclude the root and/or subdomains (including the wildcard) from being created would be another way of solving this problem.

Either of these options would be able to solve this problem.

What do you think?


Apologies if some of the explanations are a bit rough, this is a pure brain dump I wrote after a long day of fixing issues and tracing problems. If you need any clarification or additional information, I am more than willing to provide it.

matthewpi, Apr 19 '25 01:04
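A sketch of the record filtering proposed in the issue above, added here as an example; it is not code from caddy-dynamicdns or from the issue author. The function `recordNames`, its parameters, the host `node1.example.com` (standing in for `{$HOSTNAME}.example.com`) and the reading that `explicit` also skips wildcard site-blocks are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// recordNames lists the relative names ("@" = zone root) that would be managed
// in zone for the given site-block hosts. mode is one of the values proposed in
// the issue; exclude models the proposed negation of entries under domains.
func recordNames(zone string, siteHosts []string, mode string, exclude []string) []string {
	done := map[string]bool{} // excluded or already emitted names
	for _, e := range exclude {
		done[e] = true
	}
	var out []string
	add := func(name string) {
		if !done[name] {
			done[name] = true
			out = append(out, name)
		}
	}
	// Root record for a bare zone, as the issue describes; assumed off in "explicit".
	if mode != "explicit" {
		add("@")
	}
	for _, h := range siteHosts {
		h = strings.ToLower(strings.TrimSuffix(h, "."))
		name := strings.TrimSuffix(h, "."+zone)
		if h == zone {
			name = "@"
		} else if name == h {
			continue // host is outside this zone
		}
		// Assumption: both non-default modes skip wildcard site-blocks.
		if strings.HasPrefix(name, "*") && mode != "all" {
			continue
		}
		add(name)
	}
	return out
}

func main() {
	hosts := []string{"*.example.com", "attic.example.com", "node1.example.com", "other.net"}
	for _, m := range []string{"all", "ignore_wildcards", "explicit"} {
		fmt.Println(m, recordNames("example.com", hosts, m, nil))
	}
}
```

With the exclusion list set to `@` and `*`, mode `all` yields the same two names as `explicit`, which is why the issue treats the two proposals as alternatives.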

Thanks for this -- just catching up on things but your PR is back at the top of my inbox, so, it hopefully won't be long :)

mholt, Apr 22 '25 20:04