DNSDNS配置管理

Pre-Migration TTL

• - Lower TTL to 300s at least 48h before changing records—current TTL must expire first
• Check current cached TTL before planning: INLINECODE0
• After migration stable 24h, raise TTL back to 3600-86400s
• Test with multiple resolvers: Google (8.8.8.8), Cloudflare (1.1.1.1), local ISP—they cache independently

Email Authentication (All Three Required)

• - SPF alone insufficient—DKIM and DMARC both needed for deliverability
• DMARC record: INLINECODE1
• SPF must be single TXT record—multiple SPF records invalid; use include: for multiple sources
• SPF ending: -all (reject) or ~all (soft fail)—never +all or INLINECODE6
• Verify complete setup with mail-tester.com after configuration

CAA Records

• - Limits which Certificate Authorities can issue certs for domain—prevents unauthorized issuance
• Basic: INLINECODE7
• Wildcard requires separate entry: INLINECODE8
• Incident reporting: INLINECODE9
• Without CAA, any CA can issue—set explicitly for security-conscious domains

www Handling

• - Configure both apex and www—or redirect one to other; leaving www unconfigured breaks links
• Pick canonical form and stick to it: www → apex OR apex → www
• HTTPS redirect requires cert for both variants before redirect works
• Test both URLs explicitly after setup

Debugging Commands

• - dig +trace example.com—full resolution chain from root; reveals where problem occurs
• INLINECODE11—query authoritative nameserver directly, bypasses cache
• Compare authoritative vs cached response—mismatch indicates propagation in progress
• Check all relevant record types—A working doesn't mean AAAA, MX, or TXT are correct

Cloudflare Proxy Behavior

• - Orange cloud (proxied) hides origin IP—breaks SSH, mail, game servers; use grey cloud for non-HTTP
• Proxied records ignore your TTL setting—Cloudflare controls caching
• CNAME flattening at apex works in Cloudflare but causes confusion when migrating away
• Universal SSL only on proxied records—DNS-only requires origin certificate

Wildcard Records

• - *.example.com does not match apex example.com—both need explicit records
• Explicit subdomain record takes precedence over wildcard
• Wildcard SSL certificates require separate issuance—use DNS challenge with Let's Encrypt