ClawHub

DNS

v1.0.0

Configure DNS records correctly with proper TTLs, email authentication, and migration strategies.

2· 961·6 current·6 all-time
byIván@ivangdavila
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description claim DNS configuration guidance; the SKILL.md contains DNS TTL, DKIM/SPF/DMARC, CAA, Cloudflare, wildcard, and debugging guidance — all directly relevant. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions stay within DNS administration: recommended dig commands, record examples, and testing guidance. Commands reference network DNS queries only (dig) and suggest external testing services (mail-tester.com); they do not instruct reading arbitrary local files, accessing unrelated credentials, or transmitting data to unexpected endpoints.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing will be written to disk or downloaded by the skill itself.
Credentials
No environment variables, credentials, or config paths requested. The guidance does not require secrets or provider keys; recommended actions are manual DNS edits and public DNS queries.
Persistence & Privilege
Skill is not always-enabled and does not request persistent presence or modification of other skills or global agent settings. Autonomous invocation is allowed by platform default but this skill has no privileged access to exploit.
Assessment
This is a safe, instruction-only DNS checklist. Before using: (1) review any dig or DNS commands the agent plans to run — they perform public DNS queries and don’t access local secrets; (2) avoid pasting private keys, full zone files, or credentials into external testers (e.g., mail-tester.com); (3) when applying changes, follow your DNS provider’s UI/API and verify provider-specific behaviors (Cloudflare proxying, CNAME flattening); and (4) if you later want automated changes (API-based updates), expect the skill to require provider credentials — review those requests carefully before granting them.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌍 Clawdis
OSLinux · macOS · Windows
latestvk974j7xj9ppc1qhbyf0j2w8td980xv5n
961downloads
2stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Linux, macOS, Windows
Iván@ivangdavila
latest
Download

Pre-Migration TTL

  • Lower TTL to 300s at least 48h before changing records—current TTL must expire first
  • Check current cached TTL before planning: dig +nocmd +noall +answer example.com
  • After migration stable 24h, raise TTL back to 3600-86400s
  • Test with multiple resolvers: Google (8.8.8.8), Cloudflare (1.1.1.1), local ISP—they cache independently

Email Authentication (All Three Required)

  • SPF alone insufficient—DKIM and DMARC both needed for deliverability
  • DMARC record: _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
  • SPF must be single TXT record—multiple SPF records invalid; use include: for multiple sources
  • SPF ending: -all (reject) or ~all (soft fail)—never +all or ?all
  • Verify complete setup with mail-tester.com after configuration

CAA Records

  • Limits which Certificate Authorities can issue certs for domain—prevents unauthorized issuance
  • Basic: example.com. CAA 0 issue "letsencrypt.org"
  • Wildcard requires separate entry: CAA 0 issuewild "letsencrypt.org"
  • Incident reporting: CAA 0 iodef "mailto:security@example.com"
  • Without CAA, any CA can issue—set explicitly for security-conscious domains

www Handling

  • Configure both apex and www—or redirect one to other; leaving www unconfigured breaks links
  • Pick canonical form and stick to it: www → apex OR apex → www
  • HTTPS redirect requires cert for both variants before redirect works
  • Test both URLs explicitly after setup

Debugging Commands

  • dig +trace example.com—full resolution chain from root; reveals where problem occurs
  • dig @ns1.provider.com example.com—query authoritative nameserver directly, bypasses cache
  • Compare authoritative vs cached response—mismatch indicates propagation in progress
  • Check all relevant record types—A working doesn't mean AAAA, MX, or TXT are correct

Cloudflare Proxy Behavior

  • Orange cloud (proxied) hides origin IP—breaks SSH, mail, game servers; use grey cloud for non-HTTP
  • Proxied records ignore your TTL setting—Cloudflare controls caching
  • CNAME flattening at apex works in Cloudflare but causes confusion when migrating away
  • Universal SSL only on proxied records—DNS-only requires origin certificate

Wildcard Records

  • *.example.com does not match apex example.com—both need explicit records
  • Explicit subdomain record takes precedence over wildcard
  • Wildcard SSL certificates require separate issuance—use DNS challenge with Let's Encrypt

Comments

Loading comments...