What requirements am I missing to use the domain name when using SSH to connect to a server?
I created a new Linode and set up SSH, but I can only log in with the IP address and not the domain name.
This logs me in: SSH example_user@123.45.67.890
This doesn't log me in: SSH example_user@example_domain.com
Error message from running SSH example_user@example_domain.com:
ssh: Could not resolve hostname domain.com: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Server setup steps I took that should enable the SSH example_user@example_domain.com command to work to log into the server are the following:
- Server distribution: Debian 12
- Domain setup for Hostname, IP Address, and TTL:

  | Hostname | IP Address | TTL |
  |---|---|---|
  | example_domain.com | 123.45.67.890 | Default |
  | example_domain.com | 2600:3c06::f03c:94ff:abc0:1234 | Default |
  | mail | 123.45.67.890 | Default |
  | mail | 2600:3c06::f03c:94ff:abc0:1234 | Default |
  | www | 123.45.67.890 | Default |
  | www | 2600:3c06::f03c:94ff:abc0:1234 | Default |

- I added the following line to the /etc/hosts file (this is what should allow me to log into the server through SSH with the domain name):
123.45.67.890 www.example_domain.com example_domain.com
- I created the ~/.ssh/authorized_keys file:
mkdir -p ~/.ssh && cd .ssh && sudo touch authorized_keys && cd .. && sudo chmod -R 700 ~/.ssh/ && sudo chmod 600 ~/.ssh/authorized_keys
- I loaded the ~/.ssh/authorized_keys file with the SSH public key and confirmed that the file contained it:
scp C:\Users\sbrew\.ssh/id_ed25519.pub root@123.45.67.890:~/.ssh/authorized_keys
- I updated and upgraded all packages on the server
- I restarted SSH on the Debian 12 server
- I rebooted the server
After these initial server setup steps, I still can't log in with SSH example_user@example_domain.com.
What am I missing?
2 Replies
At the most basic level, your domain entries are simple stand-ins for the actual IP address. Using a Linode and your laptop for a comparative test, what happens when you attempt to dig your domain?
dig $ENTRY.DOMAIN.TLD +short
Assuming that our name servers are configured to authoritatively resolve your domain, do you see any differences between:
dig @ns1.linode.com $ENTRY.DOMAIN.TLD +short
Versus:
dig @8.8.8.8 $ENTRY.DOMAIN.TLD +short
Is it possible that you are using DNSSEC with your domain? You can verify this status by checking the public WHOIS records associated with the domain, for example:
whois $DOMAIN.TLD | grep DNSSEC:
DNSSEC: signedDelegation // unsigned
If your domain uses DNSSEC and the signature is not signed correctly or is otherwise invalid, your domain will not resolve. For more information about DNSSEC in general and for a tool to verify your current DNSSEC signature, be sure to check the links below:
For more general steps to troubleshoot DNS issues, you may also wish to review this other guide:
jhartman, thanks for your reply. I was never aware of the dig command. That may give the answer I'm looking for, but I'm not sure what it is.
dig boldpostprojects.com +short
returns my ip4 address.
dig @ns1.linode.com boldpostprojects.com +short
doesn't return anything.
dig @8.8.8.8 boldpostprojects.com +short
also returns my ip4 address.
whois boldpostprojects.com | grep DNSSEC:
returns the following:
DNSSEC: signedDelegation
DNSSEC: signedDelegation
When running the DNSSEC Debugger, I get the following results:
Blank Section (all green check marks):
Found 2 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
com Section (all green check marks):
Found 1 DS records for com in the . zone
DS=19718/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=20038 and DNSKEY=20038 verifies the DS RRset
Found 2 DNSKEY records for com
DS=19718/SHA-256 verifies DNSKEY=19718/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19718 and DNSKEY=19718/SEP verifies the DNSKEY RRset
boldpostprojects.com (all green check marks except for x's)
Found 1 DS records for boldpostprojects.com in the com zone
DS=53932/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=59354 and DNSKEY=59354 verifies the DS RRset
x No DNSKEY records found
ns5.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found
boldpostprojects.com (all green check marks except for x's)
ns2.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found
boldpostprojects.com (all green check marks except for x's)
ns3.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found
boldpostprojects.com (all green check marks except for x's)
ns1.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found
boldpostprojects.com (all green check marks except for x's)
ns2.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found
I've read the documentation in the links you sent. I'm pretty sure I don't have to secure anything at this very early stage to be able to log in through SSH with the domain name. The troubleshooting link isn't helping me to figure out why SSH with the domain name isn't allowing me to log into the server. I must be missing something, but am not figuring it out.
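
The DNSSEC check suggested in the first reply, reduced to the two facts the debugger output above reports (DS records at the parent, DNSKEY records at the zone's own name servers), as an added example that is not part of the thread and not Linode tooling. The function names and sample records are constructed for illustration: the key tag 53932 and algorithm 8 (RSASHA256) are taken from the pasted output, while the digest and key material are placeholders.

```shell
#!/bin/sh
# Added example: classify a DNSSEC delegation from two `dig +short` answers.
#   $1 = output of: dig +short DS <zone>                 (DS lives in the parent zone)
#   $2 = output of: dig +short DNSKEY <zone> @<auth-ns>  (keys served by the zone itself)

# Constructed samples. The digest and key material are placeholders, not real values.
DS_SAMPLE='53932 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'
DNSKEY_SAMPLE='257 3 8 AwEAAcConstructedKeyMaterialOnly'

# Key tags (first field) of the DS records, one per line.
ds_key_tags() {
  printf '%s\n' "$1" | awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# Number of DNSKEY records (flags field 256 = zone key, 257 = key with the SEP bit).
dnskey_count() {
  printf '%s\n' "$1" | awk '$1 == 256 || $1 == 257 { n++ } END { print n + 0 }'
}

classify_delegation() {
  # dig reports timeouts and similar failures as lines starting with ";;".
  # Treat those as "no data" instead of "no records".
  if printf '%s\n%s\n' "$1" "$2" | grep -q '^;;'; then
    echo "lookup-failed"
    return 0
  fi
  cd_tags=$(ds_key_tags "$1")
  cd_keys=$(dnskey_count "$2")
  if [ -z "$cd_tags" ] && [ "$cd_keys" -eq 0 ]; then
    echo "unsigned"       # no DS, no keys: resolves without validation
  elif [ -z "$cd_tags" ]; then
    echo "signed-no-ds"   # keys published but no DS: treated as insecure
  elif [ "$cd_keys" -eq 0 ]; then
    echo "broken-chain"   # DS at parent, no keys in zone: validation fails
  else
    echo "signed"         # both present; signatures still need validating
  fi
}

# DS present at the parent, empty DNSKEY answer from the zone's name server.
classify_delegation "$DS_SAMPLE" ""
```

On live data, pass the output of `dig +short DS <zone>` and `dig +short DNSKEY <zone> @<auth-ns>` as the two arguments; a `broken-chain` result means the DS record at the registrar should be removed or the zone actually signed.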