What requirements am I missing to use the domain name when using SSH to connect to a server?

I created a new Linode and set up SSH, but I can only log in with the IP address and not the domain name.

This logs me in: SSH example_user@123.45.67.890
This doesn't log me in: SSH example_user@example_domain.com

Error message from running SSH example_user@example_domain.com:

ssh: Could not resolve hostname domain.com: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.

Server setup steps I took that should enable the SSH example_user@example_domain.com command to work to log into the server are the following:

  1. Server distribution: Debian 12
  2. Domain setup for Hostname, IP Address, and TTL:
    example_domain.com  123.45.67.890                   Default
    example_domain.com  2600:3c06::f03c:94ff:abc0:1234  Default
    mail                123.45.67.890                   Default
    mail                2600:3c06::f03c:94ff:abc0:1234  Default
    www                 123.45.67.890                   Default
    www                 2600:3c06::f03c:94ff:abc0:1234  Default
  3. I added the following line to the /etc/hosts file (this is what should allow me to log into the server through SSH with the domain name):
    123.45.67.890 www.example_domain.com example_domain.com
  4. I created the ~/.ssh/authorized_keys file:
    mkdir -p ~/.ssh && cd .ssh && sudo touch authorized_keys && cd .. && sudo chmod -R 700 ~/.ssh/ && sudo chmod 600 ~/.ssh/authorized_keys
  5. I loaded the ~/.ssh/authorized_keys file with the SSH public key and confirmed that the file contained it:
    scp C:\Users\sbrew\.ssh/id_ed25519.pub root@123.45.67.890:~/.ssh/authorized_keys
  6. I updated and upgraded all packages on the server
  7. I restarted SSH on the Debian 12 server
  8. I rebooted the server

After these initial server setup steps, I still can't log in with SSH example_user@example_domain.com.

What am I missing?

2 Replies

At the most basic level, your domain entries are simple stand-ins for the actual IP address. Using a Linode and your laptop for a comparative test, what happens when you attempt to dig your domain?

dig $ENTRY.DOMAIN.TLD +short

Assuming that our name servers are configured to authoritatively resolve your domain, do you see any differences between:

dig @ns1.linode.com $ENTRY.DOMAIN.TLD +short

Versus:

dig @8.8.8.8 $ENTRY.DOMAIN.TLD +short

Is it possible that you are using DNSSEC with your domain? You can verify this status by checking the public WHOIS records associated with the domain, for example:

whois $DOMAIN.TLD | grep DNSSEC:

DNSSEC: signedDelegation // unsigned

If your domain uses DNSSEC and the signature is not signed correctly or is otherwise invalid, your domain will not resolve. For more information about DNSSEC in general and for a tool to verify your current DNSSEC signature, be sure to check the links below:

For more general steps to troubleshoot DNS issues, you may also wish to review this other guide:

jhartman, thanks for your reply. I was never aware of the dig command. That may give the answer I'm looking for, but I'm not sure what it is.

dig boldpostprojects.com +short returns my ip4 address.

dig @ns1.linode.com boldpostprojects.com +short doesn't return anything.

dig @8.8.8.8 boldpostprojects.com +short also returns my ip4 address.

whois boldpostprojects.com | grep DNSSEC: returns the following:

DNSSEC: signedDelegation
DNSSEC: signedDelegation

When running the DNSSEC Debugger, I get the following results:

Blank Section (all green check marks):

Found 2 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset

com Section (all green check marks):

Found 1 DS records for com in the . zone
DS=19718/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=20038 and DNSKEY=20038 verifies the DS RRset
Found 2 DNSKEY records for com
DS=19718/SHA-256 verifies DNSKEY=19718/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19718 and DNSKEY=19718/SEP verifies the DNSKEY RRset

boldpostprojects.com (all green check marks except for x's)

Found 1 DS records for boldpostprojects.com in the com zone
DS=53932/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=59354 and DNSKEY=59354 verifies the DS RRset
x No DNSKEY records found
ns5.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found

boldpostprojects.com (all green check marks except for x's)

ns2.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found

boldpostprojects.com (all green check marks except for x's)

ns3.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found

boldpostprojects.com (all green check marks except for x's)

ns1.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found

boldpostprojects.com (all green check marks except for x's)

ns2.linode.com is authoritative for boldpostprojects.com
boldpostprojects.com A RR has value 172.232.5.239
x No RRSIGs found

I've read the documentation in the links you sent. I'm pretty sure I don't have to secure anything at this very early stage to be able to log in through SSH with the domain name. The troubleshooting link isn't helping me to figure out why SSH with the domain name isn't allowing me to log into the server. I must be missing something, but am not figuring it out.
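
Added example, not part of either post: the DNSSEC Debugger output above reports a DS record for the zone in com but no DNSKEY or RRSIG records at the name servers. The script below classifies that state from `dig` answer text; a validating resolver treats a DS with no matching DNSKEY as bogus and answers SERVFAIL. The zone `example.test`, the digest and the key material are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a DNSSEC delegation from dig answer text.
# All sample records below are constructed (placeholder zone, digest and key).

SAMPLE_DS='example.test. 86400 IN DS 53932 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'
SAMPLE_DNSKEY='example.test. 3600 IN DNSKEY 257 3 8 (
        AwEAAbConstructedPlaceholderKeyMaterial
        ) ; KSK; alg = RSASHA256 ; key id = 53932'

# Key tags published by the parent: the field after "IN DS".
ds_tags() {
  printf '%s\n' "$1" |
    awk '{ for (i = 2; i < NF; i++) if ($i == "DS" && $(i-1) == "IN") print $(i+1) }' |
    sort -u
}

# Key tags served by the zone, read from the "key id = N" comments of dig +multi.
dnskey_tags() {
  printf '%s\n' "$1" | sed -n 's/.*key id = \([0-9][0-9]*\).*/\1/p' | sort -u
}

# classify_dnssec DS_ANSWER DNSKEY_ANSWER
# Prints: unsigned | island | bogus-no-dnskey | bogus-tag-mismatch | tags-match
# "tags-match" means only that a DS key tag has a DNSKEY; signatures are not verified.
classify_dnssec() {
  ds=$(ds_tags "$1")
  keys=$(dnskey_tags "$2")
  if [ -z "$ds" ] && [ -z "$keys" ]; then echo unsigned; return 0; fi
  if [ -z "$ds" ]; then echo island; return 0; fi
  if [ -z "$keys" ]; then echo bogus-no-dnskey; return 0; fi
  for tag in $ds; do
    for k in $keys; do
      if [ "$tag" = "$k" ]; then echo tags-match; return 0; fi
    done
  done
  echo bogus-tag-mismatch
}

# Live use (needs network and dig); +cdflag asks the resolver to skip validation
# so the records come back even when the chain is broken.
check_zone() {
  classify_dnssec "$(dig "$1" DS +noall +answer +cdflag)" \
                  "$(dig "$1" DNSKEY +noall +answer +multi +cdflag)"
}

# The state the DNSSEC Debugger reported: DS at the parent, no DNSKEY in the zone.
classify_dnssec "$SAMPLE_DS" ""
```

A `bogus-no-dnskey` result is cleared either by removing the DS record at the registrar or by serving a matching, signed DNSKEY set from the zone's name servers.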
