I have one domain with many subdomains, and some subdomains have sub subdomains. Let me clarify with the following structure: - domain.com --- subdomain1.com --> client C2 ------ sub1.subdomain1.com ------ sub2.subdomain1.com --- subdomain2.com --> client C3 --- subdomain3.com --> client C4 ------ sub.subdomain3.com --- subdomain4.com --> client C5 --- etc There are two ways in creating DNS zone for all of those. First, Admin (C1) creates both clients (C2-C5) and websites for subdomains (subdomain1.com- subdomain4.com). Admin then create DNS records for all of them. So, the DNS zone is only one (domain.com DNS Zone) in Admin interface. Second, Admin only create clients, and then the clients will create their own websites and DNS zones. In Admin interface, there will be many DNS zones (domain.com DNS zone, subdomain1.com DNS zone, subdomain2.com DNS zone, etc). In both choices, clients can create sub subdomains and DNS zone/records (e.g. client C2 can create sub1.subdomain.com, sub2.subdomain.com, etc). My question is, for production site and good practices, which one is better regarding DNS zone? The first way, or the second one? I would like to use one Wildcard SSL Certificate for all of those websites. Do you think wildcard SSL will work for both ways? Will the wildcard SSL also work for sub subdomains (sub1.subdomain.com, sub2.subdomain.com, etc)? Thank you in advance.
Both ways are possible, I'd say. Wildcard ssl like LE should work on both root domain and wildcard subdomain as well as on its root subdomain and wildcard sub subdomain. I did write somewhere in here about wildcard for LE SSL and how to obtain it which I think can be applied for the above purpose.
Thanks ahrasis. I asked this because I will use a paid wildcard ssl donated by someone, but the domain is not ready yet due to server migration process. My concern is just its application in sub subdomains. Hope it would wok for such a certificate.
Which is better in term of administration and security? I read an article regarding DNS cache: "Attackers can exploit this feature [DNS cache] by altering the stored information." More DNZ zone in Admin interface, meaning more DNS cache? More chances to be attacked?
