093 — Domain & DNS Setup {DevOps}
Purpose
Configure DNS records for Firebase Hosting, email delivery, domain verification, and SSL certificates. Ensure all domains resolve correctly with proper security and email functionality. [EXPLICIT]
Physics — 3 Immutable Laws
- Law of DNS Propagation: DNS changes take 1-48 hours to propagate globally. Plan changes in advance. Never change DNS during high-traffic periods. [EXPLICIT]
- Law of Record Specificity: Each record type serves one purpose. A records for hosting, MX for email, TXT for verification, CNAME for aliases. Never mix purposes. [EXPLICIT]
- Law of SSL Enforcement: All domains serve HTTPS only. HTTP redirects to HTTPS. HSTS headers enabled with 1-year max-age. [EXPLICIT]
Protocol
Phase 1 — Firebase Hosting Domain
- In Firebase Console → Hosting → Add Custom Domain. [EXPLICIT]
- Add A records in DNS provider pointing to Firebase IPs (provided in console). [EXPLICIT]
- Add TXT record for domain ownership verification. [EXPLICIT]
- Wait for SSL provisioning (Firebase uses Let's Encrypt, auto-renews). [EXPLICIT]
- Verify: `curl -I https://yourdomain.com` returns Firebase hosting headers. [EXPLICIT]
Phase 2 — Email Configuration
- Add MX records for email provider (Google Workspace, Zoho, etc.). [EXPLICIT]
- Add SPF TXT record: `v=spf1 include:_spf.google.com ~all`. [EXPLICIT]
- Add DKIM TXT record from email provider. [EXPLICIT]
- Add DMARC TXT record: `v=DMARC1; p=quarantine; rua=mailto:admin@domain.com`. [EXPLICIT]
Phase 3 — Subdomain & Alias Setup
- www CNAME → root domain (or Firebase Hosting). [EXPLICIT]
- api.domain.com CNAME → Cloud Functions URL or Cloud Run service. [EXPLICIT]
- staging.domain.com A records → staging Firebase project. [EXPLICIT]
- Wildcard `*.domain.com` only if needed — prefer explicit subdomains. [EXPLICIT]
I/O
| Input | Output |
|---|---|
| Domain name + Firebase project | A/TXT records for hosting |
| Email provider config | MX/SPF/DKIM/DMARC records |
| Subdomain requirements | CNAME records for each subdomain |
| DNS provider access | Configured zone file |
Quality Gates — 5 Checks
- A records resolve to Firebase IPs — `dig A yourdomain.com` returns expected IPs. [EXPLICIT]
- SSL certificate active — no mixed content warnings, HSTS header present. [EXPLICIT]
- MX records valid — `dig MX yourdomain.com` returns email provider. [EXPLICIT]
- SPF + DKIM + DMARC configured — email passes authentication checks. [EXPLICIT]
- No dangling CNAMEs — all CNAME targets are active services. [EXPLICIT]
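An added example (not part of the original skill) of an offline lint for the SPF and DMARC records from Phase 2, suitable as a scripted form of the fourth quality gate. The domain `example.test`, the sample zone data, and the function names are assumptions; it goes slightly beyond the text by also flagging duplicate SPF records and unenforced policies.

```python
"""Offline lint for the SPF and DMARC TXT records from Phase 2 (added example)."""

# Constructed sample data: owner name -> TXT strings as `dig +short TXT` would list them.
SAMPLE_ZONE = {
    "example.test": ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:admin@example.test"],
}


def parse_tags(record):
    """Split a DMARC record ('k=v; k=v') into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_email_records(zone, domain):
    """Return a list of findings; an empty list means the gate passes."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # RFC 7208: zero records means no policy, more than one is a permerror.
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
        if all_terms and all_terms[-1] in ("all", "+all", "?all"):
            findings.append(f"SPF: '{all_terms[-1]}' does not restrict senders")
        elif not all_terms and not any(t.startswith("redirect=") for t in terms):
            findings.append("SPF: no terminating 'all' mechanism or redirect")

    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} is not enforced")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, aggregate reports are lost")
    return findings


if __name__ == "__main__":
    print(audit_email_records(SAMPLE_ZONE, "example.test") or "email auth gate: pass")
```

To run it against a live zone, fill the dictionary from `dig +short TXT` output for the apex and for `_dmarc.<domain>`.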
Edge Cases
- Cloudflare proxy: Disable orange cloud (proxy) for Firebase Hosting A records — Firebase needs a direct connection for SSL.
- Subdomain delegation: If a subdomain is managed separately, add NS records for delegation.
- CAA records: Add a CAA record allowing Let's Encrypt: `0 issue "letsencrypt.org"`.
- TTL strategy: Set low TTL (300s) before migration, increase to 3600s after verification.
Self-Correction Triggers
- SSL not provisioning → check A records, remove Cloudflare proxy, verify TXT record.
- Email going to spam → verify SPF, DKIM, DMARC records. Test with mail-tester.com.
- Domain not resolving → check nameserver configuration, verify zone file syntax.
- Mixed content warnings → audit all asset URLs, ensure HTTPS everywhere.
Usage
Example invocations:
- "/domain-dns-setup" — Run the full domain DNS setup workflow
- "domain dns setup on this project" — Apply to current context
Assumptions & Limits
- Assumes access to project artifacts (code, docs, configs) [EXPLICIT]
- Requires English-language output unless otherwise specified [EXPLICIT]
- Does not replace domain expert judgment for final decisions [EXPLICIT]