<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 01/03/2020 19:28, Michael Rommel via
Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:53A140E1-6B17-4E3D-A714-B429C93998E0@layer-7.net">
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">1.
the easy one: put the challenge of ACME into the DNS at
runtime. Now, I did this previously with isc-bind and used the
dynamic dns update feature for the relevant zone. Since I have
not yet hands-on experience with pdns, I am asking for the
correct way to implement this. I read that I can use three
different ways to accomplish that:</span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">a)
dynamic DNS updates </span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">b)
the HTTP API</span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">c)
inserting the record directly into the backend database, but I
would have to make sure that no previous query to that record
had been sent to pdns, otherwise it could respond from the
cache.</span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">What
is the best way to do it?</span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br>
</span></div>
</blockquote>
<p>Depends on what your letsencrypt software uses. I use the bind
backend with DDNS updates, with dehydrated. There are some sample
challenge hooks for dehydrated <a moz-do-not-send="true"
href="https://github.com/dehydrated-io/dehydrated/wiki">here</a>,
and I see all your options covered:<br>
</p>
<p>One which uses DDNS updates: <a
href="https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script">https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script</a></p>
<p>One which uses the API: <a
href="https://github.com/silkeh/pdns_api.sh">https://github.com/silkeh/pdns_api.sh</a></p>
<p>One which uses mysql updates: <a
href="https://github.com/antoiner77/dehyrated-pdns/blob/master/pdns.sh">https://github.com/antoiner77/dehyrated-pdns/blob/master/pdns.sh</a></p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:53A140E1-6B17-4E3D-A714-B429C93998E0@layer-7.net">
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.
the hard one: how can an answer to an A RR query be synthesized
from the queried name? My current way of thinking is to use
the remote backend and write a node.js application (with
ZeroMQ, as that's what I am familiar with) that answers these
questions.</span></div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">My
question to you all would here be: is this a stable setup with
pdns? Is the remote backend interface widely used and battle
tested? Or is this an uncommon thing and I am probably running
into trouble? The scale of my application is that there would
be something like 500,000 devices out there, not more.</span></div>
<div><font color="#000000"><span style="caret-color: rgb(0, 0,
0);"><br>
</span></font></div>
</blockquote>
<p>To minimise the number of moving parts, I'd start by seeing if
LUA records can do what you want: <a
href="https://doc.powerdns.com/authoritative/lua-records/index.html">https://doc.powerdns.com/authoritative/lua-records/index.html</a></p>
<p>There are existing functions for working with dynamic forward and
reverse:<br>
</p>
<p><a
href="https://doc.powerdns.com/authoritative/lua-records/functions.html#reverse-dns-functions">https://doc.powerdns.com/authoritative/lua-records/functions.html#reverse-dns-functions</a></p>
<p>The documentation says that createReverse with %5% will support
the A-B-C-D format you want; but createForward doesn't.
Confusingly, there is a <a moz-do-not-send="true"
href="https://github.com/PowerDNS/pdns/blob/master/pdns/lua-record.cc#L612">comment
in the code</a> which says it does:<br>
</p>
<pre>      if(parts.size()==1) {
        // either hex string, <font color="#ff0000"><b>or 12-13-14-15</b></font>
        // cout&lt;&lt;parts[0]&lt;&lt;endl;
        unsigned int x1, x2, x3, x4;
        if(sscanf(parts[0].c_str()+2, "%02x%02x%02x%02x", &amp;x1, &amp;x2, &amp;x3, &amp;x4)==4) {
          return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
        }


      }
      return std::string("0.0.0.0");
    });</pre>
<p>... but I can't see anything in the code which actually parses
this format. So either this is an oversight in the code, or the
comment is wrong. It looks like it would be a pretty
straightforward feature to add.<br>
</p>
<p>If there's no way round this, then you can use the full LUA
backend instead: <a
href="https://doc.powerdns.com/authoritative/backends/lua2.html">https://doc.powerdns.com/authoritative/backends/lua2.html</a></p>
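<p>As an added illustration (not code from this thread or from PowerDNS), the following stand-alone C++ helper shows what parsing both label forms would look like: the two-character-prefixed hex string the quoted sscanf() already handles, and the 12-13-14-15 form the comment promises. The function name forwardFromLabel and the sample labels are assumptions; it also checks the octet range and the label length, which the quoted code does not, so an unexpected query name maps to 0.0.0.0 rather than to a partially parsed address.</p>

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper, not PowerDNS code: one decimal or hex octet, parsed
// strictly (no sign, no whitespace, no value above 255).
static bool parseOctet(const std::string& s, int base, unsigned int& out) {
    if (s.empty() || s.size() > 3) return false;
    unsigned int v = 0;
    for (char c : s) {
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (base == 16 && c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (base == 16 && c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return false;
        v = v * base + d;
    }
    if (v > 255) return false;
    out = v;
    return true;
}

// Synthesize a dotted quad from the first label of the queried name.
// Accepts "12-13-14-15" (four dashed decimal octets) and the form the quoted
// sscanf() handles: a two-character prefix plus exactly eight hex digits, e.g.
// "ip0a0b0c0d". Anything else maps to "0.0.0.0", like the quoted fallback, so
// an unexpected query name never yields a half-parsed or out-of-range address.
std::string forwardFromLabel(const std::string& label) {
    unsigned int o[4];
    std::vector<std::string> fields(1);
    for (char c : label) {
        if (c == '-') fields.emplace_back();
        else fields.back().push_back(c);
    }
    bool ok = fields.size() == 4;
    for (size_t i = 0; ok && i < 4; ++i) ok = parseOctet(fields[i], 10, o[i]);
    if (!ok && label.size() == 10) {  // prefix + 8 hex digits, nothing trailing
        ok = true;
        for (size_t i = 0; ok && i < 4; ++i) ok = parseOctet(label.substr(2 + 2 * i, 2), 16, o[i]);
    }
    if (!ok) return "0.0.0.0";
    return std::to_string(o[0]) + "." + std::to_string(o[1]) + "." +
           std::to_string(o[2]) + "." + std::to_string(o[3]);
}
int main() {
    const char* labels[] = {"12-13-14-15", "ip0a0b0c0d", "300-1-1-1", "1-2-3"};  // constructed
    for (const char* l : labels) std::printf("%-12s -> %s\n", l, forwardFromLabel(l).c_str());
    return 0;
}
```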
<p><br>
</p>
</body>
</html>