<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 22/06/2021 12:33, Jan-Piet Mens via
Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:YNHKfIDVZLFIhdXi@rabbit.ww.mens.de">
<blockquote type="cite" style="color: #007cff;">For Letsencrypt
protocol to generate certificate I have to enable zone
<br>
transfer in my powerdns.
<br>
</blockquote>
<br>
I think you mean "DNS Updates" for Let's Encrypt dns-01, but I
don't
<br>
believe these are possible in PowerDNS with the LDAP backend.
</blockquote>
<p>Possibly, although the OP was specifically testing AXFR.</p>
<p>Regarding the separate issue of DNS updates, the way I deal with
this is:</p>
<p>1. I run a separate nameserver for Letsencrypt use only (say
"acme-ns.example.net")<br>
</p>
<p>2. For every domain I want a cert for (say "foo.example.com"), I
statically add an NS record in my main DNS, pointing at that
server:</p>
<p>_acme-challenge.foo.example.com. NS acme-ns.example.net.</p>
<p>3. I create empty zone "_acme-challenge.foo.example.com" on
"acme-ns.example.net", with a random TSIG secret for DNS updates.</p>
<p>4. I give that secret to the server that wants to obtain a
certificate.<br>
</p>
<p>It doesn't actually matter what nameserver you use for
acme-ns.example.net, because the data stored within it is
completely transitory. Even something with a RAM backend would be
fine. I happen to use bind9 because it was easy to set up; I
didn't want to use a database, and the powerdns bind backend
doesn't support <a moz-do-not-send="true"
href="https://doc.powerdns.com/authoritative/dnsupdate.html">DNS
updates</a>.</p>
<p>With this approach, there's no risk that the target server could
ever modify any record in the production DNS, accidentally or
maliciously.<br>
</p>
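<p>The four steps above, as an added worked example (this is not the poster's own configuration, nor anything from the PowerDNS or BIND projects). It assumes the hypothetical names used in the message, foo.example.com and acme-ns.example.net, plus an assumed TSIG key name "acme-foo" and assumed file paths under /etc/bind and /var/lib/bind. It generates the secret, prints the one NS record for the production zone, writes the BIND 9 key, zone stanza and minimal zone file for the ACME-only server, and emits the nsupdate batch the certificate-requesting host would run. One thing the example adds beyond the message: the update-policy grants the key TXT-only rights inside that one zone, so even the ACME server's other zones (if any) are out of reach.</p>

```shell
#!/bin/sh
# Added example (not from the original post): generates the pieces of the
# delegated-zone setup described above. Names are hypothetical, taken from the
# post: foo.example.com (the domain needing a cert), acme-ns.example.net
# (the ACME-only nameserver), and an assumed TSIG key name "acme-foo".
# Run with ACME_DEMO=1 to write the files into ./acme-demo.

set -e

# Random 256-bit TSIG secret, base64-encoded as BIND's key statement expects.
gen_tsig_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Step 2: the one static record added to the PRODUCTION zone. It only
# delegates _acme-challenge.<domain>; nothing else in production changes.
delegation_record() {
    domain="$1"; acme_ns="$2"
    printf '_acme-challenge.%s. IN NS %s.\n' "$domain" "$acme_ns"
}

# Step 3: BIND 9 config for the ACME-only server: key file, zone stanza and
# a minimal zone (SOA + NS; the apex TXT is what the ACME client will add).
# The update-policy is narrower than "any update with this key": the key may
# only touch TXT records inside this zone.
write_acme_ns_config() {
    outdir="$1"; domain="$2"; acme_ns="$3"; keyname="$4"; secret="$5"
    zone="_acme-challenge.$domain"
    mkdir -p "$outdir"

    cat > "$outdir/$keyname.key" <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
    chmod 600 "$outdir/$keyname.key"

    cat > "$outdir/named.conf.local" <<EOF
include "/etc/bind/$keyname.key";
zone "$zone" {
    type master;
    file "/var/lib/bind/db.$zone";
    update-policy { grant $keyname zonesub TXT; };
};
EOF

    cat > "$outdir/db.$zone" <<EOF
\$TTL 60
@ IN SOA $acme_ns. hostmaster.$domain. ( 1 3600 900 604800 60 )
@ IN NS $acme_ns.
EOF
}

# Step 4, client side: the nsupdate batch the certificate-requesting host
# runs with the key it was given:  nsupdate -k acme-foo.key batch.txt
# The challenge TXT sits at the apex of the delegated zone.
write_nsupdate_batch() {
    domain="$1"; acme_ns="$2"; token="$3"
    zone="_acme-challenge.$domain"
    cat <<EOF
server $acme_ns
zone $zone.
update delete $zone. TXT
update add $zone. 60 IN TXT "$token"
send
EOF
}

demo() {
    secret=$(gen_tsig_secret)
    delegation_record foo.example.com acme-ns.example.net
    write_acme_ns_config ./acme-demo foo.example.com acme-ns.example.net acme-foo "$secret"
    # "constructed-token" stands in for the value the ACME client hands over.
    write_nsupdate_batch foo.example.com acme-ns.example.net "constructed-token" > ./acme-demo/batch.txt
    ls ./acme-demo
}

if [ "${ACME_DEMO:-0}" = 1 ]; then demo; fi
```

<p>The generated named.conf.local and key file go on acme-ns.example.net; only the key file is copied to the host that requests certificates, which runs nsupdate against the batch. Because the production zone carries nothing but the NS delegation, the key can neither read nor write any production record, which is the point of the setup described in the message.</p>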
</body>
</html>