<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
Hi,<br>
<br>
On 22/06/2021 at 13:46, Brian Candler via Pdns-users wrote:<br>
<blockquote type="cite" cite="mid:531a5023-ff36-4af1-5fe7-6adf7a6e0178@pobox.com">
<div class="moz-cite-prefix">On 22/06/2021 12:33, Jan-Piet Mens
via Pdns-users wrote:<br>
</div>
<blockquote type="cite" cite="mid:YNHKfIDVZLFIhdXi@rabbit.ww.mens.de">
<blockquote type="cite" style="color: #007cff;">For Letsencrypt
protocol to generate certificate I have to enable zone <br>
transfer in my powerdns. <br>
</blockquote>
<br>
I think you mean "DNS Updates" for Let's Encrypt dns-01, but I
don't <br>
believe these are possible in PowerDNS with the LDAP backend. </blockquote>
<p>Possibly, although the OP was specifically testing AXFR.</p>
<p>Regarding the separate issue of DNS updates, the way I deal
with this is:</p>
<p>1. I run a separate nameserver for Letsencrypt use only (say
"acme-ns.example.net")<br>
</p>
</blockquote>
[snip]<br>
<blockquote type="cite" cite="mid:531a5023-ff36-4af1-5fe7-6adf7a6e0178@pobox.com">
4. I give that secret to the server that wants to obtain a
certificate.<br>
</blockquote>
<br>
I realize that my comment here is off-topic and has really nothing
to do with PowerDNS, but... At first I was triggered by the setup
that Brian described, but when I compared the concept with how I
have set things up, I really couldn't see the advantage of running a
separate nameserver, so I thought I'd put my 2 cents worth out here.<br>
<br>
Instead of having web servers run Certbot themselves, using
temporary secrets for DNS updates, I just have a single server doing
all the LetsEncrypt stuff. In my case, it's the Puppet server, but
it could just as well be the name server itself. The webservers then
request a certificate from the central server, not with certbot but
through some other mechanism, and the central server obtains the
certificate and serves it to the webserver. This way, no untrusted DNS
updates are ever necessary.<br>
<br>
While 'some other mechanism' and 'serves it to the webserver' might
sound like complexity that is in the same league as running a
separate DNS server, it really isn't when you use Puppet or some
other config management tool to manage your vhosts. The code that
manages the vhosts calls Certbot on the Puppet server and uses
Puppet's built-in file server to serve the result to the requesting
client. All the functionality is just there, out of the box, except
for one simple wrapper script that does some sanity checking before
actually running Certbot.<br>
<br>
Cheers,<br>
Martijn.<br>
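The "one simple wrapper script that does some sanity checking before actually running Certbot" is the part of this design that carries the security load: because only the central server holds DNS update credentials, the wrapper is what stops a compromised web server from obtaining a certificate for a name it has no business owning. Below is an added example of such a wrapper, written for this page and not Martijn's script or anything from PowerDNS or Puppet. It assumes certbot's dns-rfc2136 plugin with its credentials file kept on the central server, a constructed policy mapping Puppet certnames to the names they may request, and constructed zone names; all of those are illustrative.

```python
#!/usr/bin/env python3
"""Sanity-checking wrapper around certbot on a central ACME host.

Assumed design (example code, not the original poster's script): the
central server is the only machine holding DNS update credentials.
A client identifies itself by its Puppet certname and asks for one
FQDN; this wrapper decides whether to honour that before certbot runs.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample policy (assumed, not from the original post):
# which client certname may request which names. A "*.suffix" entry
# permits exactly one extra label under that suffix.
POLICY: Dict[str, Set[str]] = {
    "web1.example.net": {"www.example.net", "example.net"},
    "web2.example.net": {"*.apps.example.net"},
}

# Zones this server can actually update via RFC 2136 (assumed).
MANAGED_ZONES: Set[str] = {"example.net", "example.org"}

# One DNS label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


class RequestRejected(Exception):
    """Raised for any request the wrapper refuses to pass to certbot."""


def normalise_fqdn(fqdn: str) -> str:
    """Lower-case, drop one trailing dot, and validate strict hostname syntax.

    This also rules out whitespace and option-like junk, so the value
    handed to certbot's -d can only ever be a clean hostname.
    """
    name = fqdn.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise RequestRejected(f"bad length: {fqdn!r}")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise RequestRejected(f"malformed hostname: {fqdn!r}")
    return name


def in_managed_zone(name: str) -> bool:
    """True if name is the apex of, or below, a zone we can update.

    The "." prefix on the suffix test stops notexample.net matching example.net.
    """
    return any(name == z or name.endswith("." + z) for z in MANAGED_ZONES)


def allowed_for_client(client: str, name: str) -> bool:
    """Check the client's policy entry; '*.suffix' matches one extra label only."""
    for pattern in POLICY.get(client, set()):
        if pattern.startswith("*."):
            suffix = pattern[2:]
            if name.endswith("." + suffix):
                extra = name[: -len(suffix) - 1]   # the part before ".suffix"
                if "." not in extra:
                    return True
        elif pattern == name:
            return True
    return False


def check_request(client: str, fqdn: str) -> str:
    """Return the validated name, or raise RequestRejected."""
    name = normalise_fqdn(fqdn)
    if not in_managed_zone(name):
        raise RequestRejected(f"{name} is outside the zones we manage")
    if not allowed_for_client(client, name):
        raise RequestRejected(f"{client} may not request {name}")
    return name


def build_certbot_command(
    client: str,
    fqdn: str,
    creds: str = "/etc/letsencrypt/rfc2136.ini",   # assumed path
    email: str = "hostmaster@example.net",         # assumed contact
) -> List[str]:
    """Build the argv for certbot's dns-rfc2136 plugin after all checks pass.

    The credentials file (TSIG key) lives only on this host; clients
    never see it, which is the whole point of centralising issuance.
    """
    name = check_request(client, fqdn)
    return [
        "certbot", "certonly", "--non-interactive", "--agree-tos",
        "--email", email,
        "--dns-rfc2136", "--dns-rfc2136-credentials", creds,
        "-d", name,
    ]


if __name__ == "__main__":
    import sys
    try:
        argv = build_certbot_command(sys.argv[1], sys.argv[2])
    except (IndexError, RequestRejected) as exc:
        sys.exit(f"refused: {exc}")
    sys.exit(subprocess.run(argv).returncode)
```

In the Puppet arrangement described above the client certname would come from the already-authenticated Puppet connection rather than from argv, and the resulting certificate directory is what Puppet's file server then hands back to the requesting host.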
</body>
</html>