<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div data-html-editor-font-wrapper="true" style="font-family: arial, sans-serif; font-size: 13px;">Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything.<br><br>(also I'm new to this mailing list business)<br><br>July 9, 2021 4:03 PM, "Brian Candler" <<a target="_blank" tabindex="-1" href="mailto:b.candler@pobox.com?to=%22Brian%20Candler%22%20<b.candler@pobox.com>">b.candler@pobox.com</a>> wrote:<br> <blockquote><div><div> <div>On 09/07/2021 14:43, informant--- via Pdns-users wrote:</div> <blockquote type="cite" cite="mid:3089114269d12189b68539695e012e91@trinaxab.se"> <span style="font-size: 12px"><span style="font-family: Tahoma,Geneva,sans-serif">I intend to set up a PowerDNS authoritative server and recursor, where a few subdomains will be forwarded to the auth server for internal use only (local IP addresses). We do not wish to allow lookups for these domains by any external host. So far, so good.</span></span><br><br><span style="font-size: 12px"><span style="font-family: Tahoma,Geneva,sans-serif">Now, additionally, I would like to employ Let’s Encrypt certificates for these private services by using the DNS wildcard challenge. This, of course, requires that the DNS server be public. My question, then, is: can I set up PowerDNS in such a way that the DNS server allows the necessary lookups required to complete the DNS challenge, but prevents lookups for any subdomains by any external host?</span></span> </blockquote> <p>You have a domain like "int.example.com" where you don't want any names to be visible to the outside world, but you want to be able to obtain certificates for them. Correct?</p> </div></div></blockquote> <br><br> </div></body></html>
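The thread above has not yet answered the question. One common way to meet both requirements is a split-horizon layout: the public authoritative copy of intra.example.com carries nothing but the apex records and the single _acme-challenge TXT record that validation for a *.intra.example.com wildcard certificate needs, while every internal hostname lives in a separate zone that only internal resolvers are allowed to query. The risk with that layout is an internal record accidentally landing in the public zone, so the script below, an added example that is not from the mailing-list thread or from PowerDNS, parses a BIND-style zone file and reports every record that should not be in the public copy. The zone text, hostnames and token values are constructed sample data; the allowed-record policy is an assumption of this example.

```python
"""Check that a public-facing zone file leaks no internal names.

Added example, not from the pdns-users thread. It assumes a split-horizon
design: the public authoritative zone for intra.example.com carries only the
apex (SOA/NS/CAA) and the _acme-challenge TXT record Let's Encrypt validates
for a *.intra.example.com wildcard certificate, while every internal hostname
lives in a separate zone served only to internal clients. All zone text below
is constructed sample data.
"""
from typing import List, Tuple

ZONE = "intra.example.com"

# Constructed sample: what the public zone SHOULD contain and nothing more.
PUBLIC_ZONE_OK = """\
$ORIGIN intra.example.com.
@                 3600 IN SOA  ns1.example.com. hostmaster.example.com. 2021070901 7200 900 1209600 300
@                 3600 IN NS   ns1.example.com.
@                 3600 IN NS   ns2.example.com.
_acme-challenge    120 IN TXT  "constructed-acme-token-value"
"""

# Constructed sample: the same zone with internal records that must never be public.
PUBLIC_ZONE_LEAKY = """\
$ORIGIN intra.example.com.
@                 3600 IN SOA  ns1.example.com. hostmaster.example.com. 2021070902 7200 900 1209600 300
@                 3600 IN NS   ns1.example.com.
_acme-challenge    120 IN TXT  "constructed-acme-token-value"
gitlab            3600 IN A    10.10.0.20          ; internal host leaked
_acme-challenge.gitlab 120 IN TXT "constructed-token-2" ; per-host challenge reveals the host name
*                 3600 IN A    10.10.0.1           ; wildcard pointing at an internal address
"""


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse a minimal BIND-style zone into (owner_fqdn, type, rdata) tuples.

    Handles $ORIGIN, '@', relative and absolute owner names, and optional TTL
    and class tokens. Text after ';' and blank lines are ignored.
    """
    origin = ""
    records: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # Drop optional TTL and class tokens so that rest starts with the RR type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn.lower(), rtype, rdata))
    return records


# Record types that may legitimately sit at the apex of the public zone (assumed policy).
ALLOWED_APEX_TYPES = {"SOA", "NS", "CAA"}


def find_leaks(zone_text: str, zone: str = ZONE) -> List[Tuple[str, str, str]]:
    """Return every record that has no business in the public copy of the zone.

    Allowed: apex SOA/NS/CAA, and TXT records owned by exactly
    _acme-challenge.<zone>, the name validated for a *.<zone> wildcard cert.
    Everything else is reported, including per-host challenge names, because
    the mere existence of such a record reveals an internal hostname.
    """
    zone = zone.lower()
    challenge_owner = f"_acme-challenge.{zone}"
    leaks = []
    for fqdn, rtype, rdata in parse_zone(zone_text):
        if fqdn == zone and rtype in ALLOWED_APEX_TYPES:
            continue
        if fqdn == challenge_owner and rtype == "TXT":
            continue
        leaks.append((fqdn, rtype, rdata))
    return leaks


if __name__ == "__main__":
    for label, text in (("clean", PUBLIC_ZONE_OK), ("leaky", PUBLIC_ZONE_LEAKY)):
        leaks = find_leaks(text)
        print(f"{label}: {len(leaks)} leaked record(s)")
        for fqdn, rtype, rdata in leaks:
            print(f"  {fqdn} {rtype} {rdata}")
```

Running the check against the leaky sample reports the three internal records and nothing else; the clean sample passes. In the assumed layout the internal names would be served by the internal authoritative server and reached through the recursor's forward-zones setting, so the public zone never needs to carry them, and a check like this one can run before each publish of the public zone.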