[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
dom at digineo.de
Mon Jul 8 09:43:54 UTC 2019
I'm currently running pdns 4.1.1 authoritative server (from Ubuntu 18.04
repositories) in master/slave mode, and manage my zones via BIND backend
(using our own DSL, dnsgit).
To ease future TLS deployments, I'd like to use something like lego
to get certificates from Let's Encrypt using the dns-01 challenge,
which requires me to enable the web/api server. Issue #2400 suggests
that I'd also need a non-BIND backend.
My primary questions now are:
1. How do I restrict API access to only add/remove TXT records for
_acme-challenge labels? The docs mention an ACL ("the default ACL
before 4.1.0 allows access from everywhere"), but it seems to
only be capable of whitelisting CIDR lists for incoming requests.
2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
like to see API patches going only to the SQLite DB, and leave the
BIND zone files untouched. Is that doable?
A colleague of mine suggested delegating _acme-challenge subdomains to a
dedicated DNS server, like acme-dns, but that still requires a bunch
of CNAME records for some (most?) of our A/AAAA records (plus a separate
server/IP just for ACME challenges)...
I'd be grateful for any input.
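The first question above (limiting an API credential to TXT records at _acme-challenge labels, when the built-in ACL only filters by source CIDR) is one that a small policy filter in front of the API can answer. The following is an added example, not code from the poster or from the PowerDNS project: it assumes a reverse proxy or auth hook that sees the JSON body of each RRset PATCH request before forwarding it, and it validates that body against an "ACME-only" policy. The JSON shape (`rrsets`, `name`, `type`, `changetype`, `records`, `content`) follows the PowerDNS RRset API format; the zone names and sample bodies are constructed for illustration.

```python
import json
import re

# Left-most label under which ACME dns-01 challenge records live.
ACME_LABEL = "_acme-challenge"

# A dns-01 TXT value is base64url(SHA-256(key authorization)): 43 characters,
# quoted as TXT content is in the PowerDNS API.
TOKEN_RE = re.compile(r'^"[A-Za-z0-9_-]{43}"$')


def validate_acme_rrset_patch(body, zone):
    """Check an RRset PATCH body against the ACME-only policy.

    Returns (True, "ok") when every rrset is a TXT REPLACE/DELETE at an
    _acme-challenge label inside `zone`, otherwise (False, reason).
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    rrsets = doc.get("rrsets") if isinstance(doc, dict) else None
    if not isinstance(rrsets, list) or not rrsets:
        return False, "missing or empty rrsets"

    zone = zone.strip().rstrip(".").lower() + "."
    for rr in rrsets:
        name = str(rr.get("name", "")).lower()
        rtype = rr.get("type")
        change = rr.get("changetype")
        if rtype != "TXT":
            return False, "only TXT records are allowed, got %r" % (rtype,)
        if change not in ("REPLACE", "DELETE"):
            return False, "changetype must be REPLACE or DELETE, got %r" % (change,)
        # The owner name must be _acme-challenge.<...>.<zone>. with the ACME
        # label left-most, so the credential cannot touch any other name
        # (no A/AAAA rewrites, no SPF/DMARC TXT at the apex).
        in_zone = name == ACME_LABEL + "." + zone or (
            name.startswith(ACME_LABEL + ".") and name.endswith("." + zone))
        if not in_zone:
            return False, "name %r is not an _acme-challenge label in %s" % (name, zone)
        if change == "REPLACE":
            records = rr.get("records") or []
            if not records:
                return False, "REPLACE with no records"
            for rec in records:
                content = str(rec.get("content", ""))
                if not TOKEN_RE.match(content):
                    return False, "content %r is not a dns-01 token" % (content,)
    return True, "ok"


# Constructed sample request bodies (not captured from any real system).
GOOD_BODY = json.dumps({"rrsets": [{
    "name": "_acme-challenge.www.example.com.", "type": "TXT",
    "changetype": "REPLACE", "ttl": 60,
    "records": [{"content": '"' + "A" * 43 + '"', "disabled": False}],
}]})

# Same shape, but tries to rewrite an A record: must be refused.
HIJACK_BODY = json.dumps({"rrsets": [{
    "name": "www.example.com.", "type": "A", "changetype": "REPLACE", "ttl": 60,
    "records": [{"content": "192.0.2.1", "disabled": False}],
}]})

# TXT, but at the apex rather than an _acme-challenge label: refused.
SPF_BODY = json.dumps({"rrsets": [{
    "name": "example.com.", "type": "TXT", "changetype": "REPLACE", "ttl": 60,
    "records": [{"content": '"v=spf1 -all"', "disabled": False}],
}]})

# Post-validation cleanup of the challenge record: allowed.
CLEANUP_BODY = json.dumps({"rrsets": [{
    "name": "_acme-challenge.www.example.com.", "type": "TXT",
    "changetype": "DELETE", "records": [],
}]})

if __name__ == "__main__":
    for label, body in [("good", GOOD_BODY), ("hijack", HIJACK_BODY),
                        ("spf", SPF_BODY), ("cleanup", CLEANUP_BODY)]:
        print(label, validate_acme_rrset_patch(body, "example.com"))
```

The filter is deliberately a whitelist: anything it does not recognise as a dns-01 TXT change under `_acme-challenge` is rejected, so a leaked ACME credential is worth much less than the full API key, which is the gap the CIDR-only ACL leaves open.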