[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
Dominik Menke
dom at digineo.de
Mon Jul 8 09:43:54 UTC 2019
Hi,
I'm currently running pdns 4.1.1 authoritative server (from Ubuntu 18.04
repositories) in master/slave mode, and manage my zones via BIND backend
(using our own DSL, dnsgit [1]).
To ease future TLS deployments, I'd like to use something like lego [2]
to get certificates from Let's Encrypt using the dns-01 challenge [3];
which requires me to enable the web/api server. Issue #2400 [4] suggests
that I'd also need a non-BIND backend.
My primary questions now are:
1. How do I restrict API access to only add/remove TXT records for
_acme-challenge labels? The docs mention an ACL ("the default ACL
before 4.1.0 allows access from everywhere" [5]), but it seems to
only be capable of whitelisting CIDR lists for incoming requests
("webserver-allow-from").
2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
like to see API patches going only to the SQLite DB, and leave the
BIND zone files untouched. Is that doable?
A colleague of mine suggested delegating _acme-challenge subdomains to a
dedicated DNS server, like acme-dns [6], but that still requires a bunch
of CNAME records for some (most?) of our A/AAAA records (plus a separate
server/IP just for ACME challenges)...
I'd be grateful for any input.
Kind Regards,
Dominik Menke
[1]: https://github.com/digineo/dnsgit
[2]: https://go-acme.github.io/lego/dns/pdns/
[3]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
[4]: https://github.com/PowerDNS/pdns/issues/2400
[5]: https://doc.powerdns.com/authoritative/http-api/index.html#webserver
[6]: https://github.com/joohoi/acme-dns
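Added example, not code from the post, from PowerDNS or from lego: since "webserver-allow-from" only filters by source address, one way to get the restriction asked about in question 1 is a small filtering reverse proxy between the ACME client and the PowerDNS HTTP API that holds the real X-API-Key and only forwards requests matching an allow-list. It assumes the PowerDNS webserver listens on http://127.0.0.1:8081, that the proxy listens on 127.0.0.1:8082, and that the ACME client needs only read (GET) access plus RRset PATCH requests; the upstream address, API key, listen port and the sample request bodies built by patch_body() are assumptions and constructed data.

```python
"""Filtering reverse proxy for the PowerDNS Authoritative HTTP API (added example).

Policy (assumed to be what a dns-01 ACME client needs):
  * GET   anything under /api            -> pass through (zone discovery, API version)
  * PATCH /api/v1/servers/<s>/zones/<z>  -> pass through only if EVERY RRset is a
        TXT record, changetype REPLACE or DELETE, with an owner name that starts
        with "_acme-challenge." and lies inside the zone named in the URL
  * everything else (zone create/delete, PUT, other methods, /metrics) -> 403
The real X-API-Key lives only in this process; the ACME client never sees it.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:8081"   # assumed: PowerDNS webserver-address/webserver-port
API_KEY = "replace-me"               # assumed: the value of the api-key setting
LISTEN = ("127.0.0.1", 8082)         # assumed: point the ACME client here

ZONE_PATH = re.compile(r"^/api/v1/servers/[^/]+/zones/([^/]+)$")
ALLOWED_CHANGETYPES = {"REPLACE", "DELETE"}


def rrset_allowed(rrset: dict, zone: str) -> bool:
    """True iff this RRset is a TXT record under _acme-challenge inside `zone`."""
    name = str(rrset.get("name", "")).lower()
    return (
        str(rrset.get("type", "")).upper() == "TXT"
        and str(rrset.get("changetype", "")).upper() in ALLOWED_CHANGETYPES
        and name.startswith("_acme-challenge.")
        and name.endswith("." + zone)      # in-zone check; also forces the trailing dot
    )


def request_allowed(method: str, path: str, body: bytes) -> bool:
    """Decide whether one API request may be forwarded to PowerDNS."""
    path = urlsplit(path).path
    if method == "GET":
        return path.startswith("/api")
    m = ZONE_PATH.match(path)
    if method != "PATCH" or m is None:
        return False
    zone = unquote(m.group(1)).lower().rstrip(".") + "."   # "example.com" -> "example.com."
    try:
        doc = json.loads(body or b"")
    except ValueError:
        return False
    rrsets = doc.get("rrsets") if isinstance(doc, dict) else None
    if not isinstance(rrsets, list) or not rrsets:
        return False
    # A mixed PATCH (one allowed TXT plus an A record) is refused as a whole.
    return all(isinstance(r, dict) and rrset_allowed(r, zone) for r in rrsets)


def patch_body(name: str, rtype: str = "TXT", changetype: str = "REPLACE") -> bytes:
    """Constructed sample PATCH body in the PowerDNS RRsets format (for demos/tests)."""
    return json.dumps({"rrsets": [{
        "name": name, "type": rtype, "ttl": 60, "changetype": changetype,
        "records": [{"content": '"constructed-token"', "disabled": False}],
    }]}).encode()


class FilterProxy(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        if not request_allowed(self.command, self.path, body):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"refused by _acme-challenge policy\n")
            return
        req = Request(UPSTREAM + self.path, data=body or None, method=self.command,
                      headers={"X-API-Key": API_KEY, "Content-Type": "application/json"})
        try:
            with urlopen(req, timeout=10) as resp:
                status, data = resp.status, resp.read()
        except HTTPError as err:                 # relay PowerDNS's own 4xx/5xx unchanged
            status, data = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_PATCH = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    HTTPServer(LISTEN, FilterProxy).serve_forever()
```

The proxy itself has no authentication, so it must stay bound to loopback (or be given its own credential) and the real API port must not be reachable by the ACME client; if the client turns out to need an endpoint outside the allow-list, extend request_allowed() rather than opening the upstream port.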