[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)

Dominik Menke dom at digineo.de
Mon Jul 8 09:43:54 UTC 2019


I'm currently running pdns 4.1.1 authorative server (from Ubuntu 18.04 
repositories) in master/slave mode, and manage my zones via BIND backend 
(using our own DSL, dnsgit [1]).

To ease future TLS deployments, I'd like to use something like lego [2] 
to get certificates from Let's Encrypt using the dns-01 challenge [3]; 
which requires me to enable the web/api server. Issue #2400 [4] suggests 
that I'd also need a non-BIND backend.

My primary questions now are:

1. How do I restrict API access to only add/remove TXT records for
    _acme-challenge labels? The docs mention an ACL ("the default ACL
    before 4.1.0 allows access from everywhere" [5]), but it seems to
    only be cabable of whitelisting CIDR lists for incoming requests

2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
    like to see API patches going only to the SQLite DB, and leave the
    BIND zone files untouched. Is that doable?

A collegue of mine suggested delegating _acme-challenge subdomains to a 
dedicated DNS server, like acme-dns [6], but that still requires a bunch 
of CNAME records for some (most?) of our A/AAAA records (plus a separate 
server/IP just for ACME challenges)...

I'd be grateful for any input.

Kind Regards,
Dominik Menke

[1]: https://github.com/digineo/dnsgit
[2]: https://go-acme.github.io/lego/dns/pdns/
[3]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
[4]: https://doc.powerdns.com/authoritative/http-api/index.html#webserver
[5]: https://github.com/PowerDNS/pdns/issues/2400
[6]: https://github.com/joohoi/acme-dns

More information about the Pdns-users mailing list