[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)

Brian Candler b.candler at pobox.com
Mon Jul 8 10:17:37 UTC 2019


On 08/07/2019 10:43, Dominik Menke wrote:
> To ease future TLS deployments, I'd like to use something like lego 
> [2] to get certificates from Let's Encrypt using the dns-01 challenge 
> [3]; which requires me to enable the web/api server.

Or you can use dynamic DNS updates with TSIG:

https://doc.powerdns.com/authoritative/dnsupdate.html

https://go-acme.github.io/lego/dns/rfc2136/


>
> 1. How do I restrict API access to only add/remove TXT records for
>    _acme-challenge labels?

What I do is create separate zones for each _acme-challenge.foo.bar.com, 
with dynamic updates enabled.  Each domain can have its own TSIG key, so 
clients can only sign certificates for the names they are authorized for.


>
>
> A colleague of mine suggested delegating _acme-challenge subdomains to 
> a dedicated DNS server, like acme-dns [6], but that still requires a 
> bunch of CNAME records for some (most?) of our A/AAAA records (plus a 
> separate server/IP just for ACME challenges)...
>
That's how I do it. However I stopped using CNAME, and switched to using 
a single NS record to do the delegation to the separate server.

As a side benefit, the single NS record means you don't have to allow 
for DNS replication delays.  The one nameserver which accepts the 
dynamic updates is also the one nameserver which Letsencrypt checks the 
challenge/response against.

Regards,

Brian.
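
Added example, not part of the message above and not the poster's own setup: a shell sketch of the per-name challenge zone with its own TSIG key and a single NS delegation, as described in the reply. The hostnames, the client address, the key-naming scheme and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. DRY_RUN=1 (the default) prints the pdnsutil commands
# instead of running them. All names and addresses are constructed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Zone and key names derived from the certificate hostname (hypothetical scheme).
acme_zone() { echo "_acme-challenge.$1"; }
tsig_key_name() { echo "acme-$(echo "$1" | tr . -)"; }

# provision_acme_zone HOST ACME_NS CLIENT_ADDR
#   HOST        name the certificate is for, e.g. foo.bar.com
#   ACME_NS     the one nameserver that serves the challenge zone
#   CLIENT_ADDR address (CIDR) the ACME client sends updates from
provision_acme_zone() {
    host=$1 ns=$2 client=$3
    zone=$(acme_zone "$host")
    key=$(tsig_key_name "$host")
    # Requires dnsupdate=yes in pdns.conf on the server named by ACME_NS.
    run pdnsutil create-zone "$zone" "$ns"
    run pdnsutil generate-tsig-key "$key" hmac-sha256
    # Updates must carry this zone's TSIG key; the sender address is checked too.
    run pdnsutil set-meta "$zone" TSIG-ALLOW-DNSUPDATE "$key"
    run pdnsutil set-meta "$zone" ALLOW-DNSUPDATE-FROM "$client"
    # Single NS record to add to the parent zone (no CNAME involved).
    echo "; parent zone record: $zone. IN NS $ns."
}

# Client-side settings for lego's rfc2136 provider. The secret is the value
# that `pdnsutil list-tsig-keys` shows for this key.
lego_env() {
    echo "RFC2136_NAMESERVER=$2"
    echo "RFC2136_TSIG_KEY=$(tsig_key_name "$1")"
    echo "RFC2136_TSIG_ALGORITHM=hmac-sha256."
    echo "RFC2136_TSIG_SECRET=<secret for this key>"
}

if [ "$#" -gt 0 ]; then provision_acme_zone "$@"; fi
```

Because each key is bound to exactly one `_acme-challenge` zone, a client holding the key for one name cannot write challenge records for any other name.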


