[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)

Brian Candler b.candler at pobox.com
Mon Jul 8 10:17:37 UTC 2019

On 08/07/2019 10:43, Dominik Menke wrote:
> To ease future TLS deployments, I'd like to use something like lego 
> [2] to get certificates from Let's Encrypt using the dns-01 challenge 
> [3]; which requires me to enable the web/api server.

Or you can use dynamic DNS updates with TSIG:



> 1. How do I restrict API access to only add/remove TXT records for
>    _acme-challenge labels?

What I do is create separate zones for each _acme-challenge.foo.bar.com, 
with dynamic updates enabled.  Each domain can have its own TSIG key, so 
clients can only sign certificates for the names they are authorized for.

> A collegue of mine suggested delegating _acme-challenge subdomains to 
> a dedicated DNS server, like acme-dns [6], but that still requires a 
> bunch of CNAME records for some (most?) of our A/AAAA records (plus a 
> separate server/IP just for ACME challenges)...
That's how I do it. However I stopped using CNAME, and switched to using 
a single NS records to do the delegation to the separate server.

As a side benefit, the single NS record means you don't have to allow 
for DNS replication delays.  The one nameserver which accepts the 
dynamic updates is also the one nameserver which Letsencrypt checks the 
challenge/response against.



More information about the Pdns-users mailing list