[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
Kevin P. Fleming
kevin at km6g.us
Mon Jul 8 10:18:34 UTC 2019
It is not necessary to use the web/API server for DNS-01 challenges; I
use them all the time and don't have either of those enabled. DNS-01
can use a variety of protocols for adding/removing the necessary TXT
records, and if you choose the RFC2136 protocol you can communicate
directly with the pdns auth primary server and use its built-in
controls to restrict updating in various ways. If you need more
flexibility in restricting updates you can add a Lua script which
validates the incoming requests.
On Mon, Jul 8, 2019 at 5:43 AM Dominik Menke <dom at digineo.de> wrote:
> I'm currently running pdns 4.1.1 authoritative server (from Ubuntu 18.04
> repositories) in master/slave mode, and manage my zones via BIND backend
> (using our own DSL, dnsgit [1]).
> To ease future TLS deployments, I'd like to use something like lego [2]
> to get certificates from Let's Encrypt using the dns-01 challenge [3];
> which requires me to enable the web/api server. Issue #2400 [5] suggests
> that I'd also need a non-BIND backend.
> My primary questions now are:
> 1. How do I restrict API access to only add/remove TXT records for
> _acme-challenge labels? The docs mention an ACL ("the default ACL
> before 4.1.0 allows access from everywhere" [4]), but it seems to
> only be capable of whitelisting CIDR lists for incoming requests
> 2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
> like to see API patches going only to the SQLite DB, and leave the
> BIND zone files untouched. Is that doable?
> A colleague of mine suggested delegating _acme-challenge subdomains to a
> dedicated DNS server, like acme-dns [6], but that still requires a bunch
> of CNAME records for some (most?) of our A/AAAA records (plus a separate
> server/IP just for ACME challenges)...
> I'd be grateful for any input.
> Kind Regards,
> Dominik Menke
> [1]: https://github.com/digineo/dnsgit
> [2]: https://go-acme.github.io/lego/dns/pdns/
> [3]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
> [4]: https://doc.powerdns.com/authoritative/http-api/index.html#webserver
> [5]: https://github.com/PowerDNS/pdns/issues/2400
> [6]: https://github.com/joohoi/acme-dns
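As an added illustration of the Lua validation Kevin's reply mentions (example code written for this page, not from the thread or from PowerDNS itself): a `lua-dnsupdate-policy-script` that lets an ACME client use RFC 2136 to touch only TXT records at `_acme-challenge` labels. The `input` accessors and the `pdns.TXT` constant follow the PowerDNS update-policy documentation as I recall it; the TSIG key name and client address are placeholders.

```lua
-- Added example, not part of the thread. Loaded by the auth server with:
--   dnsupdate=yes
--   lua-dnsupdate-policy-script=/etc/powerdns/acme-update-policy.lua
-- The TSIG key is generated with "pdnsutil generate-tsig-key" and bound to
-- the zone via the TSIG-ALLOW-DNSUPDATE zone metadata.

-- TSIG key names allowed to change ACME challenge records (placeholder).
local acme_keys = { ["acme-updater."] = true }
-- Source addresses the ACME client is expected to use (placeholder).
local acme_hosts = { ["192.0.2.10"] = true }

-- True when qname is an _acme-challenge label somewhere inside zone.
local function is_acme_label(qname, zone)
  -- DNSName:toString() yields the fully qualified, dot-terminated form,
  -- e.g. "_acme-challenge.www.example.com."
  local name = qname:toString():lower()
  if name:find("^_acme%-challenge%.") == nil then
    return false
  end
  return qname:isPartOf(zone)
end

-- Called once per record in an UPDATE message; return false to reject.
function updatepolicy(input)
  local key    = input:getTsigName():toString()
  local remote = input:getRemote():toString()

  -- Only the ACME key, and only from the ACME client host.
  if not acme_keys[key] or not acme_hosts[remote] then
    return false
  end
  -- Only TXT records: nothing else may be added or deleted with this key.
  if input:getQType() ~= pdns.TXT then
    return false
  end
  -- Only at _acme-challenge labels of the zone being updated.
  return is_acme_label(input:getQName(), input:getZoneName())
end
```

Because the policy is evaluated for every record in the update, an UPDATE that mixes an allowed TXT change with any other record is rejected as a whole.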