[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)

Kevin P. Fleming kevin at km6g.us
Mon Jul 8 10:18:34 UTC 2019


It is not necessary to use the web/API server for DNS-01 challenges; I
use them all the time and don't have either of those enabled. DNS-01
can use a variety of protocols for adding/removing the necessary TXT
records, and if you choose the RFC2136 protocol you can communicate
directly with the pdns auth primary server and use its built-in
controls to restrict updating in various ways. If you need more
flexibility in restricting updates you can add a Lua script which
validates the incoming requests.

On Mon, Jul 8, 2019 at 5:43 AM Dominik Menke <dom at digineo.de> wrote:
>
> Hi,
>
> I'm currently running pdns 4.1.1 authoritative server (from Ubuntu 18.04
> repositories) in master/slave mode, and manage my zones via BIND backend
> (using our own DSL, dnsgit [1]).
>
> To ease future TLS deployments, I'd like to use something like lego [2]
> to get certificates from Let's Encrypt using the dns-01 challenge [3];
> which requires me to enable the web/api server. Issue #2400 [4] suggests
> that I'd also need a non-BIND backend.
>
> My primary questions now are:
>
> 1. How do I restrict API access to only add/remove TXT records for
>     _acme-challenge labels? The docs mention an ACL ("the default ACL
>     before 4.1.0 allows access from everywhere" [5]), but it seems to
>     only be capable of whitelisting CIDR lists for incoming requests
>     ("webserver-allow-from").
>
> 2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
>     like to see API patches going only to the SQLite DB, and leave the
>     BIND zone files untouched. Is that doable?
>
> A colleague of mine suggested delegating _acme-challenge subdomains to a
> dedicated DNS server, like acme-dns [6], but that still requires a bunch
> of CNAME records for some (most?) of our A/AAAA records (plus a separate
> server/IP just for ACME challenges)...
>
> I'd be grateful for any input.
>
> Kind Regards,
> Dominik Menke
>
>
> [1]: https://github.com/digineo/dnsgit
> [2]: https://go-acme.github.io/lego/dns/pdns/
> [3]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
> [4]: https://doc.powerdns.com/authoritative/http-api/index.html#webserver
> [5]: https://github.com/PowerDNS/pdns/issues/2400
> [6]: https://github.com/joohoi/acme-dns
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
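The Lua-based restriction Kevin mentions, as an added example that is not part of this thread or of PowerDNS's own code: a `lua-dnsupdate-policy-script` that only accepts RFC2136 updates touching TXT records under an `_acme-challenge` label inside the updated zone, signed with one TSIG key. The key name `acme-key` and the file path are assumptions; the `updatepolicy(input)` hook and its accessors come from the PowerDNS Authoritative update-policy API.

```lua
-- Added example: PowerDNS Authoritative RFC2136 update policy for ACME DNS-01.
-- Load it with `lua-dnsupdate-policy-script=/etc/powerdns/acme-policy.lua`
-- (path is an assumption); dnsupdate must be enabled on the primary.
-- PowerDNS calls updatepolicy() once per RR in the update message, so each
-- record is judged on its own: one bad record rejects the whole update.

-- TSIG key name that the ACME client is allowed to use (assumed name).
-- DNSName:toString() yields the canonical form with a trailing dot.
local ALLOWED_TSIG_KEY = "acme-key."

-- True when `name` equals `zone` or is a proper subdomain of it.
-- Both arguments are lower-cased, dot-terminated names.
local function within_zone(name, zone)
  if name == zone then return true end
  if #name <= #zone then return false end
  return string.sub(name, -#zone) == zone
     and string.sub(name, -#zone - 1, -#zone - 1) == "."
end

-- True when the owner name is exactly "_acme-challenge.<something inside zone>".
-- The Lua pattern escapes '-' and '.' so they are matched literally.
local function acme_label_ok(qname, zone)
  if not string.match(qname, "^_acme%-challenge%.") then return false end
  local rest = string.sub(qname, #"_acme-challenge." + 1)
  return within_zone(rest, zone)
end

-- Entry point invoked by PowerDNS for every RR in an incoming update.
-- Returning false refuses that record (and therefore the update).
function updatepolicy(input)
  local qname = string.lower(input:getQName():toString())
  local zone  = string.lower(input:getZoneName():toString())
  local qtype = input:getQType()
  local key   = string.lower(input:getTsigName():toString())

  if key ~= ALLOWED_TSIG_KEY then
    pdnslog("acme-policy: refused " .. qname .. " (TSIG key '" .. key .. "')")
    return false
  end
  -- Only TXT records may be added or deleted through this key.
  if qtype ~= pdns.TXT then
    pdnslog("acme-policy: refused " .. qname .. " (qtype " .. qtype .. " is not TXT)")
    return false
  end
  if not acme_label_ok(qname, zone) then
    pdnslog("acme-policy: refused " .. qname .. " (not an _acme-challenge label in " .. zone .. ")")
    return false
  end
  return true
end
```

Because the script decides per record, a single update that mixes an `_acme-challenge` TXT change with any other record is refused as a whole; pair it with `allow-dnsupdate-from` and the zone's TSIG-ALLOW-DNSUPDATE metadata so the key itself is also scoped.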