[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
dom at digineo.de
Mon Jul 8 13:31:30 UTC 2019
On 7/8/19 12:17 PM, Brian Candler wrote:
>> To ease future TLS deployments, I'd like to use something like lego
>>  to get certificates from Let's Encrypt using the dns-01 challenge
>> ; which requires me to enable the web/api server.
> Or you can use dynamic DNS updates with TSIG:
Thanks for the pointer(s), I will have a look.
>> A collegue of mine suggested delegating _acme-challenge subdomains to
>> a dedicated DNS server, like acme-dns , but that still requires a
>> bunch of CNAME records for some (most?) of our A/AAAA records (plus a
>> separate server/IP just for ACME challenges)...
> That's how I do it. However I stopped using CNAME, and switched to using
> a single NS records to do the delegation to the separate server.
> As a side benefit, the single NS record means you don't have to allow
> for DNS replication delays. The one nameserver which accepts the
> dynamic updates is also the one nameserver which Letsencrypt checks the
> challenge/response against.
Just for clarification, in your example.com zone, you have an NS record
pointing to your "challenge DNS server", i.e.
_acme-challenge IN NS nsacme.example.org.
right? What about subdomains of example.com? Won't they need an NS
record as well?
_acme-challenge.db IN NS nsacme.example.org.
_acme-challenge.git IN NS nsacme.example.org.
(Or am I just particularly slow today? :-))
More information about the Pdns-users