[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
Dominik Menke
dom at digineo.de
Mon Jul 8 13:31:30 UTC 2019
Hi Brian,
On 7/8/19 12:17 PM, Brian Candler wrote:
>> To ease future TLS deployments, I'd like to use something like lego
>> [2] to get certificates from Let's Encrypt using the dns-01 challenge
>> [3]; which requires me to enable the web/api server.
>
> Or you can use dynamic DNS updates with TSIG:
Thanks for the pointer(s), I will have a look.
>> A colleague of mine suggested delegating _acme-challenge subdomains to
>> a dedicated DNS server, like acme-dns [6], but that still requires a
>> bunch of CNAME records for some (most?) of our A/AAAA records (plus a
>> separate server/IP just for ACME challenges)...
>>
> That's how I do it. However I stopped using CNAME, and switched to using
> a single NS record to do the delegation to the separate server.
>
> As a side benefit, the single NS record means you don't have to allow
> for DNS replication delays. The one nameserver which accepts the
> dynamic updates is also the one nameserver which Letsencrypt checks the
> challenge/response against.
Sounds plausible.
Just for clarification, in your example.com zone, you have an NS record
pointing to your "challenge DNS server", i.e.
_acme-challenge IN NS nsacme.example.org.
right? What about subdomains of example.com? Won't they need an NS
record as well?
_acme-challenge.db IN NS nsacme.example.org.
_acme-challenge.git IN NS nsacme.example.org.
; etc.
(Or am I just particularly slow today? :-))
Kind Regards,
Dominik
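The zone-cut question above, as an added example (not from this thread or from PowerDNS): a small model of the NS delegations in a constructed example.com zone that shows which server ends up answering a TXT query for each _acme-challenge name, and which records the apex zone needs for a list of hosts. All names (example.com, nsacme.example.org, db, git) are taken from the messages above; the delegation table is constructed.

```python
# Model of DNS zone cuts for ACME dns-01 delegation. Constructed data.
APEX = "example.com."

# Constructed: NS delegations present in the example.com zone.
# owner name -> nameserver that will hold the _acme-challenge TXT records.
DELEGATIONS = {
    "_acme-challenge.example.com.": "nsacme.example.org.",
    "_acme-challenge.db.example.com.": "nsacme.example.org.",
}


def ancestors(name):
    """Yield name, then each parent: a.b.c. -> a.b.c., b.c., c., ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "."


def serving_nameserver(qname, delegations=DELEGATIONS, apex=APEX):
    """Return (zone owner, nameserver) for the TXT lookup at qname.

    Walking up from qname, the first NS owner reached is the closest
    enclosing zone cut (RFC 1034 section 4.3.2), so that server answers.
    Reaching the apex first means the apex zone (PowerDNS here) answers,
    and no delegation covers the name. Everything below a delegated
    owner is controlled by the delegated server, so only the
    _acme-challenge label should be delegated, never the host itself.
    """
    if apex not in ancestors(qname):
        raise ValueError(f"{qname} is not under {apex}")
    for candidate in ancestors(qname):
        if candidate == apex:
            return apex, None  # served by the apex zone, not delegated
        if candidate in delegations:
            return candidate, delegations[candidate]


def challenge_records_needed(hosts, target, apex=APEX):
    """Zone-file lines delegating each host's challenge name to target.

    One NS record per host: _acme-challenge.db.example.com is a sibling
    branch of _acme-challenge.example.com, not a child, so the apex
    delegation does not cover it.
    """
    lines = []
    for host in hosts:
        rel = "" if host == apex else host[: -len(apex) - 1]
        owner = "_acme-challenge" + ("." + rel if rel else "")
        lines.append(f"{owner} IN NS {target}")
    return lines
```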