[Pdns-users] Web API for dns-01 challenge (_acme-challenge subdomains)
Brian Candler
b.candler at pobox.com
Mon Jul 8 16:03:55 UTC 2019
On 08/07/2019 14:31, Dominik Menke wrote:
>
> Just for clarification, in your example.com zone, you have an NS
> record pointing to your "challenge DNS server", i.e.
>
> _acme-challenge IN NS nsacme.example.org.
>
> right? What about subdomains of example.com? Won't they need an NS
> record as well?
>
> _acme-challenge.db IN NS nsacme.example.org.
> _acme-challenge.git IN NS nsacme.example.org.
> ; etc.
That's correct: a separate NS record for each domain you want a
certificate for. This is static, so you just add it manually the first
time you want a certificate.
The top-level one should also allow you to get a wildcard certificate
<https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579>,
but I've not tried that yet.
Note that if you have split DNS, e.g. where "int.example.org" is an
internal domain on hidden private DNS servers, then on the outside you
can just have a single NS record:
int IN NS nsacme.example.org.
Regards,
Brian.
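The delegation scheme discussed in this thread can be checked mechanically. The following is an added example, not code from the original post or from PowerDNS: it generates the static `_acme-challenge` NS records for a list of names, maps a certificate name to the owner name an ACME dns-01 TXT record is looked up at, and reports which delegation (if any) covers that name. It shows why the apex delegation does not cover `_acme-challenge.db`, why the apex delegation is enough for a wildcard name, and why a single `int IN NS` delegation covers every host under a split-DNS subdomain. The zone `example.com`, the hosts `db`/`git`/`www` and the server `nsacme.example.org.` are constructed sample values taken from or modelled on the thread; the function names are this example's own.

```python
"""Build and check _acme-challenge NS delegations for ACME dns-01.

Added example, not part of the pdns-users post. Names below are
constructed sample values; the helpers are this example's own."""

ACME_LABEL = "_acme-challenge"


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def is_at_or_below(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or lies in its subtree."""
    name, parent = fqdn(name), fqdn(parent)
    return name == parent or name.endswith("." + parent)


def challenge_name(domain: str) -> str:
    """Owner name of the dns-01 TXT record for a certificate name.

    A wildcard name *.example.com is validated at the base name,
    i.e. _acme-challenge.example.com, so the apex delegation suffices."""
    base = domain[2:] if domain.startswith("*.") else domain
    return fqdn(f"{ACME_LABEL}.{base}")


def delegation_owner(name: str) -> str:
    """Zone-relative owner of the delegation for `name` ("@" = apex)."""
    return ACME_LABEL if name in ("", "@") else f"{ACME_LABEL}.{name}"


def delegation_records(names, challenge_ns: str):
    """Zone-file lines delegating _acme-challenge.<name> to the
    challenge server. Only these labels are delegated, so a key that
    can update the challenge server cannot touch the rest of the zone."""
    return [f"{delegation_owner(n)} IN NS {challenge_ns}" for n in names]


def covering_delegation(validation_name: str, zone: str, owners):
    """Most specific delegated owner (relative to `zone`) whose subtree
    contains `validation_name`, or None if nothing delegates it."""
    best, best_len = None, -1
    for owner in owners:
        delegated = fqdn(f"{owner}.{zone}")
        if is_at_or_below(validation_name, delegated) and len(delegated) > best_len:
            best, best_len = owner, len(delegated)
    return best


if __name__ == "__main__":
    names = ["@", "db", "git"]
    for line in delegation_records(names, "nsacme.example.org."):
        print(line)
    owners = [delegation_owner(n) for n in names]
    for cert in ["example.com", "*.example.com", "db.example.com", "www.example.com"]:
        cn = challenge_name(cert)
        print(f"{cert:18} -> {cn:36} covered by {covering_delegation(cn, 'example.com', owners)}")
    # Split DNS: one delegation of the whole internal subdomain covers every host.
    print(covering_delegation("_acme-challenge.host.int.example.org.", "example.org", ["int"]))
```

Running the script prints the three NS lines from the thread and then shows that `www.example.com` has no covering delegation until its own `_acme-challenge.www` record is added, exactly the per-name step Brian describes.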