[Pdns-users] Best way to setup pdns for ACME challenges and "virtual" entries

Michael Rommel rommel at layer-7.net
Sun Mar 1 19:28:53 UTC 2020


Dear all,

I have an application that would benefit from a setup like Plex' Secure Server connections. In short words, they use wildcard DNS records where the name of the resource record conforms to a syntax conveying the IP address, the record shall resolve to, for instance 10-0-1-13.someuuidforthedevice-abcdef.example.com.

The device gets a certificate for *. someuuidforthedevice-abcdef.example.com
When someone asks the DNS for 10-0-1-13.someuuidforthedevice-abcdef.example.com. they get an A record for 10.0.1.13 back.

In order to make this setup work with letsencrypt, two challenges arise:

1. the easy one: put the challenge of ACME into the DNS at runtime. Now, I did this previously with isc-bind and used the dynamic dns update feature for the relevant zone. Since I have not yet hands-on-experience with pdsn, I am asking for the correct way to implement this. I read that I can use three different ways to accomplish that:
a) dynamic DNS updates 
b) the HTTP API
c) inserting the record directly into the backend database, but I would have to make sure that no previous query to that record had been sent to pdns, otherwise it could respond from the cache.
What is the best way to do it?

2. the hard one: how can an answer to a A RR query be synthesized from the queried name? My current way of thinking is to use the remote backend and write a node.js application (with ZeroMQ, as that's what I am familiar with) that answers these questions.
My question to you all would here be: is this a stable setup with pdns? Is the remote backend interface widely used and battle tested? Or is this an uncommon thing and I am probably running into trouble? The scale of my application is, that there would be something like 500.000 devices out there, not more.

Thank you in advance for your insights!

  Michael.

-- 
Michael Rommel, Erlangen, Germany
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200301/4682f8e9/attachment.htm>


More information about the Pdns-users mailing list