[Pdns-users] Best way to setup pdns for ACME challenges and "virtual" entries

Brian Candler b.candler at pobox.com
Sun Mar 1 20:13:38 UTC 2020


On 01/03/2020 19:28, Michael Rommel via Pdns-users wrote:
> 1. the easy one: put the challenge of ACME into the DNS at runtime. 
> Now, I did this previously with isc-bind and used the dynamic dns 
> update feature for the relevant zone. Since I have not yet 
> hands-on experience with pdns, I am asking for the correct way to 
> implement this. I read that I can use three different ways to 
> accomplish that:
> a) dynamic DNS updates
> b) the HTTP API
> c) inserting the record directly into the backend database, but I 
> would have to make sure that no previous query to that record had been 
> sent to pdns, otherwise it could respond from the cache.
> What is the best way to do it?
>
Depends on what your letsencrypt software uses. I use the bind backend 
with DDNS updates, with dehydrated. There are some sample challenge 
hooks for dehydrated here 
<https://github.com/dehydrated-io/dehydrated/wiki>, and I see all your 
options covered:

One which uses DDNS updates: 
https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script

One which uses the API: https://github.com/silkeh/pdns_api.sh

One which uses mysql updates: 
https://github.com/antoiner77/dehyrated-pdns/blob/master/pdns.sh


> 2. the hard one: how can an answer to an A RR query be synthesized from 
> the queried name? My current way of thinking is to use the remote 
> backend and write a node.js application (with ZeroMQ, as that's what I 
> am familiar with) that answers these questions.
> My question to you all would here be: is this a stable setup with 
> pdns? Is the remote backend interface widely used and battle tested? 
> Or is this an uncommon thing and I am probably running into trouble? 
> The scale of my application is that there would be something like 
> 500,000 devices out there, not more.
>
To minimise the number of moving parts, I'd start by seeing if LUA 
records can do what you want: 
https://doc.powerdns.com/authoritative/lua-records/index.html

There are existing functions for working with dynamic forward and reverse:

https://doc.powerdns.com/authoritative/lua-records/functions.html#reverse-dns-functions

The documentation says that createReverse with %5% will support the 
A-B-C-D format you want; but createForward doesn't. Confusingly, there 
is a comment in the code 
<https://github.com/PowerDNS/pdns/blob/master/pdns/lua-record.cc#L612> 
which says it does:

       if(parts.size()==1) {
         // either hex string, *or 12-13-14-15*
         //        cout<<parts[0]<<endl;
         unsigned int x1, x2, x3, x4;
         if(sscanf(parts[0].c_str()+2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4)==4) {
           return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
         }
       }
       return std::string("0.0.0.0");
     });

... but I can't see anything in the code which actually parses this 
format.  So either this is an oversight in the code, or the comment is 
wrong.  It looks like it would be a pretty straightforward feature to add.

If there's no way round this, then you can use the full LUA backend 
instead: https://doc.powerdns.com/authoritative/backends/lua2.html
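The hook below is an added example for question 1, written for this page and not taken from the thread, from dehydrated or from PowerDNS: a dehydrated dns-01 hook that publishes and removes the _acme-challenge TXT records through the PowerDNS HTTP API (option b above) with urllib only. It assumes the API is reachable at PDNS_API_URL with key PDNS_API_KEY (defaults to the standard 127.0.0.1:8081), that the server id is "localhost", and that dehydrated runs with HOOK_CHAIN=yes so all challenges for one certificate arrive in a single deploy_challenge call. Two things the one-liner hooks tend to get wrong are handled explicitly: the target zone is chosen by longest suffix match, so a delegated child zone hosted on the same server is not shadowed by its parent, and the tokens for "example.org" and "*.example.org" (which validate at the same name) are merged into one REPLACE instead of overwriting each other.

```python
#!/usr/bin/env python3
"""dehydrated dns-01 hook driving the PowerDNS HTTP API (added example).

Assumptions (not from the thread): PDNS_API_URL / PDNS_API_KEY come from the
environment, the server id is "localhost", and dehydrated runs with
HOOK_CHAIN=yes so one deploy_challenge call carries every (domain, token)
triple for the certificate being issued.
"""
import json
import os
import sys
import urllib.request

API_URL = os.environ.get("PDNS_API_URL", "http://127.0.0.1:8081")  # assumption
API_KEY = os.environ.get("PDNS_API_KEY", "")                        # assumption
SERVER_ID = "localhost"
TTL = 60  # short: the record only has to live for one validation


def challenge_name(domain):
    """TXT goes under _acme-challenge. of the certificate name; a wildcard
    prefix is stripped because '*.example.org' validates at the base name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".").lower() + "."


def pick_zone(zone_names, fqdn):
    """Longest zone (from the API's zone list) that fqdn falls under.
    Longest wins: if 'lab.example.org.' is delegated and hosted here too, a
    record written into 'example.org.' would sit below the zone cut and pdns
    would never serve it."""
    fqdn = fqdn.lower()
    best = None
    for zone in zone_names:
        z = zone.lower()
        if (fqdn == z or fqdn.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def group_tokens(argv):
    """deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN ...]:
    collect all token values per challenge name, so 'example.org' and
    '*.example.org' both end up as TXT records at the same name."""
    groups = {}
    for i in range(0, len(argv) - 2, 3):
        groups.setdefault(challenge_name(argv[i]), []).append(argv[i + 2])
    return groups


def replace_rrset(name, tokens):
    """REPLACE overwrites the whole TXT set at name (idempotent re-runs).
    TXT content must carry its own double quotes in the PowerDNS API."""
    return {"name": name, "type": "TXT", "ttl": TTL, "changetype": "REPLACE",
            "records": [{"content": '"%s"' % t, "disabled": False} for t in tokens]}


def delete_rrset(name):
    return {"name": name, "type": "TXT", "changetype": "DELETE"}


def api(method, path, body=None):
    req = urllib.request.Request(
        API_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"X-API-Key": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def patch(rrsets):
    """One PATCH per zone. Going through the API means pdns itself applies
    the change and invalidates its caches for the zone, which is the cache
    problem the question raises for option c (direct database inserts)."""
    zones = [z["id"] for z in api("GET", "/api/v1/servers/%s/zones" % SERVER_ID)]
    per_zone = {}
    for rrset in rrsets:
        zone = pick_zone(zones, rrset["name"])
        if zone is None:
            raise SystemExit("no zone hosted here for " + rrset["name"])
        per_zone.setdefault(zone, []).append(rrset)
    for zone, sets in per_zone.items():
        api("PATCH", "/api/v1/servers/%s/zones/%s" % (SERVER_ID, zone), {"rrsets": sets})


def main(argv):
    hook = argv[0] if argv else ""
    groups = group_tokens(argv[1:])
    if hook == "deploy_challenge":
        patch([replace_rrset(n, t) for n, t in groups.items()])
    elif hook == "clean_challenge":
        patch([delete_rrset(n) for n in groups])
    # deploy_cert, unchanged_cert, ... are no-ops for a DNS-only hook


if __name__ == "__main__":
    main(sys.argv[1:])
```

Point dehydrated at it with HOOK=/path/to/this.py and CHALLENGETYPE="dns-01". If the zone has secondaries, they must receive the change before Let's Encrypt queries them; with AXFR-fed secondaries that means NOTIFY is on, and a HOOK_CHAIN-aware hook can additionally sleep or poll the secondaries before returning.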


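For question 2, the following is an added example (written for this page, not from the thread or from PowerDNS) of the remote-backend route Michael describes, in case LUA records turn out not to parse the a-b-c-d form: a pipe-connector backend that answers one line-delimited JSON request per line and synthesizes an A record from the queried label instead of storing anything, so 500,000 devices cost no rows. The zone name dyn.example.org, its NS/SOA, and the ALLOWED address ranges are assumptions. The allowlist is the caveat a reviewer would raise: a name that maps to any dotted quad is a ready-made rebinding or SSRF-filter-bypass helper (127-0-0-1.dyn.example.org), so the synthesizer refuses addresses outside the ranges the devices actually use, and also rejects leading zeros so each address has exactly one name.

```python
#!/usr/bin/env python3
"""PowerDNS remote backend (pipe connector) synthesizing A records from
a-b-c-d names. Added example; assumptions: zone dyn.example.org served by
ns1.example.org, requests arrive as one JSON object per stdin line and are
answered the same way, device addresses fall inside ALLOWED."""
import ipaddress
import json
import re
import sys

ZONE = "dyn.example.org"                       # assumption
APEX = {                                       # assumption
    "SOA": ["ns1.example.org. hostmaster.example.org. 1 3600 900 604800 60"],
    "NS": ["ns1.example.org."],
}
# assumption: only these ranges are ever synthesized; keeps loopback, link-local
# and arbitrary third-party addresses out of our namespace
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TTL = 60
# four decimal groups, no leading zeros, nothing else in the label
DASHED = re.compile(r"^(0|[1-9]\d{0,2})-(0|[1-9]\d{0,2})-(0|[1-9]\d{0,2})-(0|[1-9]\d{0,2})$")


def synthesize_a(label):
    """'10-0-0-1' -> '10.0.0.1'; None for anything that is not a canonical,
    in-range, allowlisted IPv4 address written with dashes."""
    m = DASHED.match(label)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    addr = ipaddress.ip_address(".".join(str(o) for o in octets))
    if not any(addr in net for net in ALLOWED):
        return None
    return str(addr)


def records_for(qname):
    """Every (type, content) that exists at qname, regardless of qtype."""
    name = qname.rstrip(".").lower()
    if name == ZONE:
        return [(t, c) for t, cs in APEX.items() for c in cs]
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return []
    label = name[:-len(suffix)]
    if "." in label:            # only direct children are synthesized
        return []
    addr = synthesize_a(label)
    return [("A", addr)] if addr else []


def lookup(qtype, qname):
    qtype = qtype.upper()
    return [{"qtype": t, "qname": qname, "content": c, "ttl": TTL}
            for t, c in records_for(qname) if qtype in ("ANY", t)]


def handle(request):
    """One remote-backend request in, one reply out. pdns calls 'initialize'
    first and then 'lookup' (ANY for names, SOA at the apex to establish
    authority); {"result": false} declines any other method."""
    method = request.get("method")
    params = request.get("parameters", {})
    if method == "initialize":
        return {"result": True}
    if method == "lookup":
        return {"result": lookup(params.get("qtype", "ANY"), params.get("qname", ""))}
    return {"result": False}


def main():
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        try:
            reply = handle(json.loads(line))
        except ValueError:
            reply = {"result": False}
        sys.stdout.write(json.dumps(reply) + "\n")
        sys.stdout.flush()     # pdns waits for the line; buffering would hang it


if __name__ == "__main__":
    main()
```

Wire it in with launch=remote and remote-connection-string=pipe:command=/path/to/this.py in pdns.conf; the same handle() function serves the unix-socket or ZeroMQ connectors unchanged, since only the transport differs. Because nothing is stored, pdns's packet cache is the only state involved, and a 60 second TTL bounds how long a later tightening of ALLOWED takes to be visible.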