[Pdns-users] Best way to setup pdns for ACME challenges and "virtual" entries

Kevin P. Fleming kevin at km6g.us
Sun Mar 1 23:52:05 UTC 2020


I have Certbot configured with the RFC2136 (DNSUPDATE) plugin
configured on a dozen machines, all of which send DNSUPDATE queries to
my pdns-auth server; works perfectly. I created a TSIG key, configured
the zones to allow that key, and enabled dynamic updates in the
pdns-auth configuration. If you can use Certbot for this, it will be
pretty easy to get working.

On Sun, Mar 1, 2020 at 3:40 PM Michael Rommel via Pdns-users
<pdns-users at mailman.powerdns.com> wrote:
>
> On 1. Mar 2020, at 21:13, Brian Candler <b.candler at pobox.com> wrote:
>
> Depends on what your letsencrypt software uses. I use the bind backend with DDNS updates, with dehydrated.  There are some sample challenge hooks for dehydrated here, and I see all your options covered:
>
> One which uses DDNS updates: https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script
>
> One which uses the API: https://github.com/silkeh/pdns_api.sh
>
> One which uses mysql updates: https://github.com/antoiner77/dehyrated-pdns/blob/master/pdns.sh
>
> Thanks - that is a good hint to look at dehydrated - I was vaguely aware of the project, but haven't installed it since I scripted certbot.  So from your response I gather it is just a matter of preference; there are no real drawbacks. So I will research the DDNS updates further, since that is what I already implemented and it saves me from enabling the HTTP API, which would increase complexity...
>
> To minimise the number of moving parts, I'd start by seeing if LUA records can do what you want: https://doc.powerdns.com/authoritative/lua-records/index.html
>
> I missed that part of the documentation, or rather skipped it, because I have no experience with LUA, but if that gets me around running a backend, I'll look deeper into that.
>
> There are existing functions for working with dynamic forward and reverse:
>
> https://doc.powerdns.com/authoritative/lua-records/functions.html#reverse-dns-functions
>
> The documentation says that createReverse with %5% will support the A-B-C-D format you want; but createForward doesn't.  Confusingly, there is a comment in the code which says it does:
>
>       if(parts.size()==1) {
>         // either hex string, or 12-13-14-15
>         //        cout<<parts[0]<<endl;
>         unsigned int x1, x2, x3, x4;
>         if(sscanf(parts[0].c_str()+2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4)==4) {
>           return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
>         }
>
>
>       }
>       return std::string("0.0.0.0");
>     });
>
> ... but I can't see anything in the code which actually parses this format.  So either this is an oversight in the code, or the comment is wrong.  It looks like it would be a pretty straightforward feature to add.
>
> If there's no way round this, then you can use the full LUA backend instead: https://doc.powerdns.com/authoritative/backends/lua2.html
>
> Nice! thanks for the pointer, Brian!
>
>   Michael.
>
> --
> Michael Rommel, Erlangen, Germany
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
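Brian's observation above is that the createForward comment mentions the 12-13-14-15 form but the code only attempts the hex parse. As an added illustration (not PowerDNS code), this is what a label parser accepting both forms looks like, with the length and character checks a lenient sscanf would skip; the two-character "ip" prefix before the hex digits is an assumption.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Illustrative parser for the first label of a createForward-style query
// name. Not PowerDNS code. Returns the dotted quad, or "0.0.0.0" when the
// label is in neither format or an octet is out of range (the same
// fallback value the quoted PowerDNS fragment uses).
static const std::string kAllZeros = "0.0.0.0";

std::string forwardLabelToIPv4(const std::string& label) {
    // Dashed form: exactly four decimal groups, each 0..255, nothing else.
    std::vector<std::string> groups;
    std::string cur;
    for (char c : label) {
        if (c == '-') { groups.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    groups.push_back(cur);
    if (groups.size() == 4) {
        std::string out;
        for (size_t i = 0; i < 4; ++i) {
            const std::string& g = groups[i];
            if (g.empty() || g.size() > 3) return kAllZeros;
            for (char c : g)
                if (!std::isdigit(static_cast<unsigned char>(c))) return kAllZeros;
            int v = std::stoi(g);          // safe: 1..3 digits checked above
            if (v > 255) return kAllZeros;
            out += std::to_string(v) + (i < 3 ? "." : "");
        }
        return out;
    }
    // Hex form: assumed prefix "ip" followed by exactly eight hex digits.
    // Checking length and characters up front rejects signs, spaces and
    // trailing junk that sscanf("%02x") would otherwise tolerate.
    if (label.size() == 10 && label.compare(0, 2, "ip") == 0) {
        for (size_t i = 2; i < 10; ++i)
            if (!std::isxdigit(static_cast<unsigned char>(label[i]))) return kAllZeros;
        std::string out;
        for (size_t i = 0; i < 4; ++i)
            out += std::to_string(std::stoul(label.substr(2 + 2 * i, 2), nullptr, 16)) +
                   (i < 3 ? "." : "");
        return out;
    }
    return kAllZeros;
}

int main() {
    // Constructed sample labels: 12-13-14-15 and its hex equivalent.
    return forwardLabelToIPv4("12-13-14-15") == "12.13.14.15" &&
           forwardLabelToIPv4("ip0c0d0e0f") == "12.13.14.15" ? 0 : 1;
}
```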

