[Pdns-users] Zone transfer rejected in Powerdns Letsencrypt challenge

Brian Candler b.candler at pobox.com
Tue Jun 22 11:46:28 UTC 2021

On 22/06/2021 12:33, Jan-Piet Mens via Pdns-users wrote:
>> For Letsencrypt protocol to generate certificate I have to enable zone
>> transfer in my powerdns.
> I think you mean "DNS Updates" for Let's Encrypt dns-01, but I don't
> believe these are possible in PowerDNS with the LDAP backend. 

Possibly, although the OP was specifically testing AXFR.

Regarding the separate issue of DNS updates, the way I deal with this is:

1. I run a separate nameserver for Letsencrypt use only (say 

2. For every domain I want a cert for (say "foo.example.com"), I 
statically add an NS record in my main DNS, pointing at that server:

_acme-challenge.foo.example.com.  NS    acme-ns.example.net.

3. I create empty zone "_acme-challenge.foo.example.com" on 
"acme-ns.example.net", with a random TSIG secret for DNS updates.

4. I give that secret to the server that wants to obtain a certificate.

It doesn't actually matter what nameserver you use for 
acme-ns.example.net, because the data stored within it is completely 
transitory.  Even something with a RAM backend would be fine.  I happen 
to use bind9 because it was easy to set up; I didn't want to use a 
database, and the powerdns bind backend doesn't support DNS updates.

With this approach, there's no risk that the target server could ever 
modify any record in the production DNS, accidentally or maliciously.
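The four steps above, turned into the concrete artefacts each side needs, as an added example (not code from the post or from PowerDNS/BIND): the NS delegation for the production zone, a fresh TSIG secret, the named.conf fragment for the dedicated acme-ns.example.net running BIND 9 with an update-policy limited to TXT at the delegated name, and the nsupdate commands the certificate-requesting host runs. The key name, zone file path and token value are constructed for the example; `update_allowed` is a small model of what that update-policy accepts, so you can see that nothing outside `_acme-challenge.<host>` is reachable with the key.

```python
"""Pieces of the delegated _acme-challenge setup (added illustration).

Assumes a Let's-Encrypt-only nameserver named acme-ns.example.net running
BIND 9. Key name, file path and token below are constructed placeholders.
"""
import base64
import secrets

ACME_NS = "acme-ns.example.net."  # the dedicated ACME nameserver from the post


def challenge_zone(fqdn):
    """Name of the tiny zone that holds only the dns-01 TXT record."""
    return "_acme-challenge." + fqdn.strip(".").lower()


def delegation_record(fqdn, ns=ACME_NS):
    """Static NS record to add in the *production* DNS (step 2)."""
    return f"{challenge_zone(fqdn)}.  IN  NS  {ns}"


def make_tsig_secret(nbytes=32):
    """Fresh random TSIG secret, base64 as BIND and nsupdate expect (step 3)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def zone_file(fqdn, ns=ACME_NS):
    """Minimal zone contents: an 'empty' zone still needs SOA and NS."""
    return "\n".join([
        "$TTL 60",
        f"@  IN SOA {ns} hostmaster.{ns} ( 1 3600 900 604800 60 )",
        f"@  IN NS  {ns}",
        "",
    ])


def bind_config(fqdn, key_name, secret):
    """named.conf fragment for acme-ns: the TSIG key and the zone it may update.

    The update-policy grants the key the right to change TXT at exactly the
    zone apex and nothing else, so the requesting host can never touch other
    names, and the production DNS is not involved at all.
    """
    zone = challenge_zone(fqdn)
    return "\n".join([
        f'key "{key_name}" {{',
        "    algorithm hmac-sha256;",
        f'    secret "{secret}";',
        "};",
        f'zone "{zone}" {{',
        "    type primary;                  # 'master' on BIND < 9.16",
        f'    file "/var/lib/bind/{zone}.db";  # assumed path',
        "    update-policy {",
        f"        grant {key_name} name {zone}. TXT;",
        "    };",
        "};",
    ])


def update_allowed(fqdn, name, rrtype):
    """Model of what the policy above accepts: the exact name, TXT only."""
    same_name = name.strip(".").lower() == challenge_zone(fqdn)
    return same_name and rrtype.upper() == "TXT"


def nsupdate_script(fqdn, key_name, secret, token, server=ACME_NS, ttl=60):
    """Commands the certificate-requesting host feeds to nsupdate (step 4).

    The token is whatever the ACME client hands over for the dns-01 challenge.
    """
    zone = challenge_zone(fqdn)
    return "\n".join([
        f"server {server.rstrip('.')}",
        f"key hmac-sha256:{key_name} {secret}",
        f"zone {zone}.",
        f"update delete {zone}. TXT",
        f'update add {zone}. {ttl} IN TXT "{token}"',
        "send",
        "",
    ])


if __name__ == "__main__":
    key = "acme-foo-key"            # constructed key name
    secret = make_tsig_secret()
    print(delegation_record("foo.example.com"))
    print(zone_file("foo.example.com"))
    print(bind_config("foo.example.com", key, secret))
    print(nsupdate_script("foo.example.com", key, secret, "constructed-token"))
```

Pipe the output of `nsupdate_script` into `nsupdate` on the host that needs the certificate; because the only zone the key is granted on is `_acme-challenge.foo.example.com`, a compromised key can at worst disturb that host's own challenge record.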
