[Pdns-users] Zone transfer rejected in Powerdns Letsencrypt challenge
Brian Candler
b.candler at pobox.com
Tue Jun 22 11:46:28 UTC 2021
On 22/06/2021 12:33, Jan-Piet Mens via Pdns-users wrote:
>> For Letsencrypt protocol to generate certificate I have to enable zone
>> transfer in my powerdns.
>
> I think you mean "DNS Updates" for Let's Encrypt dns-01, but I don't
> believe these are possible in PowerDNS with the LDAP backend.
Possibly, although the OP was specifically testing AXFR.
Regarding the separate issue of DNS updates, the way I deal with this is:
1. I run a separate nameserver for Letsencrypt use only (say "acme-ns.example.net").
2. For every domain I want a cert for (say "foo.example.com"), I statically add an NS record in my main DNS, pointing at that server:
   _acme-challenge.foo.example.com. NS acme-ns.example.net.
3. I create an empty zone "_acme-challenge.foo.example.com" on "acme-ns.example.net", with a random TSIG secret for DNS updates.
4. I give that secret to the server that wants to obtain a certificate.
It doesn't actually matter what nameserver you use for
acme-ns.example.net, because the data stored within it is completely
transitory. Even something with a RAM backend would be fine. I happen
to use bind9 because it was easy to set up; I didn't want to use a
database, and the powerdns bind backend doesn't support DNS updates
<https://doc.powerdns.com/authoritative/dnsupdate.html>.
With this approach, there's no risk that the target server could ever
modify any record in the production DNS, accidentally or maliciously.
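The four steps above, as an added worked example that is not part of Brian's post: a small generator for the pieces each delegated zone needs. It assumes the ACME-only server is bind9 (as the post says Brian uses), that the TSIG key is hmac-sha256, and that "acme-ns.example.net" / "foo.example.com" are the placeholder names from the post; the `update_permitted` function is a simplified model of bind9's `grant <key> zonesub TXT` update-policy rule, written here to show why a leaked key cannot reach the production zone, and is not bind9 code.

```python
"""Generate the per-domain pieces of the delegated _acme-challenge pattern.

Assumptions (not from the original post): bind9 on the ACME-only server,
hmac-sha256 TSIG keys, and the placeholder names below.
"""
import base64
import secrets

ACME_NS = "acme-ns.example.net."   # assumed name of the ACME-only nameserver


def challenge_zone(fqdn: str) -> str:
    """Zone delegated to the ACME server for this hostname, as an absolute name."""
    return "_acme-challenge." + fqdn.strip(".") + "."


def tsig_key_name(fqdn: str) -> str:
    """One key per delegated zone, so one cert-requesting host cannot touch another's zone."""
    return "acme-" + fqdn.strip(".").replace(".", "-")


def new_tsig_secret(nbytes: int = 32) -> str:
    """Random base64 secret for an hmac-sha256 TSIG key (256 bits by default)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def parent_delegation_record(fqdn: str) -> str:
    """Step 2: the static NS record added to the production zone."""
    return f"{challenge_zone(fqdn)} IN NS {ACME_NS}"


def empty_zone_file(fqdn: str) -> str:
    """Step 3: minimal zone data for the delegated zone (SOA + NS, nothing else).
    The NS target is outside the zone, so no glue record is needed."""
    zone = challenge_zone(fqdn)
    return (
        "$TTL 60\n"
        f"$ORIGIN {zone}\n"
        f"@ IN SOA {ACME_NS} hostmaster.example.net. ( 1 3600 900 604800 60 )\n"
        f"@ IN NS {ACME_NS}\n"
    )


def named_conf_fragment(fqdn: str, secret: str) -> str:
    """Step 3: bind9 key + zone stanzas. The update-policy lets this key change
    only TXT records at names inside this zone (grant ... zonesub TXT)."""
    key, zone = tsig_key_name(fqdn), challenge_zone(fqdn).rstrip(".")
    return (
        f'key "{key}" {{\n'
        "    algorithm hmac-sha256;\n"
        f'    secret "{secret}";\n'
        "};\n"
        f'zone "{zone}" {{\n'
        "    type master;\n"                      # newer bind9 also accepts "primary"
        f'    file "/var/lib/bind/{zone}.db";\n'
        f"    update-policy {{ grant {key} zonesub TXT; }};\n"
        "};\n"
    )


def nsupdate_batch(fqdn: str, token: str) -> str:
    """Step 4: the batch the certificate-requesting host feeds to `nsupdate -k keyfile`,
    where keyfile holds the same key stanza as named_conf_fragment()."""
    zone = challenge_zone(fqdn)
    return (
        f"server {ACME_NS.rstrip('.')}\n"
        f"zone {zone}\n"
        f"update delete {zone} TXT\n"
        f'update add {zone} 60 TXT "{token}"\n'
        "send\n"
    )


def update_permitted(fqdn: str, name: str, rtype: str) -> bool:
    """Simplified model of the `zonesub TXT` grant: the key may add or delete TXT
    records at the zone apex or any name below it, and nothing else. A request for
    www.foo.example.com never even reaches this zone, because the production zone
    on the main nameserver was never configured to accept updates at all."""
    zone = challenge_zone(fqdn)
    name = name.strip(".") + "."
    in_zone = name == zone or name.endswith("." + zone)
    return in_zone and rtype.upper() == "TXT"


if __name__ == "__main__":
    host = "foo.example.com"
    secret = new_tsig_secret()
    print(parent_delegation_record(host))
    print(empty_zone_file(host))
    print(named_conf_fragment(host, secret))
    print(nsupdate_batch(host, "constructed-token-value"))
```

The generated key stanza is written twice: once into named.conf on acme-ns, once into the key file handed to the host that will run `nsupdate -k`. Because the grant is scoped to TXT records inside "_acme-challenge.foo.example.com", the worst a compromised web server can do with that key is alter its own challenge record.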