[Pdns-users] Zone transfer rejected in PowerDNS Letsencrypt challenge
Martijn Grendelman
martijn.grendelman at isaac.nl
Wed Jun 23 09:01:36 UTC 2021
Hi,
On 22/06/2021 at 13:46, Brian Candler via Pdns-users wrote:
> On 22/06/2021 12:33, Jan-Piet Mens via Pdns-users wrote:
>>> For Letsencrypt protocol to generate certificate I have to enable zone
>>> transfer in my powerdns.
>>
>> I think you mean "DNS Updates" for Let's Encrypt dns-01, but I don't
>> believe these are possible in PowerDNS with the LDAP backend.
>
> Possibly, although the OP was specifically testing AXFR.
>
> Regarding the separate issue of DNS updates, the way I deal with this is:
>
> 1. I run a separate nameserver for Letsencrypt use only (say
> "acme-ns.example.net")
>
[snip]
>
> 4. I give that secret to the server that wants to obtain a certificate.
I realize that my comment here is off-topic and has really nothing to do
with PowerDNS, but... At first I was triggered by the setup that
Brian described, but when I compared the concept with how I have set
things up, I really couldn't see the advantage of running a separate
nameserver, so I thought I'd put my 2 cents worth out here.
Instead of having web servers run Certbot themselves, using temporary
secrets for DNS updates, I just have a single server doing all the
LetsEncrypt stuff. In my case, it's the Puppet server, but it could just
as well be the name server itself. The web servers then request a
certificate, not with Certbot but through some other mechanism, from
the central server, which obtains the certificate and serves it to the
web server. This way, no untrusted DNS updates are ever necessary.
While 'some other mechanism' and 'serves it to the webserver' might
sound like complexity that is in the same league as running a separate
DNS server, it really isn't when you use Puppet or some other config
management tool to manage your vhosts. The code that manages the vhosts
calls Certbot on the Puppet server and uses Puppet's built-in file
server to serve the result to the requesting client. All the
functionality is just there, out of the box, except for one simple
wrapper script that does some sanity checking before actually running
Certbot.
Cheers,
Martijn.
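As an added illustration of the "one simple wrapper script that does some sanity checking before actually running Certbot" pattern described above, here is a Python wrapper for a central certificate server. It is example code, not Martijn's script and not part of PowerDNS or Puppet. The managed-zone list, the alias table, the requester identity (assumed to be the Puppet client's certname) and the site-specific authenticator arguments are constructed assumptions; the Certbot flags it emits (`certonly`, `--non-interactive`, `--agree-tos`, `--cert-name`, `-d`) are standard Certbot options.

```python
"""Sanity-checking wrapper around Certbot for a central certificate server.

Example code: the checks decide whether a request coming from a managed
host may be turned into a Certbot run on this server, so that only names
in zones we control, requested by the host that owns them, ever reach ACME.
"""
import re
import subprocess
from typing import Callable, Dict, List, Set, Tuple

# Zones this central server may request certificates for (constructed sample).
ALLOWED_ZONES = ("example.net", "example.org")

# Extra names a requester may ask for besides its own FQDN (constructed sample):
# the www host is also allowed to obtain the zone-apex certificate.
ALIASES: Dict[str, Set[str]] = {"www.example.net": {"example.net"}}

# One DNS label: 1-63 chars, alphanumerics or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Syntactic check: lowercase, at most 253 chars, well-formed labels, >= 2 labels."""
    if not name or len(name) > 253 or name != name.lower():
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def in_allowed_zone(name: str, zones=ALLOWED_ZONES) -> bool:
    """The name must be the apex of, or lie below, one of the managed zones."""
    return any(name == zone or name.endswith("." + zone) for zone in zones)


def check_request(requester: str, name: str,
                  zones=ALLOWED_ZONES, aliases=ALIASES) -> List[str]:
    """Return the list of problems with a request; an empty list means it passes."""
    problems: List[str] = []
    if "*" in name:
        # Individual vhosts never need wildcard certificates from this path.
        problems.append("wildcard names are not issued through this wrapper")
        return problems
    if not valid_hostname(name):
        problems.append(f"malformed hostname: {name!r}")
        return problems
    if not in_allowed_zone(name, zones):
        problems.append(f"{name} is not in a zone this server manages")
    if name != requester and name not in aliases.get(requester, set()):
        problems.append(f"{requester} is not authorized to request {name}")
    return problems


def certbot_command(name: str, authenticator_args: List[str]) -> List[str]:
    """Build the Certbot invocation; authenticator_args (DNS plugin, credentials
    file, ...) are site-specific and supplied by the caller."""
    return ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "--cert-name", name, "-d", name, *authenticator_args]


def request_certificate(requester: str, name: str, authenticator_args: List[str],
                        run: Callable = subprocess.run) -> Tuple[bool, str]:
    """Run the sanity checks and, only if they pass, invoke Certbot."""
    problems = check_request(requester, name)
    if problems:
        return False, "; ".join(problems)
    result = run(certbot_command(name, authenticator_args), check=False)
    return result.returncode == 0, f"certbot exited {result.returncode}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("usage: wrapper.py REQUESTER_FQDN NAME [authenticator args...]")
        sys.exit(2)
    ok, message = request_certificate(sys.argv[1], sys.argv[2], sys.argv[3:])
    print(message)
    sys.exit(0 if ok else 1)
```

The wrapper deliberately refuses before touching Certbot rather than relying on the ACME server to reject a bad name: a compromised or misconfigured client should not be able to make the central server issue a certificate for another host, and the only DNS interaction ever happens from the one machine that already holds the credentials.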