[Pdns-users] Zone transfert rejected in Powerdns Letsencrypt challenge

Martijn Grendelman martijn.grendelman at isaac.nl
Wed Jun 23 09:01:36 UTC 2021


On 22/06/2021 at 13:46, Brian Candler via Pdns-users wrote:
> On 22/06/2021 12:33, Jan-Piet Mens via Pdns-users wrote:
>>> For Letsencrypt protocol to generate certificate I have to enable zone
>>> transfer in my powerdns.
>> I think you mean "DNS Updates" for Let's Encrypt dns-01, but I don't
>> believe these are possible in PowerDNS with the LDAP backend. 
> Possibly, although the OP was specifically testing AXFR.
> Regarding the separate issue of DNS updates, the way I deal with this is:
> 1. I run a separate nameserver for Letsencrypt use only (say 
> "acme-ns.example.net")
> 4. I give that secret to the server that wants to obtain a certificate.

I realize that my comment here is off-topic and has really nothing to do 
with PowerDNS, but... At first I was triggered by the setup that 
Brian described, but when I compared the concept with how I have set 
things up, I really couldn't see the advantage of running a separate 
nameserver, so I thought I'd put my 2 cents worth out here.

Instead of having web servers run Certbot themselves, using temporary 
secrets for DNS updates, I just have a single server doing all the 
LetsEncrypt stuff. In my case, it's the Puppet server, but it could just 
as well be the name server itself. The webservers then request a 
certificate, not with certbot, but through some other mechanism, with 
the central server, which obtains the certificate and serves it to the 
webserver. This way, no untrusted DNS updates are ever necessary.

While 'some other mechanism' and 'serves it to the webserver' might 
sound like complexity that is in the same league as running a separate 
DNS server, it really isn't when you use Puppet or some other config 
management tool to manage your vhosts. The code that manages the vhosts 
calls Certbot on the Puppet server and uses Puppet's built-in file 
server to serve the result to the requesting client. All the 
functionality is just there, out of the box, except for one simple 
wrapper script that does some sanity checking before actually running 
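
A sketch of the kind of sanity-checking wrapper described above, as an added example that is not code from this thread, from PowerDNS or from Certbot. The point of the central issuer is that it holds the DNS update credentials, so before it runs Certbot it must verify that the requesting host is actually entitled to a certificate for every name it asks for: well-formed name, inside a zone this server manages, no wildcards, and on that host's allow-list. The allow-list, the managed zones, the hook script path and the `issue()` entry point are constructed assumptions for illustration.

```python
"""Sanity-checking wrapper for a central ACME dns-01 issuer (added example).

Assumed layout (hypothetical): the central server keeps an allow-list
mapping each client host to the names it may request, and a DNS hook
script that Certbot calls to publish and remove the _acme-challenge
record in the zones this server manages.
"""
import re
import subprocess
import sys

# Constructed sample data: zones this issuer may update, and which
# client host may request which names.
MANAGED_ZONES = ("example.net", "example.org")
ALLOWED = {
    "web1.example.net": {"www.example.net", "example.net"},
    "mail.example.org": {"mail.example.org"},
}
# Hypothetical hook that adds/removes the TXT record via the DNS API.
DNS_HOOK = "/usr/local/bin/pdns-acme-hook"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case and strip a trailing dot so checks are canonical."""
    return name.strip().lower().rstrip(".")


def valid_hostname(name):
    """RFC 1123-style syntax check on an already normalized name."""
    if not 1 <= len(name) <= 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def in_managed_zone(name):
    """True if the name is the apex of, or lies inside, a managed zone."""
    return any(name == zone or name.endswith("." + zone) for zone in MANAGED_ZONES)


def check_request(requester, names):
    """Return (ok, reason). Reject anything the requester may not obtain."""
    if not names:
        return False, "no names requested"
    allowed = ALLOWED.get(normalize(requester))
    if allowed is None:
        return False, "unknown requester %r" % requester
    for raw in names:
        name = normalize(raw)
        if name.startswith("*."):
            return False, "wildcard %r not permitted" % raw
        if not valid_hostname(name):
            return False, "malformed name %r" % raw
        if not in_managed_zone(name):
            return False, "%r is outside the managed zones" % raw
        if name not in allowed:
            return False, "%r not on the allow-list for %s" % (raw, requester)
    return True, "ok"


def build_certbot_cmd(names, dry_run=True):
    """Assemble the Certbot dns-01 invocation (manual hooks, non-interactive)."""
    cmd = [
        "certbot", "certonly", "--non-interactive", "--agree-tos",
        "--manual", "--preferred-challenges", "dns",
        "--manual-auth-hook", DNS_HOOK,
        "--manual-cleanup-hook", DNS_HOOK + " cleanup",
    ]
    for name in names:
        cmd += ["-d", normalize(name)]
    if dry_run:
        cmd.append("--dry-run")
    return cmd


def issue(requester, names, run=False, dry_run=True):
    """Check the request, log the decision, and (optionally) run Certbot."""
    ok, reason = check_request(requester, names)
    print("acme-request requester=%s names=%s decision=%s reason=%s"
          % (requester, ",".join(names), "allow" if ok else "deny", reason),
          file=sys.stderr)
    if not ok:
        raise PermissionError(reason)
    cmd = build_certbot_cmd(names, dry_run=dry_run)
    if run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Usage: wrapper.py <requesting-host> <name> [<name> ...]
    print(" ".join(issue(sys.argv[1], sys.argv[2:])))
```

The decision is logged before anything runs, so a rejected or unexpected request from a client is visible in the issuer's log, and the client never needs a DNS credential of its own.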
