[Pdns-users] Prevent external lookup of (private) subdomains
Brian Candler
b.candler at pobox.com
Thu Sep 23 13:44:42 UTC 2021
On 23/09/2021 14:31, informant at trinaxab.se wrote:
> I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration.
Exactly. You can stand up a separate nameserver purely for responding
to ACME challenges, and delegate to it using
intra.example.com. NS acme-ns.example.com.
You don't even need to run multiple nameservers, because the normal
RFC2182 redundancy requirements don't come into play here. That makes
answering DNS01 challenges much faster, as you don't need to wait for
updates to replicate to secondary nameservers.
If you want to issue certs for hosts which are not under
intra.example.com, you can still do so: just add static NS records like
_acme-challenge.www.example.com. NS acme-ns.example.com.
for each name that you want to issue a cert for. Best practice is to
create separate zones for these on your acme-ns nameserver, with
different TSIG keys, so that each host is only able to issue certs for
its own hostname(s).
I like this approach because you can keep your robust, static public DNS
as-is, and not have to introduce any dynamic DNS updates into it.
Regards,
Brian.
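As an added example (not code from the post, nor from PowerDNS or BIND), here is a small Python helper that generates the pieces described above for a list of hostnames: the static `_acme-challenge.<host> NS acme-ns.example.com.` delegation records for the existing public zone, and for the acme-ns server a BIND `named.conf` fragment with one zone and one distinct TSIG key per hostname, where each key's `update-policy` grant is limited to TXT records at its own `_acme-challenge` name. The nameserver name is taken from the post; the key naming scheme, the `/var/lib/bind/acme` zone-file directory and the use of BIND 9.16+ `type primary;` syntax are assumptions.

```python
"""Generate per-hostname ACME DNS-01 delegation and BIND config.

Hypothetical helper, not part of PowerDNS or BIND.  It produces:
  * NS records to add to the existing (static) public zone, and
  * key + zone stanzas for a dedicated acme-ns running BIND, with a
    separate TSIG key per hostname so a key can only touch its own name.
"""
import base64
import secrets
import textwrap

ACME_NS = "acme-ns.example.com."    # dedicated ACME nameserver named in the post
ZONE_DIR = "/var/lib/bind/acme"     # assumed zone-file directory on acme-ns


def challenge_name(hostname: str) -> str:
    """Fully qualified _acme-challenge owner name for a hostname (trailing dot)."""
    return f"_acme-challenge.{hostname.strip('.')}."


def delegation_record(hostname: str, acme_ns: str = ACME_NS) -> str:
    """Static NS record to add to the public zone for this hostname."""
    return f"{challenge_name(hostname)} NS {acme_ns}"


def new_tsig_key(hostname: str) -> dict:
    """One HMAC-SHA256 TSIG key per hostname: 32 random bytes, base64 as BIND expects."""
    name = f"acme-{hostname.strip('.').replace('.', '-')}"   # assumed naming scheme
    secret = base64.b64encode(secrets.token_bytes(32)).decode()
    return {"name": name, "algorithm": "hmac-sha256", "secret": secret}


def bind_key_stanza(key: dict) -> str:
    """BIND key {} block for one TSIG key."""
    return textwrap.dedent(f"""\
        key "{key['name']}" {{
            algorithm {key['algorithm']};
            secret "{key['secret']}";
        }};
    """)


def bind_zone_stanza(hostname: str, key: dict) -> str:
    """BIND zone {} block: a separate primary zone per hostname.

    The 'name' nametype in update-policy restricts the key to exactly this
    owner name, and the trailing TXT limits it to the record type DNS-01 uses.
    """
    zone = challenge_name(hostname)
    return textwrap.dedent(f"""\
        zone "{zone.rstrip('.')}" {{
            type primary;
            file "{ZONE_DIR}/{zone.rstrip('.')}.db";
            update-policy {{ grant {key['name']} name {zone} TXT; }};
        }};
    """)


def build(hostnames):
    """Return (public-zone NS records, named.conf fragment, key -> allowed names)."""
    public, conf, policy = [], [], {}
    for host in hostnames:
        key = new_tsig_key(host)
        public.append(delegation_record(host))
        conf.append(bind_key_stanza(key))
        conf.append(bind_zone_stanza(host, key))
        policy[key["name"]] = {challenge_name(host)}
    return public, "\n".join(conf), policy


def key_may_update(policy, key_name: str, owner_name: str) -> bool:
    """Mirror of the generated update-policy: a key may only write its own name."""
    return owner_name in policy.get(key_name, set())


if __name__ == "__main__":
    records, named_conf, pol = build(["www.example.com", "mail.example.com"])
    print("; add to the public zone:")
    print("\n".join(records))
    print("\n// add to named.conf on acme-ns:")
    print(named_conf)
```

Each host's ACME client is then given only its own TSIG key, so a compromised host can at most rewrite the TXT record for its own `_acme-challenge` name; the public zone itself never receives dynamic updates.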