[Pdns-users] Prevent external lookup of (private) subdomains

Brian Candler b.candler at pobox.com
Thu Sep 23 13:44:42 UTC 2021

On 23/09/2021 14:31, informant at trinaxab.se wrote:
> I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration.

Exactly.  You can stand up a separate nameserver purely for responding 
to ACME challenges, and delegate to it using

intra.example.com.  NS  acme-ns.example.com.

You don't even need to run multiple nameservers, because the normal 
RFC2182 redundancy requirements don't come into play here. That makes 
answering DNS01 challenges much faster, as you don't need to wait for 
updates to replicate to secondary nameservers.

If you want to issue certs for hosts which are not under 
intra.example.com, you can still do so: just add static NS records like

_acme-challenge.www.example.com. NS acme-ns.example.com.

for each name that you want to issue a cert for.  Best practice is to 
create separate zones for these on your acme-ns nameserver, with 
different TSIG keys, so that each host is only able to issue certs for 
its own hostname(s).

I like this approach because you can keep your robust, static public DNS 
as-is, and not have to introduce any dynamic DNS updates into it.
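The dedicated acme-ns setup described above, as an added example that is not part of the original post: a BIND named.conf fragment for the challenge-only nameserver with one zone and one TSIG key per host, so a key can only write TXT records under its own name (key names, file paths and the zone for intra.example.com are assumptions; the public zone only needs the NS delegation records quoted above).

```conf
// acme-ns.example.com: answers ACME DNS-01 challenges only.
// One TSIG key per issuing host; generate each with: tsig-keygen <keyname>
key "www-acme-key" {
    algorithm hmac-sha256;
    secret "<paste output of: tsig-keygen www-acme-key>";   // placeholder
};

key "intra-acme-key" {
    algorithm hmac-sha256;
    secret "<paste output of: tsig-keygen intra-acme-key>"; // placeholder
};

// Zone delegated from the public zone by:
//   _acme-challenge.www.example.com. NS acme-ns.example.com.
// The key may only create/delete TXT at exactly this name, nothing else.
zone "_acme-challenge.www.example.com" {
    type master;                       // "primary" on BIND 9.16+
    file "/var/lib/bind/_acme-challenge.www.example.com.db";
    update-policy {
        grant www-acme-key name _acme-challenge.www.example.com. TXT;
    };
};

// Zone delegated by: intra.example.com. NS acme-ns.example.com.
// Hosts under intra.example.com share one key and may write TXT records
// anywhere below the apex (e.g. _acme-challenge.host1.intra.example.com).
zone "intra.example.com" {
    type master;
    file "/var/lib/bind/intra.example.com.db";
    update-policy {
        grant intra-acme-key subdomain intra.example.com. TXT;
    };
};

// Minimal zone file for each of the above (same layout for both), e.g.
// /var/lib/bind/_acme-challenge.www.example.com.db:
//   $TTL 60
//   @  IN SOA acme-ns.example.com. hostmaster.example.com. (
//             1 3600 600 604800 60 )
//      IN NS  acme-ns.example.com.
// Short TTLs are fine: there are no secondaries to replicate to, so the
// validator sees the new TXT record as soon as the dynamic update lands.
```

A client then sends its challenge with `nsupdate -k www-acme-key.key` against acme-ns; an update signed with www-acme-key that targets any other name, or any record type other than TXT, is refused by the update-policy.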
