Hi Brian,

On 7/8/19 12:17 PM, Brian Candler wrote:
>> To ease future TLS deployments, I'd like to use something like lego [2] to get certificates from Let's Encrypt using the dns-01 challenge [3]; which requires me to enable the web/api server.

> Or you can use dynamic DNS updates with TSIG:

Thanks for the pointer(s), I will have a look.


>> A colleague of mine suggested delegating _acme-challenge subdomains to a dedicated DNS server, like acme-dns [6], but that still requires a bunch of CNAME records for some (most?) of our A/AAAA records (plus a separate server/IP just for ACME challenges)...

> That's how I do it. However I stopped using CNAME, and switched to using a single NS record to do the delegation to the separate server.

> As a side benefit, the single NS record means you don't have to allow for DNS replication delays. The one nameserver which accepts the dynamic updates is also the one nameserver which Letsencrypt checks the challenge/response against.

Sounds plausible.

Just for clarification, in your example.com zone, you have an NS record pointing to your "challenge DNS server", i.e.

    _acme-challenge       IN   NS   nsacme.example.org.

right? What about subdomains of example.com? Won't they need an NS record as well?

    _acme-challenge.db    IN   NS   nsacme.example.org.
    _acme-challenge.git   IN   NS   nsacme.example.org.
    ; etc.

(Or am I just particularly slow today? :-))

Kind Regards,
Dominik
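Added illustration for the NS-delegation question above (example code written for this page, not something posted in the thread or shipped by PowerDNS, lego or acme-dns). A DNS delegation only covers names at or below the owner of the NS record, so an NS record at `_acme-challenge.example.com` says nothing about `_acme-challenge.db.example.com`, which is a child of `db.example.com`, not of `_acme-challenge.example.com`. The script below models that closest-enclosing-delegation walk over a constructed example.com zone: `nsacme.example.org.` is the challenge server named in the mail, while `ns1.example.com.` and the list of hostnames are assumptions chosen for the example. It reports which server the CA will end up querying for each validation name and lists the per-name NS records still missing.

```python
"""Which nameserver answers a dns-01 TXT query under NS-based delegation?

Constructed example: example.com is served by ns1.example.com (assumed) and
delegates individual _acme-challenge names to nsacme.example.org (the
challenge server from the thread). authoritative_server() walks a name's
labels from the most specific towards the zone origin, the same way a
resolver finds the closest enclosing zone cut, and returns the server that
would be asked for the validation TXT record.
"""

ZONE_ORIGIN = "example.com."
APEX_NS = "ns1.example.com."          # assumed: serves example.com itself

# Constructed delegations: owner name -> target of the NS record.
# Only these two _acme-challenge names are handed to the challenge server.
DELEGATIONS = {
    "_acme-challenge.example.com.": "nsacme.example.org.",
    "_acme-challenge.db.example.com.": "nsacme.example.org.",
}


def normalize(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def acme_validation_name(hostname):
    """Name the CA queries for a dns-01 challenge of the given hostname."""
    return "_acme-challenge." + normalize(hostname)


def authoritative_server(name, delegations=DELEGATIONS):
    """Return the nameserver that answers queries for `name` in example.com.

    Starting from the full name, strip one leading label at a time; the
    first owner with an NS record wins. Reaching the zone origin without a
    hit means the apex server itself answers (and has no challenge TXT).
    """
    candidate = normalize(name)
    if candidate != ZONE_ORIGIN and not candidate.endswith("." + ZONE_ORIGIN):
        raise ValueError(f"{candidate} is not within {ZONE_ORIGIN}")
    while True:
        if candidate in delegations:
            return delegations[candidate]
        if candidate == ZONE_ORIGIN:
            return APEX_NS
        candidate = candidate.split(".", 1)[1]   # drop the leftmost label


def missing_delegations(hostnames, delegations=DELEGATIONS):
    """Zone-file NS lines (relative to $ORIGIN example.com.) still needed so
    that every hostname's validation name reaches the challenge server."""
    target = "nsacme.example.org."
    lines = []
    for host in hostnames:
        vname = acme_validation_name(host)
        if authoritative_server(vname, delegations) != target:
            relative = vname[: -len("." + ZONE_ORIGIN)]
            lines.append(f"{relative}\tIN\tNS\t{target}")
    return lines


if __name__ == "__main__":
    # Constructed list of hosts that need certificates.
    hosts = ["example.com", "db.example.com", "git.example.com"]
    for h in hosts:
        print(f"{acme_validation_name(h):40} -> {authoritative_server(acme_validation_name(h))}")
    print("\nNS records still to add to example.com:")
    for line in missing_delegations(hosts):
        print("   ", line)
```

Running it shows the apex name and `db` landing on `nsacme.example.org.`, while `git` still resolves to the apex server, so a third NS record is required before a certificate for `git.example.com` can validate; put differently, one NS record per certificate name replaces one CNAME per name, and the challenge server must be authoritative for (or accept TSIG updates into) each delegated `_acme-challenge.<host>` name.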

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users