Hi Brian,
On 7/8/19 12:17 PM, Brian Candler wrote:
To ease future TLS deployments, I'd like to use something like lego
[2] to get certificates from Let's Encrypt using the dns-01 challenge
[3]; which requires me to enable the web/api server.
Or you can use dynamic DNS updates with TSIG:
Thanks for the pointer(s), I will have a look.
A collegue of mine suggested delegating _acme-challenge subdomains to
a dedicated DNS server, like acme-dns [6], but that still requires a
bunch of CNAME records for some (most?) of our A/AAAA records (plus a
separate server/IP just for ACME challenges)...
That's how I do it. However I stopped using CNAME, and switched to using
a single NS records to do the delegation to the separate server.
As a side benefit, the single NS record means you don't have to allow
for DNS replication delays. The one nameserver which accepts the
dynamic updates is also the one nameserver which Letsencrypt checks the
challenge/response against.
Sounds plausible.
Just for clarification, in your example.com zone, you have an NS record
pointing to your "challenge DNS server", i.e.
_acme-challenge IN NS nsacme.example.org.
right? What about subdomains of example.com? Won't they need an NS
record as well?
_acme-challenge.db IN NS nsacme.example.org.
_acme-challenge.git IN NS nsacme.example.org.
; etc.
(Or am I just particularly slow today? :-))
Kind Regards,
Dominik
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users