It is not necessary to use the web/API server for DNS-01 challenges; I use them all the time and don't have either of those enabled. DNS-01 can use a variety of protocols for adding/removing the necessary TXT records, and if you choose the RFC2136 protocol you can communicate directly with the pdns auth primary server and use its built-in controls to restrict updating in various ways. If you need more flexibility in restricting updates you can add a Lua script which validates the incoming requests.
On Mon, Jul 8, 2019 at 5:43 AM Dominik Menke <d...@digineo.de> wrote:
>
> Hi,
>
> I'm currently running pdns 4.1.1 authoritative server (from Ubuntu 18.04
> repositories) in master/slave mode, and manage my zones via BIND backend
> (using our own DSL, dnsgit [1]).
>
> To ease future TLS deployments, I'd like to use something like lego [2]
> to get certificates from Let's Encrypt using the dns-01 challenge [3];
> which requires me to enable the web/api server. Issue #2400 [4] suggests
> that I'd also need a non-BIND backend.
>
> My primary questions now are:
>
> 1. How do I restrict API access to only add/remove TXT records for
> _acme-challenge labels? The docs mention an ACL ("the default ACL
> before 4.1.0 allows access from everywhere" [5]), but it seems to
> only be capable of whitelisting CIDR lists for incoming requests
> ("webserver-allow-from").
>
> 2. Given I set "launch=bind,gsqlite3", how does PDNS handle updates? I'd
> like to see API patches going only to the SQLite DB, and leave the
> BIND zone files untouched. Is that doable?
>
> A colleague of mine suggested delegating _acme-challenge subdomains to a
> dedicated DNS server, like acme-dns [6], but that still requires a bunch
> of CNAME records for some (most?) of our A/AAAA records (plus a separate
> server/IP just for ACME challenges)...
>
> I'd be grateful for any input.
>
> Kind Regards,
> Dominik Menke
>
> [1]: https://github.com/digineo/dnsgit
> [2]: https://go-acme.github.io/lego/dns/pdns/
> [3]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
> [4]: https://doc.powerdns.com/authoritative/http-api/index.html#webserver
> [5]: https://github.com/PowerDNS/pdns/issues/2400
> [6]: https://github.com/joohoi/acme-dns
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
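As an added illustration (not code from either poster), this is the shape of the Lua update policy the reply refers to: it lets an RFC2136 client sign in with one TSIG key and touch only `_acme-challenge` TXT records inside the zone. The policy-object method names (`getQName`, `getQType`, `getZoneName`, `getRemote`, `getTsigName`) and the settings `dnsupdate`/`lua-dnsupdate-policy-script` are taken from the PowerDNS 4.x dnsupdate documentation as I remember it; check them against the docs for your version before relying on this. The key name and client address are placeholders.

```lua
-- Added example: PowerDNS Authoritative RFC2136 update policy for ACME DNS-01.
-- Enable with (assumed settings, see the dnsupdate docs for your version):
--   dnsupdate=yes
--   lua-dnsupdate-policy-script=/etc/powerdns/acme-policy.lua
-- The function is called once per record in an UPDATE; returning false rejects it.

local ACME_KEY_NAME = "acme-key."        -- placeholder: TSIG key name handed to the ACME client
local ALLOWED_CLIENTS = {                -- constructed: hosts that run lego/certbot
  ["192.0.2.10"] = true,
  ["2001:db8::10"] = true,
}
local QTYPE_TXT = 16                     -- numeric RR type for TXT
local ACME_PREFIX = "_acme-challenge."   -- leftmost label the challenge record must carry

-- True only if qname lies inside the zone being updated and its first
-- label is exactly _acme-challenge (so neither apex nor any other name).
local function is_acme_challenge(qname, zone)
  if not qname:isPartOf(zone) then
    return false
  end
  local name = qname:toString():lower()
  return name:sub(1, #ACME_PREFIX) == ACME_PREFIX
end

function updatepolicy(input)
  -- 1. The update must be signed with the key we issued for ACME.
  if input:getTsigName():toString():lower() ~= ACME_KEY_NAME then
    return false
  end
  -- 2. Only the known ACME client hosts may use that key.
  if not ALLOWED_CLIENTS[input:getRemote():toString()] then
    return false
  end
  -- 3. Only TXT records may be added or removed.
  if input:getQType() ~= QTYPE_TXT then
    return false
  end
  -- 4. And only names of the form _acme-challenge.<something in this zone>.
  if not is_acme_challenge(input:getQName(), input:getZoneName()) then
    return false
  end
  return true
end
```

Together with per-zone TSIG-ALLOW-DNSUPDATE metadata this limits what a leaked ACME key can change to challenge tokens, which is the property the API ACL in the original question could not give.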