Comment by itintheory
8 days ago
I'm really excited for this. We moved 120+ hand-renewed certs to ACME, but still manually validate the domains annually. Many of them are on private/internal load balancers (no HTTP-01 challenge possible), and our DNS host doesn't support automation (no DNS-01 challenges either). While manually renewing the DCV for ~30 domains once a year isn't too bad, when the lifetime of that validity shrinks, ultimately to 9 days, it'd become a full-time job. I just hope Sectigo implements this as quickly as LE.
Note that you can delegate the _acme-challenge subdomain to a validation-specific server or zone, i.e. to a different server that supports automation, if you can't or don't want to change your main DNS provider.
https://letsencrypt.org/docs/challenge-types/#:~:text=This%2...
For the love of god, switch to a DNS provider with an API. Whatever legacy behemoth you’re working with doesn’t justify a gap this wide.
What open source DNS servers have an API? (I saw someone elsewhere in the thread talking about doing this with dnsmasq, but it sounded like they'd cobbled something together, rather than the software handling it.)
BIND 9, for starters
https://datatracker.ietf.org/doc/html/rfc2136
I personally wouldn't use dnsmasq for this (as it's far more suited as a recursive server and DHCP provider with some basic authoritative records, rather than an authoritative-only server), but every open source authoritative DNS server worth using has RFC 2136 support.
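As an added illustration of the two points above (delegating _acme-challenge into a separate zone, and updating that zone over RFC 2136), not code from anyone in this thread: a small Python helper that follows the _acme-challenge CNAME to the name the CA will actually query, computes the DNS-01 TXT value as RFC 8555 defines it, and emits the nsupdate batch that publishes or removes it. The domain, zone and server names are constructed assumptions.

```python
import base64
import hashlib

# Constructed delegation map for the example: the _acme-challenge label in the
# main (non-automatable) zone is a CNAME into a separate zone that accepts
# RFC 2136 dynamic updates. All names here are assumptions, not real hosts.
DELEGATIONS = {
    "_acme-challenge.app.example.com.": "app.acme.validation.example.net.",
}
VALIDATION_ZONE = "validation.example.net."
VALIDATION_SERVER = "ns1.validation.example.net."
TXT_TTL = 60


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT value is the unpadded base64url encoding of
    SHA-256(token "." JWK thumbprint of the ACME account key)."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_target(domain: str) -> str:
    """Follow the _acme-challenge CNAME chain to the name the CA will query for
    the TXT record, and refuse names that do not land in the automatable zone."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    seen = set()
    while name in DELEGATIONS:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = DELEGATIONS[name]
    if name != VALIDATION_ZONE and not name.endswith("." + VALIDATION_ZONE):
        raise ValueError(f"{name} is not delegated into {VALIDATION_ZONE}")
    return name


def nsupdate_script(domain: str, token: str, account_thumbprint: str,
                    cleanup: bool = False) -> str:
    """Build the nsupdate batch (an RFC 2136 UPDATE) that publishes, or with
    cleanup=True removes, the DNS-01 TXT record at the delegated name."""
    target = challenge_target(domain)
    value = dns01_txt_value(token, account_thumbprint)
    lines = [f"server {VALIDATION_SERVER}", f"zone {VALIDATION_ZONE}",
             f'update delete {target} TXT "{value}"']
    if not cleanup:
        lines.append(f'update add {target} {TXT_TTL} TXT "{value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"
```

The main zone only needs the one static CNAME record (`_acme-challenge.app.example.com. IN CNAME app.acme.validation.example.net.`); the generated batch is what an ACME client's DNS hook would pipe into `nsupdate -k <TSIG key file>` against the validation server.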
PowerDNS has an API which is working pretty well, I've been using it to generate ACME certificates for a few years and I also built a DNS hosting service around it.
Name one that doesn’t have an AWS-style per-query cost.
(There might well be a nice one, but I haven’t found it yet.)
If it's for a business, I would contact them to see if they have a commercial offering, but I think the Hurricane Electric Free DNS might actually fit.
https://dns.he.net/
Hetzner does not charge any money for their DNS service and they have an API.
Might be obvious, but Cloudflare
Hetzner DNS
desec.io