Comment by throw0101a
3 hours ago
> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.
Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
        }
      }
    }
* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...
BIND 9 example:
* https://dan.langille.org/2020/12/19/creating-a-very-specific...
You can also point the hostname that you wish to issue certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:
* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
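Added example, not part of the comment above or of any project it links: a Python approximation of how the `ForAllValues:StringEquals` condition in that Route53 statement treats a change batch, usable as a pre-flight check on what a scoped token could touch. The name `_acme-challenge.www.example.com` and the sample records are constructed, and the normalization follows AWS's documented rules as an assumption; this is not the IAM engine itself.

```python
import re

# Constructed stand-in for "_acme-challenge.<SUB>.<DOMAIN>.<TLD>" in the policy.
ALLOWED_NAMES = {"_acme-challenge.www.example.com"}

def normalize(name):
    """Approximate Route 53 name normalization (assumption, per AWS docs):
    lowercase, drop the trailing dot, and write characters outside
    a-z 0-9 - _ . as backslash plus a three-digit octal code."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return re.sub(r"[^a-z0-9._-]", lambda m: "\\%03o" % ord(m.group()), name)

def batch_allowed(change_batch, allowed=ALLOWED_NAMES):
    """ForAllValues:StringEquals: every record name in the request must equal
    a policy value, so one out-of-scope change denies the whole call."""
    names = {normalize(c["ResourceRecordSet"]["Name"])
             for c in change_batch["Changes"]}
    return names <= set(allowed)

def change(name, rtype, value):
    """Build one constructed UPSERT entry in the ChangeBatch shape."""
    return {"Action": "UPSERT",
            "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": 60,
                                  "ResourceRecords": [{"Value": value}]}}

# Constructed sample changes (documentation addresses and names only).
ACME = change("_ACME-Challenge.www.example.com.", "TXT", '"constructed-token"')
APEX = change("www.example.com.", "A", "203.0.113.10")
ALIAS = change("_acme-challenge.www.example.com", "CNAME", "other.example.net.")

if __name__ == "__main__":
    cases = [("challenge TXT only", [ACME]),
             ("host A record", [APEX]),
             ("challenge TXT plus host A", [ACME, APEX]),
             ("CNAME at the challenge name", [ALIAS])]
    for label, changes in cases:
        verdict = "allow" if batch_allowed({"Changes": changes}) else "deny"
        print(f"{label}: {verdict}")
```

The CNAME case is allowed because the condition shown constrains record names only; Route 53 also provides the `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsActions` condition keys for narrowing the token to TXT records.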
Yes, I see that AWS Route53 can limit credential scope. That kind of thing helps a lot.
I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.
> That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.
At my last job we deployed a special sub-domain for that purpose (dnsauth.example.com) and manually created CNAMEs on our main (sub-)domains to point to it.
We then deployed a single (no-HA) externally exposed BIND server with a bunch of scripts that folks could connect to (we had deploy hook scripts for users/developers). Nowadays there are even purpose-built DNS servers for this purpose:
* https://github.com/acme-dns/acme-dns
My experience has been that CertBot doesn't play well with CNAME delegation, but it's probably very situational, like depending upon which DNS hosting provider plugin you're using.
My solution was to give up on CertBot and use dehydrated instead. This did require me to come up with a script to make the necessary API call to the DNS hosting, which dehydrated will then run as necessary.
> My experience has been that CertBot doesn't play well with CNAME delegation […]
A CertBot ticket on the subject opened January 2026:
* https://github.com/certbot/certbot/issues/10555