Are there any DNS providers that let you beat the DNS-01 challenge without needing an API key?

I'm writing web server software that I'm planning to (eventually) open source. One of its goals is to minimize the amount of setup required by the programmer to get the server up & running (bare minimum boilerplate). As such, I'm trying to avoid having to issue & utilize API keys wherever possible, as that would add an additional step for anyone using my software.

Hence the question: are there any DNS providers that let you beat the DNS-01 challenge without needing an API key/login to instruct it to host the DNS challenge file (e.g. by verifying my identity solely using the IP which my request to host the file is coming from)?

My server is already capable of beating the HTTP-01 challenge, but I want to add support for abstract/runtime generated subdomains & hence need the wildcard support of the DNS-01 challenge.


Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Perhaps by using this?


Well, you can still support on-the-fly generated subdomains without needing a wildcard (that's what Caddy does, for instance). Though certainly that can end up being unwieldy in some cases.

I'm not quite following your question; it seems weird to me that you're trying to have an easy out-of-the-box setup for users, but then force them to use your preferred DNS provider, whatever it is? I think the usual approach would be for your users to set up a CNAME or NS record from _acme-challenge on the DNS hosting their name to whatever DNS system you're using. Something like acme-dns as just suggested might be a good choice. I think what you're looking for is something similar to the approach used by agnos, where the delegation is to the same server as the web server, where the web server system also runs a DNS server that can handle answering the challenge.


I'd encourage you to think a bit about this requirement and what it would entail. An API key is simply a mechanism to authenticate a user or process. You're therefore asking for a DNS provider that will allow an unauthenticated user to create and delete DNS records. I don't think I need to elaborate further on why this would be an absolutely terrible idea.

And perhaps this is simply an unfortunate choice of words on your part, but I don't think anyone here is interested in helping anyone "beat" any of the challenges. Satisfy them, yes, but "beat" strongly suggests circumventing them.


OP said something about authentication by IP address. However, that's of course not very secure.


If that existed, wouldn't it break the proof of control (and/or ownership) of the domain?
Basically anyone could do what they want to your DNS RRs.


Indeed not. Perhaps if it could be restricted to only creating or deleting TXT records in the form of _acme-challenge.<foo>.domain it might be OK, but it still seems like less than the BRs would assume for DNS control.


acme-dns is the most obvious, but ideally you host that yourself (each org that wants to use it, not you); alternatively you could host an acme-dns instance for your users (as the acme-dns project currently does).

HTTP domain validation is your number one method (obviously, for a web server), and you should consider that if a well-established project like Caddy can't do something (magic DNS challenges), then you probably can't either.

Realistically an API key is the bare minimum that an actual DNS provider would require for updates to DNS records, otherwise someone could complete challenges on behalf of your domain. API keys are just not that hard to get, so you should just take the hit and use them. If you are looking to recommend specific DNS providers that are the least amount of hassle then Cloudflare and AWS Route 53 are probably among the simplest that offer API key scoping etc.

The "get out of jail" technique for DNS challenges is to CNAME each _acme-challenge record to a DNS zone that's going to answer DNS challenges for you (like acme-dns does). That does mean any DNS service you control can then answer challenge responses if it knows which answers to provide, and indeed I've built that before with Certify DNS (a cloud-based implementation of the same endpoints/requests that acme-dns uses, but requiring API credentials). So, if you can tell your users which CNAME records to manually set up, then subsequent DNS challenges resolving to a service you control could be used to answer challenges. You would need to host that forever, or you break their renewals.


I'm not aware of any DNS providers that allow edits without authentication, using only an IP whitelist.

That seems like it would be dangerous. Any software running on the server that can make HTTP requests could potentially hijack your DNS or solve challenges for someone else.


It's certainly not intended for internet-facing ACLs, but BIND allows configuring unauthenticated RFC2136-based updates using nothing but IP whitelists.

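For the BIND route just mentioned, this is what the address-only permission looks like next to a TSIG-keyed one. It is an added example, not configuration from the thread or from the BIND project: the zone name, the client address and the key name are placeholders, the two zone stanzas are alternatives (not both at once), and the secret has to come from tsig-keygen.

```conf
// named.conf fragment (added example; zone, address and key name are placeholders).

// Weak: RFC 2136 updates accepted on source address alone. Anything that can
// send UDP from 203.0.113.10, or spoof that address, can rewrite any record
// in the zone, including NS, MX and A.
zone "example.com" {
    type primary;              // "master" on BIND releases before 9.16
    file "example.com.zone";
    allow-update { 203.0.113.10; };
};

// Hardened alternative: updates must be signed with a TSIG key, and that key
// is only allowed to touch TXT records under the zone. Generate the key with
// `tsig-keygen acme-update` and paste its output here.
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-THE-SECRET-PRINTED-BY-tsig-keygen";
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    update-policy {
        // any TXT name below example.com (covers _acme-challenge.<anything>)
        grant acme-update subdomain example.com. TXT;
        // stricter form for a fixed set of names, one line per name:
        // grant acme-update name _acme-challenge.www.example.com. TXT;
    };
};
```

On the client side the same key file drives `nsupdate -k acme-update.key`, and ACME clients that speak RFC 2136 take the same name/algorithm/secret triple; the point of the keyed policy is that a compromised web process can at most add a TXT record, not repoint the zone.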

If self hosting the DNS is possible, that does sound rather appealing.

Are you saying I could just spin up a DNS server on port 53, port forward, and fill in an IPv4 address in the "DNS server" field on my domain registrar's website (or something like that)?

I gave it a go, but it then complains that "The name server address is invalid" (currently testing on loopia.se), without even getting any requests from their services. Do I need a dedicated domain name (which in its turn then uses a 3rd-party DNS) for this to work?

Thanks, is https://auth.acme-dns.io essentially a DNS that I can give to my domain registrar (and have it sit there permanently)? Like so:
[screenshot]

Yes

No; you're looking for creating an NS record for _acme-challenge that points to the same hostname as the web server, so that the DNS requests for that name are delegated to that same server.

And "just spin up a DNS server" may be more involved than you're expecting. I highly recommend not trying to create a new server yourself, but using something off-the-shelf, as the DNS protocol is much more complicated than one would expect at first glance.


Is this it?


[screenshot]

Unless that's what this does, I don't appear to be able to configure name servers for specific subdomains. On the "Name-servers" tab, I can configure name servers for the entire main domain name, but not independently for any subdomains.

Taking a peek at Cloudflare, they actually have an "NS" type. I'm guessing that is what I actually want (not TXT, which I presume is for having their NS serve the value I enter as raw bytes)? It, however, won't let me enter an IPv4 address here either, complaining that my entered "Content for NS record is invalid".

Yes, you'd need a DNS provider that lets you set NS records, and you'd set it up for the _acme-challenge name to the same hostname as your main web server.

But as you're finding, this can get pretty complex and may not be the easy "minify the amount of setup" that you were initially looking for.

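The NS-delegation arrangement discussed in the last few posts (delegate _acme-challenge to the same host as the web server, which then answers the TXT query itself) in miniature. This is an added example, not code from the thread, from agnos or from Caddy: a responder that speaks just enough of the DNS wire format to answer TXT queries for names the ACME client has registered, returns NODATA for other types at those names, and NXDOMAIN for everything else. The names, the TTL and the socket setup are assumptions; a real delegated zone would also need SOA and NS records and a TCP listener, which this leaves out.

```python
"""Minimal responder for a delegated _acme-challenge name (added example)."""
import socket
import struct

TYPE_TXT, TYPE_ANY = 16, 255
TTL = 30  # short, so a retried validation does not see a stale cached answer

# lowercase FQDN without trailing dot -> TXT strings currently published
# (the ACME client fills this in right before asking the CA to validate)
CHALLENGES: dict[str, list[str]] = {}


def set_challenge(name: str, value: str) -> None:
    CHALLENGES.setdefault(name.lower().rstrip("."), []).append(value)


def clear_challenge(name: str) -> None:
    CHALLENGES.pop(name.lower().rstrip("."), None)


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Standard recursion-desired query, as a resolver or the CA would send it."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(query: bytes) -> bytes:
    """Authoritative answer: TXT data, NODATA, or NXDOMAIN; NOTIMP for odd queries."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rd = flags & 0x0100                                  # echo the RD bit back
    if (flags & 0x7800) or qdcount != 1:                 # non-standard opcode or question count
        return struct.pack("!HHHHHH", qid, 0x8000 | rd | 4, 0, 0, 0, 0)
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    records = CHALLENGES.get(qname)
    answers, ancount = b"", 0
    if records is not None and qtype in (TYPE_TXT, TYPE_ANY):
        for txt in records:
            data = txt.encode("ascii")                   # TXT RDATA: 255-byte length-prefixed chunks
            rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                             for i in range(0, len(data), 255))
            answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, 1, TTL, len(rdata)) + rdata
            ancount += 1
    rcode = 3 if records is None else 0                  # NXDOMAIN for names never registered
    return struct.pack("!HHHHHH", qid, 0x8400 | rd | rcode, 1, ancount, 0, 0) + question + answers


def parse_response(resp: bytes) -> tuple[int, list[str]]:
    """Return (rcode, TXT strings) from a response; used to self-check the responder."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = decode_name(resp, off)[1] + 4
    txts = []
    for _ in range(ancount):
        off = decode_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            txts.append("".join(parts))
    return flags & 0xF, txts


def serve(bind=("0.0.0.0", 53)) -> None:
    """UDP loop only; run it in a thread next to the web server's listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (IndexError, struct.error, UnicodeDecodeError):
                pass                                     # malformed query: drop, don't crash
```

The check a practitioner wants before pointing a CA at this is that the answer is authoritative (AA bit set), carries the question's ID, and that an unregistered name gets NXDOMAIN rather than a timeout; `parse_response(build_response(build_query(...)))` exercises all three offline.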

Just for clarification: no, don't do that. Read their instructions, twice.

If you are using a hosted service like acme-dns you will perform an initial registration against that service, which will issue a CNAME record for you to create (e.g. _acme-challenge.something.yourdomain.com pointing to acb1234.somethingelse.theirdomain.com), and your ACME client will also save the registration credentials so it can authenticate against that service. You then create the CNAME record as requested so that your _acme-challenge record resolves to their service. Your subsequent ACME orders will post an update to that service so that it knows which answer to currently respond with.

Honestly though, this seems redundant, I'd concentrate on getting http domain validation working automatically in your web server and forget DNS validation for now.

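The CNAME hand-off described in the two posts above (and in the earlier "get out of jail" post), modelled end to end in memory. This is an added example, not code from the thread or from acme-dns: the ACME client computes the TXT value the CA expects (RFC 8555 section 8.4 over an RFC 7638 key thumbprint), pushes it with its registration credentials to an acme-dns-like service, and the CA's resolver follows the CNAME from the customer's zone into the service's zone. The service name, the shape of its register/update calls, the in-memory zones, and the account key (public coordinates taken from the RFC 7517 example key) and token (the RFC 8555 example token) are all assumptions for the example.

```python
"""DNS-01 through a delegated _acme-challenge CNAME, in memory (added example)."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT record the CA looks for at _acme-challenge.<identifier> (RFC 8555 s.8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


class AcmeDnsLike:
    """In-memory stand-in for an acme-dns style service (register + update).

    Registration hands out a random subdomain plus credentials; updates are
    accepted only with those credentials and only for that subdomain. Those
    credentials are exactly the 'API key' the original question hoped to avoid."""

    def __init__(self, domain: str):
        self.domain = domain.rstrip(".")                  # hypothetical service zone
        self.accounts: dict[str, tuple[str, str]] = {}   # username -> (password, subdomain)
        self.zone: dict[str, list[tuple[str, str]]] = {}  # name -> [(rtype, rdata)]

    def register(self) -> dict:
        username, password = secrets.token_hex(8), secrets.token_urlsafe(30)
        subdomain = secrets.token_hex(8)
        self.accounts[username] = (password, subdomain)
        return {"username": username, "password": password,
                "subdomain": subdomain, "fulldomain": f"{subdomain}.{self.domain}"}

    def update(self, username: str, password: str, subdomain: str, txt: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not secrets.compare_digest(acct[0], password) or acct[1] != subdomain:
            return False                                  # missing or wrong credentials
        name = f"{subdomain}.{self.domain}"
        # keep the previous value too, so a validation already in flight still succeeds
        kept = [r for r in self.zone.get(name, []) if r[0] == "TXT"][-1:]
        self.zone[name] = kept + [("TXT", txt)]
        return True


def resolve_txt(zones: list[dict], name: str, max_hops: int = 8) -> list[str]:
    """Resolver's view: follow CNAMEs across zones and return the TXT strings found."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        records = next((z[name] for z in zones if name in z), [])
        cname = [r for t, r in records if t == "CNAME"]
        if cname:
            name = cname[0].rstrip(".").lower()
            continue
        return [r for t, r in records if t == "TXT"]
    return []                                             # CNAME loop or chain too long


def ca_validates(zones: list[dict], identifier: str, token: str, account_jwk: dict) -> bool:
    """CA side of DNS-01: some TXT at _acme-challenge.<identifier> must equal the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolve_txt(zones, f"_acme-challenge.{identifier}")


def demo() -> bool:
    service = AcmeDnsLike("auth.acme-dns.example")        # hypothetical hosted service
    customer_zone: dict = {}                              # the customer's own DNS provider
    # one-time setup: register, then the user manually creates the CNAME the service named
    reg = service.register()
    customer_zone["_acme-challenge.www.example.com"] = [("CNAME", reg["fulldomain"])]
    account_jwk = {"kty": "EC", "crv": "P-256",           # RFC 7517 example key, not a real account
                   "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                   "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # RFC 8555 example token
    # every order: the client pushes the current answer with its saved credentials
    ok = service.update(reg["username"], reg["password"], reg["subdomain"],
                        dns01_txt_value(token, account_jwk))
    return ok and ca_validates([customer_zone, service.zone], "www.example.com", token, account_jwk)
```

The two things worth noticing are that the customer's DNS provider is never touched after the CNAME exists (renewals only talk to the service), and that the update call fails closed without the registration credentials, which is why "no API key at all" cannot be made safe even with the delegation trick.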
