I have a few questions about DNS-01 and acme-dns that I haven’t been able to figure out from RFCs and docs.
I’ve used acme-dns the normal way for several years, and am now exploring some advanced usage of the DNS-01 challenge.
Context: I have a custom client that doubles as a certificate manager and loader for “infinitely scalable” domains. I finished porting from acme-v1 to acme-v2; HTTP-01 works great. I am looking at DNS-01 support via acme-dns (or something else).
I can’t find this in the RFC. Is it possible to use a standard DNS entry across multiple domains to delegate challenges to a single server?
Instead of having each domain point to a unique record, is it possible to delegate all this to a specific server, and then delegate?
What I would like to support, is having domain owners simply enter a standard element for authorization in advance. This could be a single server, but would most likely be based on a template…
User enrolls domain by setting a specific DNS entry
System validates DNS entry. If it passes, domain is enrolled
System configures acme-dns and any other DNS needs
system obtains certificate
The current flow of acme-dns requires creating an account, and updating the DNS record with that account’s relevant info. I’d like to push that level of interactivity/waterfall from the user into automated systems. Does this seem possible with the technical details of the DNS-01 challenge and DNS?
_acme-challenge.example.com IN CNAME xxxxxxxxxx.acme-dns.example.com
_acme-challenge.example.net IN CNAME yyyyyyyyyy.acme-dns.example.com
_acme-challenge.example.org IN CNAME zzzzzzzzzz.acme-dns.example.com
That is to say, it's not a CNAME for the domain. It's the specific _acme-challenge record that is the CNAME, and it points to the random GUID FQDN on the acme-dns server which was generated at registration time.
The way acme-dns is written, it expects you to make a new acme-dns registration for each name in a cert (not counting wildcards which use the same registration as the non-wildcard version). So each name will need a distinct CNAME created that can only be known post-registration.
So your typical cert that contains example.com and www.example.com would end up with two registrations and two CNAMEs pointing to different FQDNs like this.
_acme-challenge.example.com IN CNAME xxxxxxxxxx.acme-dns.example.com
_acme-challenge.www.example.com IN CNAME yyyyyyyyyy.acme-dns.example.com
Ultimately, this means your user-flow has to look more like this:
User declares what names they want in a cert
System creates acme-dns registration for each name
System informs user what CNAME records to create based on registration results
It doesn’t seem like acme-dns would be terribly helpful for your certificate manager. The way I read your post, you are fighting the structure and indirection that it imposes on you. Wouldn’t things be simpler if you just hosted your own authoritative acme.example.com. zone, and directly updated that?
It also means you could do this sort of pattern for the initial user setup (though I recommend against it, because you are potentially going to hit the maximum length of a DNS name; a short random value would be more robust):
_acme-challenge.example.org. IN CNAME example.org.acme.example.com.
_acme-challenge.www.example.org. IN CNAME www.example.org.acme.example.com.
That's what I have bootstrapped so far. It is not working well for user-acceptance-tests, so I am trying to build support that does not use that pattern - whether using acme-dns or not.
To get around that, I tried auto-generating a pool of 1000 "accounts" and checking them out round-robin style for authorizations (I can switch domains after validation). That sort of worked, but having end-users enter the challenges left too much room for error.
Yes to all. Right now I am just bootstrapping/testing DNS-01 challenges with acme-dns, as I personally use that already. I am 100% open to handling DNS with a custom system. My concern is really about how the DNS-01 challenges are followed/processed.
The max count for a FQDN in DNS is roughly 253 characters (it's a little more complex due to the RFC really being about octets and labels and how things are counted, but let's assume it's 253 ASCII characters). I don't have a problem locking things down to a subset that big - the target audience for this tool is not likely to exceed 50 chars. The dns zones can run on 4+2 and 4+3 character domains too, to further minimize.
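An added example (not code from this thread or from acme-dns) showing the "system validates DNS entry" step from the enrollment flow above: it builds the template-style delegation target discussed in the replies, checks it against DNS name and label limits, and chases the _acme-challenge CNAME chain to confirm it lands inside the operator's ACME zone, rejecting loops and missing records. The zone name acme.example.com and the record set are constructed assumptions.

```python
# Added example: validate a DNS-01 CNAME delegation offline against a
# constructed in-memory record set. Not part of acme-dns or the thread.

ACME_ZONE = "acme.example.com."   # hypothetical operator-run authoritative zone
MAX_NAME_CHARS = 253              # FQDN limit in presentation form (255 octets on the wire)
MAX_LABEL_CHARS = 63              # per-label limit

# Constructed sample records: owner name -> (rtype, rdata), all names absolute.
SAMPLE_RECORDS = {
    "_acme-challenge.example.org.": ("CNAME", "example.org.acme.example.com."),
    "_acme-challenge.www.example.org.": ("CNAME", "www.example.org.acme.example.com."),
    "_acme-challenge.example.net.": ("CNAME", "_acme-challenge.example.net."),  # self-loop
    "example.org.acme.example.com.": ("TXT", "constructed-placeholder-token"),
}

def delegation_target(name, acme_zone=ACME_ZONE):
    """Template pattern from the thread: <enrolled name>.<acme zone>."""
    return f"{name.rstrip('.')}.{acme_zone}"

def check_name_limits(fqdn):
    """Return None if fqdn fits DNS limits, otherwise a reason string."""
    bare = fqdn.rstrip(".")
    if len(bare) > MAX_NAME_CHARS:
        return f"name is {len(bare)} chars, limit {MAX_NAME_CHARS}"
    for label in bare.split("."):
        if not label or len(label) > MAX_LABEL_CHARS:
            return f"bad label {label!r} (empty or longer than {MAX_LABEL_CHARS})"
    return None

def follow_cname(owner, records, max_hops=8):
    """Chase CNAMEs from owner; raise ValueError on a loop or too-deep chain."""
    seen, cur = [], owner
    while cur in records and records[cur][0] == "CNAME":
        if cur in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {cur}")
        seen.append(cur)
        cur = records[cur][1]
    return cur

def is_delegated(name, records, acme_zone=ACME_ZONE):
    """True if _acme-challenge.<name> resolves (via CNAME) into acme_zone."""
    owner = f"_acme-challenge.{name.rstrip('.')}."
    try:
        final = follow_cname(owner, records)
    except ValueError:
        return False
    return final != owner and final.endswith("." + acme_zone)
```

A real enrollment check would swap the in-memory lookup for a resolver query; the chain-following and limit logic stays the same.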
Let's Encrypt doesn't prevent you from doing anything, as long as it resolves. (And as long as you don't figure out a way to violate the subscriber agreement!)