I have a few questions about DNS-01 and acme-dns that I haven’t been able to figure out from RFCs and docs.
I’ve used acme-dns the normal way for several years, and am now exploring some advanced usage of the DNS-01 challenge.
Context: I have a custom client that doubles as a certificate manager and loader for “infinitely scalable” domains. I finished porting from acme-v1 to acme-v2; HTTP-01 works great. I am looking at DNS-01 support via acme-dns (or something else).
I can’t find this in the RFC. Is it possible to use a standard DNS entry across multiple domains to delegate challenges to a single server?
For example, I have these three domains:
With acme-dns, my DNS records look like this:
- example.com cname _acme-challenge 21fba1c9.acme-dns.example.com
- example.net cname _acme-challenge ca2e4ebabee3.acme-dns.example.com
- example.org cname _acme-challenge 4a06f6100c0a.acme-dns.example.com
Instead of having each domain point to a unique record, is it possible to delegate all this to a specific server, and then delegate?
What I would like to support is having domain owners simply enter a standard element for authorization in advance. This could be a single server, but would most likely be based on a template…
- example.com cname _acme-challenge example.com.authz.acme-dns.example.com
- example.net cname _acme-challenge example.net.authz.acme-dns.example.com
- example.org cname _acme-challenge example.org.authz.acme-dns.example.com
The user-flow I am looking for is:
- user enrolls domain by setting a specific dns entry
- system validates dns entry. if it passes, domain is enrolled
- system configures acme-dns and any other dns needs
- system obtains certificate
The current flow of acme-dns requires creating an account, and updating the dns-record with that account’s relevant info. I’d like to push that level of interactivity/waterfall from the user into automated systems. Does this seem possible with the technical details of the DNS-01 challenge and DNS?
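As an added example (not from the original post and not acme-dns code), here is how the "system validates dns entry" step of that flow and the DNS-01 record value fit together in Python: the validator derives the CNAME a domain owner is expected to publish from a template, follows the CNAME chain in a zone snapshot to find where the TXT record must actually be written, and the TXT value is computed as RFC 8555 §8.4 specifies. The `authz.acme-dns.example.com` suffix and the zone snapshot are assumptions; a real check would query DNS instead of a dict.

```python
import base64
import hashlib

# Assumed template suffix, mirroring "<domain>.authz.acme-dns.example.com" from the post.
AUTHZ_SUFFIX = "authz.acme-dns.example.com"


def expected_cname(domain):
    """Owner name and target of the delegation CNAME a domain owner is asked to publish."""
    return f"_acme-challenge.{domain}", f"{domain}.{AUTHZ_SUFFIX}"


def follow_cnames(name, records, max_hops=8):
    """Follow CNAMEs in a {owner: target} snapshot; None on a loop or an over-long chain."""
    seen = set()
    while name in records:
        if name in seen or len(seen) >= max_hops:
            return None
        seen.add(name)
        name = records[name]
    return name


def txt_publish_name(domain, records):
    """Name the DNS-01 TXT record must be published at, or None if the domain is not
    delegated to the templated target (so enrolment must be refused)."""
    owner, target = expected_cname(domain)
    final = follow_cnames(owner, records)
    return final if final == target else None


def b64url(data):
    """base64url without padding, as ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token, jwk_thumbprint_b64url):
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token '.' base64url(JWK thumbprint)))."""
    key_authorization = f"{token}.{jwk_thumbprint_b64url}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


# Constructed zone snapshot (CNAME owner -> target), not real DNS data.
SAMPLE_ZONE = {
    "_acme-challenge.example.com": "example.com.authz.acme-dns.example.com",  # templated: OK
    "_acme-challenge.example.net": "ca2e4ebabee3.acme-dns.example.com",       # per-account style
    "_acme-challenge.example.org": "_acme-challenge.example.org",             # self-referencing loop
}

if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org", "example.edu"):
        print(d, "->", txt_publish_name(d, SAMPLE_ZONE))
    print(dns01_txt_value("constructed-token", "constructed-thumbprint"))
```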