So we have multiple internal servers that we would like to protect with LE certificates. Almost all of the public servers are protected through the webroot authentication method and it works great. However, for the internal servers, DNS-based authentication looks like the only solution that could be done in an automated fashion. We use Microsoft DNS server as our external DNS and I couldn't find any tutorial or hook that can be used with this setup. Does anyone have any experience with using Microsoft DNS and generating LE certificates in an automated way? Any help will be greatly appreciated. I can read the manual or code but just need a starting point, as I can't find anything on this topic here. Thank you very much.
Unfortunately I do not have access to Microsoft DNS server to run the tests, but if the command line interface (in the form of 'dnscmd') is available, then it should be doable. ZeroSSL client for example can be installed on Windows (it has been tested with both Strawberry Perl and ActiveState Perl). It has integration options allowing you to hook into the challenge process and the completion process (see details).
So, if dnscmd is available, then you could add records with:
dnscmd [<ServerName>] /recordadd <ZoneName> <NodeName> <RRType> <RRData>
and remove them with
dnscmd <ServerName> /recorddelete <ZoneName> <NodeName> <RRType> <RRData> [/f]
That means that for integration with this, you would just need to modify the code for "handle_challenge_dns" in the provided Crypt::LE::Challenge::Simple module and "complete" in the Crypt::LE::Complete::Simple module, by executing dnscmd from those (to add a record in the former and to remove it in the latter). Executing external commands in Perl is a very simple task.
I hope that might be helpful.
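The hook described in the reply above, written out as an added example (it is not code from the original thread, from the ZeroSSL client, or from Crypt::LE). It puts both the challenge handler and the completion handler in one module so the records added during the run can be tracked and removed later. Assumptions: dnscmd.exe is on PATH and the account running le.pl has DNS admin rights on the server; Crypt::LE passes the _acme-challenge FQDN as $challenge->{host} and the TXT value as $challenge->{record} (the same keys Crypt::LE::Challenge::Simple prints); le.pl accepts the same module for --handle-with and --complete-with; the server name, zone and module name are placeholders.

```perl
# Crypt/LE/Challenge/MSDNS.pm (hypothetical module name, added example)
# Usable as both --handle-with and --complete-with for le.pl.
package Crypt::LE::Challenge::MSDNS;
use strict;
use warnings;

# Example values: point these at your own DNS server and zone.
our $DNS_SERVER = 'dns1.example.com';
our $ZONE       = 'example.com';
our $DNSCMD     = 'dnscmd';
our $DELAY      = 30;   # seconds to wait after adding, so replicas can serve the record
our @ADDED;             # [node, value] pairs created in this run, removed by complete()

sub new { my $class = shift; return bless {}, $class }

# dnscmd takes the node name relative to the zone, not the FQDN.
# "_acme-challenge.example.com" -> "_acme-challenge"
sub node_name {
    my ($host) = @_;
    my $zone = quotemeta $ZONE;
    (my $node = $host) =~ s/\.$zone\.?\z//i;
    die "'$host' is not inside zone $ZONE\n" if lc $node eq lc $host;
    return $node;
}

# Run dnscmd with the list form of system(): the arguments go straight to the
# process and never through cmd.exe parsing, so the challenge value cannot be
# used to inject extra commands.
sub run_dnscmd {
    my @args = @_;
    my $rc = system($DNSCMD, @args);
    die "$DNSCMD @args failed: "
      . ($rc == -1 ? $! : 'exit ' . ($rc >> 8)) . "\n" if $rc;
    return 1;
}

# Called by Crypt::LE for each domain before the DNS challenge is triggered.
# Assumed keys: $challenge->{host} (FQDN of the TXT record) and
# $challenge->{record} (the value the validator expects).
sub handle_challenge_dns {
    my ($self, $challenge, $params) = @_;
    my $node = node_name($challenge->{host});
    run_dnscmd($DNS_SERVER, '/recordadd', $ZONE, $node, 'TXT', $challenge->{record});
    push @ADDED, [$node, $challenge->{record}];
    sleep $DELAY;
    return 1;
}

# Completion handler: remove only the records this run created, nothing else
# under _acme-challenge. /f suppresses dnscmd's confirmation prompt.
sub complete {
    my ($self, $data, $params) = @_;
    for my $rec (@ADDED) {
        my ($node, $value) = @$rec;
        eval { run_dnscmd($DNS_SERVER, '/recorddelete', $ZONE, $node, 'TXT', $value, '/f'); 1 }
          or warn "cleanup failed: $@";
    }
    @ADDED = ();
    return 1;
}

1;
```

Invoke it with something like `le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains internal.example.com --handle-as dns --handle-with Crypt::LE::Challenge::MSDNS --complete-with Crypt::LE::Challenge::MSDNS`, with the module directory on @INC. Two things to check before relying on it: run the add and delete by hand once to confirm the zone and node names dnscmd expects match what node_name produces, and, if the zone is served by more than one Microsoft DNS server, confirm that $DELAY is long enough for the record to show up on all of them, since the validator may query any authoritative server. The trade-off of the DNS method is that the host running le.pl now holds credentials that can change the zone, so keep it to the minimum rights needed and keep the cleanup limited to records it added itself, as above.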
Thank you very much for the suggestion. This indeed looks promising. The integration also looks quite simple. I am going to try this (in three days, been on the road for an engagement) and will report back. Really appreciate your help.