DNS providers who easily integrate with Let's Encrypt DNS validation

Certify The Web (https://certifytheweb.com) supports a bunch of these - some natively and some via Posh-ACME (which is bundled in the install). I'd go through and add them but it feels somewhat redundant and will start to make the table look pretty crowded.

3 Likes

IMHO, this chart should note two more columns:

  • API Security. On the vendor's platform, can the token be locked-down to only DNS operations, or is the token "dangerous" and can control the entirety of the account -- which spans things other than DNS.

  • Minimum recommended wait time. Many vendors use internal caching within their applications, which is independent of TTL. e.g. Their DNS systems will query an internal cache with a database failover; so if you update a record only the database is affected and the internal cache must time-out or have a manual flush (if that is supported), before the new record and TTL hits their DNS systems. I have experienced several providers that will have 5-15 minute wait times for a 60s TTL to be updated.

5 Likes

I love the sentiment of having this. But "limited to DNS" or not doesn't really cover the range of granularity that some providers offer as far as token permissions. For some, there's no difference between "limited to DNS" and not because they're a DNS-only provider or that's all you can manipulate via the API anyway. Some allow limiting access to specific domains or zones. Some can even limit by record type (only TXT records). With OVH, it's even possible to grant access to a specific set of pre-created TXT records. In any case, not sure how to translate this into a useful data column other than the equivalent of, "this provider offers some sort of granular token security."

Love this too. Too many people don't understand that the record TTL is completely independent of how long it takes for a record change request to get processed by whatever they've got running on the back end that pushes out to however many (possibly global) nameservers. Linode is historically bad on this front, though I think they've gotten better recently.

I also still long for a better way for clients to either check propagation (from the perspective of the ACME validator) before requesting validation or be able to retry failed validations without having to create a new order. But that's a topic for another thread.

7 Likes
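As an added example (not code from the thread, nor from any client or provider named in it), here is the pre-validation propagation check the post above wishes for, built around the internal-cache delay described earlier in the thread: it polls each authoritative nameserver for the `_acme-challenge` TXT record and only declares the change live once every server returns it, with a time budget that is deliberately unrelated to the record's TTL. The hostnames, the token value and the simulated "stale cache" provider are all constructed.

```python
import time
from typing import Callable, Dict, Iterable, Set

# Added example, not code from the thread: poll each authoritative nameserver
# for the _acme-challenge TXT record and report "propagated" only once all of
# them serve the expected value. The provider behaviour below is constructed.

QueryTxt = Callable[[str, str], Set[str]]  # (nameserver, fqdn) -> TXT strings

def wait_for_propagation(fqdn: str, expected: str, nameservers: Iterable[str],
                         query_txt: QueryTxt, timeout: float = 900.0,
                         interval: float = 15.0,
                         sleep: Callable[[float], None] = time.sleep) -> Dict[str, bool]:
    """Poll until every nameserver serves `expected` for `fqdn`, or give up.

    Returns {nameserver: served_expected} from the last poll, so a caller that
    timed out can see which servers still hand out a stale cached answer. The
    budget is counted in poll intervals, independent of the record's TTL.
    """
    servers, waited = list(nameservers), 0.0
    while True:
        seen: Dict[str, bool] = {}
        for ns in servers:
            try:
                seen[ns] = expected in query_txt(ns, fqdn)
            except Exception:  # SERVFAIL, NXDOMAIN, timeout: not there yet
                seen[ns] = False
        if all(seen.values()) or waited >= timeout:
            return seen
        sleep(interval)
        waited += interval

def make_stale_cache_query(stale_polls: int, new_value: str) -> QueryTxt:
    """Constructed provider whose nameservers keep answering with the old
    record for `stale_polls` polls after the API update, then the new one."""
    polls: Dict[str, int] = {}

    def query(ns: str, fqdn: str) -> Set[str]:
        polls[ns] = polls.get(ns, 0) + 1
        return {"stale-value"} if polls[ns] <= stale_polls else {new_value}
    return query

def demo() -> Dict[str, bool]:
    """Provider that needs two polls (30 s at a 15 s interval) before the new
    TXT shows up; sleep is stubbed so the demo runs instantly."""
    token = "constructed-key-authorization-digest"
    q = make_stale_cache_query(2, token)
    return wait_for_propagation("_acme-challenge.example.com", token,
                                ["ns1.example.net", "ns2.example.net"], q,
                                timeout=600.0, interval=15.0, sleep=lambda s: None)
```

For live use, pass a `query_txt` that asks the zone's own NS servers directly (for example with dnspython's `Resolver(configure=False)` and `nameservers=[ip]`), because going through a recursive resolver would hide exactly the staleness this check is meant to detect.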

Or if it costs more. AWS Route 53 has permissions granular to the "hosted zone" level, so you can give permissions to edit everything or nothing in a specific zone. So if you want to do a CNAME for acme challenges to a separate zone (since you don't want a token that controls all DNS on your web servers), you can do it, but creating that sub-zone is just like any other at $6/yr. There's a lot of nuance in how API permissions are given, certainly, and I could see it being useful to include somehow, but it's hard to describe succinctly.

Some DNS APIs offer this, which is maybe something that could be included as well, but I suspect that most don't.

4 Likes

I hate that I 100% agree with you.

Namecheap was very bad on this a few years ago. I do not know if they have changed their system or not. Through a lot of trial and error, I was able to figure out their DNS is populated via a read-through cache to their primary datastore, and the cache had something like a 300 second validity period. A failed DNS-01 challenge would get a record stuck in the cache for "300" seconds, and then into their nameservers for the 60 second TTL (or whatever). IIRC, the minimum safe window I found was waiting 362 seconds -- 61 seconds to timeout the DNS cache, and 301 seconds to timeout the backing datastore. For a large setup, this was unusable - so I migrated all those domains to an ACME-DNS instance.

Namecheap DID have a decent security minded API though - you could create a secondary account and delegate DNS to that. I don't think it had much granularity back then, but I would not be surprised if that improved. They were one of the few Registrars that allowed an API token to only handle DNS - and not give full control over all account functions, which was the status quo at the time. I actually used them for my own domains because of that feature alone, but then migrated to Cloudflare as acme-dns solved all my security and timeout needs.

4 Likes

Yeah, NameCheap is my current preferred registrar after moving away from GoDaddy a while ago. But I host DNS elsewhere. Their "minimum spend to get API access" thing also still bugs me.

4 Likes

Might be getting into the weeds, but perhaps we could come up with some sort of scoring/grading system for API security? Something like "API Security Score (0-5)" where 0 means your API credential is all powerful and there's nothing you can do about it and 5 means you can limit it to both specific zones and record types? It might not even need that many options.

5 Likes

How about starting with 0 = no API, everything needs to be done manually in a web UI or by creating tickets for customer service? Assigning -1 to that would also be ok for me :wink:

4 Likes

Hah, I didn't think those providers were allowed in this list at all. :stuck_out_tongue:

4 Likes

On the flipside I suppose 11 could be that the DNS reads your mind and predicts your needs with absolute integrity. :crystal_ball:

In all honesty though, I think you guys are onto something. This sounds a bit like the CVSS, but in reverse.

4 Likes

Thank you OP for this, my winning combo is Freenom + LuaDNS + acme.sh !

2 Likes