original post: DNS providers who easily integrate with Let's Encrypt DNS validation
I was experimenting with different free DNS hosting providers that have API support, and below are my test results.
Requirement: I want to CNAME _acme-challenge to a separate zone (e.g. _acme-challenge.test.example.com CNAMEd to _acme-challenge.test.acme-dns01.example.com, where acme-dns01.example.com is a delegated zone), so that I can scope the API key to this zone only.
ref: A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation | Electronic Frontier Foundation
The API key cannot be scoped. As long as you have the key you have full access to ALL resources, not limited to DNS. To mitigate this you would need to create a new account specifically for acme-dns01.example.com. However, even doing so still does not prevent a malicious user who has the key from creating resources under this new account.
You simply cannot add the subdomain acme-dns01.example.com to Cloudflare. It only allows you to add the root domain example.com. Being unable to delegate the subdomain means you cannot scope the API key to limit your ACME client's access. The API key will have access to your full zone, which you want to avoid. (And in this case you would not need to CNAME _acme-challenge either.)
(Note: Subdomain Zones (LTZ) are only available on the Enterprise plan, for which you need to contact sales, and there is no standard pricing.)
It meets all the requirements. You can create a delegated subdomain, and the API key can be scoped too; however, the documentation on how to create and scope the API key is insufficient, and there is no documentation at all on how to destroy the key. In the end I had to go directly to the API catalog to find the API required to destroy the key.
It also meets all the requirements. Easy to use. I would give it almost full marks. There are still areas for improvement, but these are not blockers.
- You need the key ID to use the API; however, the key ID can only be found in the confirmation dialog shown when you press the "Delete" button. (Of course you cancel the delete dialog after noting the key ID.)
- Scoping the API key requires direct API access, which means you need to create another API key and grant it the "Manage Tokens" privilege. You then use this "uber API key" to call the key-scoping API to scope the API key you will use in your ACME client.
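As an added illustration of the requirement stated at the top of the post (the CNAME from _acme-challenge into a delegated zone, with an API key scoped to that zone only), here is a small self-contained Python model of what the CA's validation and the scoped client write look like. This is example code written for this page, not code from the original post or from any DNS provider's API. The records, the account JWK coordinates, the token and the `api_write_txt` function standing in for a provider's zone-scoped API are all constructed assumptions; the TXT value computation (JWK thumbprint, key authorization, SHA-256, unpadded base64url) follows RFC 7638 and RFC 8555 section 8.4.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME (RFC 8555 section 7.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content the CA expects for dns-01 (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


class ScopeError(PermissionError):
    """Raised when a zone-scoped key is used outside its zone."""


def api_write_txt(records: dict, key_scope: str, name: str, value: str) -> None:
    """Hypothetical stand-in for a provider API call made with a zone-scoped key.

    A key scoped to acme-dns01.example.com. may only write names at or under
    that zone; anything in the production zone is refused.
    """
    if not (name == key_scope or name.endswith("." + key_scope)):
        raise ScopeError(f"key scoped to {key_scope} cannot write {name}")
    records.setdefault(name, []).append(("TXT", value))


def lookup_txt(records: dict, name: str, max_cnames: int = 8) -> list:
    """Follow CNAMEs the way a validating resolver would, then return TXT values."""
    seen = set()
    while True:
        rrs = records.get(name, [])
        cnames = [target for rtype, target in rrs if rtype == "CNAME"]
        if not cnames:
            return [v for rtype, v in rrs if rtype == "TXT"]
        if name in seen or len(seen) >= max_cnames:
            raise RuntimeError("CNAME loop or chain too long")
        seen.add(name)
        name = cnames[0]


def validate_dns01(records: dict, identifier: str, token: str, jwk: dict) -> bool:
    """Does any TXT reachable from _acme-challenge.<identifier> match the expected value?"""
    return dns01_txt_value(token, jwk) in lookup_txt(records, f"_acme-challenge.{identifier}.")


# Constructed sample data (not from the original post).
# Production zone: only the CNAME that points into the delegated zone.
PRODUCTION_ZONE = {
    "_acme-challenge.test.example.com.": [
        ("CNAME", "_acme-challenge.test.acme-dns01.example.com."),
    ],
}
# The ACME client's key may only touch the delegated zone.
ACME_KEY_SCOPE = "acme-dns01.example.com."
# Constructed account key; x/y are placeholders, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def run_demo() -> bool:
    """Client writes the TXT into the delegated zone with its scoped key; CA validates."""
    dns = dict(PRODUCTION_ZONE)
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    api_write_txt(dns, ACME_KEY_SCOPE, "_acme-challenge.test.acme-dns01.example.com.", value)
    return validate_dns01(dns, "test.example.com", TOKEN, ACCOUNT_JWK)


if __name__ == "__main__":
    print("validation succeeded:", run_demo())
```

The point the model makes is that the CA never cares where the TXT physically lives: it follows the CNAME, so the client only ever needs write access to the delegated zone, and a key scoped there cannot touch the production zone at all (the `ScopeError` branch). With a real provider, replace `api_write_txt` with the provider's record API called using the scoped key.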