GoDaddy no longer allows API access to clients (e.g. for DNS-based cert renewal) if you have less than 50 domains

I have been using GoDaddy for a couple of domains and as I like to use a wildcard cert for the services I offer (to friends and family) I have set up renewal using the GoDaddy plugin for certbot.

GoDaddy sent its customers a mail on 30 April to say they would shut down access to the API unless you had 50 domains or more, then shut the access off on the 1st of May.

This means, I need a new DNS provider less ethically challenged than that so I can keep on autorenewing a wildcard cert for my domain.

I would like to receive tips from letsencrypt users on which DNS service is a good match for letsencrypt wildcard certificates and DNS-based renewal. And I need it rather quickly, thanks to GoDaddy, as I just found out that a cert that needed to renew failed to do so for the last 30 days and has now expired (luckily, for the most important service, it is the backup).

There's a Wiki thread started back in 2019, but it has seen recent edits, which you might be interested in:

Also, you might want to mention the ACME client you're using, because e.g. Certbot only has a limited number of officially included DNS plugins. That said, the third-party certbot-dns-multi DNS plugin uses the DNS integrations of the lego ACME client, and it has a LOT of them. With other ACME clients YMMV, e.g. acme.sh also has a lot of DNS integrations, but I don't know about other ACME clients.

Personally I only have experience with running my own BIND and using certbot-dns-rfc2136 or free Cloudflare DNS (without their CDN services, just DNS) using certbot-dns-cloudflare. Which works quite nicely for me.

It's also possible to run your own instance of acme-dns by the way, which some users use as it also makes the dns-01 challenge a little bit safer compared to the ACME client having access to an entire DNS zone.

3 Likes
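The acme-dns remark above (the dns-01 challenge being safer when the ACME client cannot write to the whole zone) comes down to where the validator looks for the TXT record. The following is an added example, not code from the original posts, acme-dns, Certbot or Let's Encrypt: it follows `_acme-challenge` CNAMEs the way a validator does and computes the dns-01 TXT value from RFC 8555. All names, the token and the thumbprint are constructed sample data, and lookups go to an in-memory dict rather than real DNS.

```python
"""Where a dns-01 validator looks for the challenge TXT record, and why a CNAME
to an acme-dns instance keeps zone credentials off the web server.

Added example for this thread, not code from acme-dns, Certbot or Let's Encrypt.
The record tables are constructed; lookups go to an in-memory dict instead of
real DNS, but the CNAME-following matches what a validator does.
"""
import base64
import hashlib

MAX_CNAME_HOPS = 8   # stop on loops or absurd chains instead of following forever


def follow_cnames(name, records):
    """Follow CNAMEs from name; return (final_name, chain_of_names_followed)."""
    chain = []
    for _ in range(MAX_CNAME_HOPS):
        target = records.get((name, "CNAME"))
        if target is None:
            return name, chain
        chain.append(name)
        name = target
    raise RuntimeError(f"CNAME chain too long or looping at {name}")


def challenge_txt_value(token, account_thumbprint):
    """dns-01 TXT content (RFC 8555 s8.4): base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def write_target(domain, records):
    """Name where the ACME client must put the TXT record (end of the CNAME chain).

    With a plain zone this is _acme-challenge.<domain>, so the client needs write
    access to the zone at the registrar/DNS host. With a CNAME into acme-dns it is
    a name inside the acme-dns zone, and the client only needs the acme-dns
    credentials for that single name.
    """
    final, _ = follow_cnames(f"_acme-challenge.{domain}", records)
    return final


def dns01_validate(domain, token, account_thumbprint, records):
    """Simulate the validator: TXT lookup at _acme-challenge.<domain>, following CNAMEs."""
    final, _ = follow_cnames(f"_acme-challenge.{domain}", records)
    return challenge_txt_value(token, account_thumbprint) in records.get((final, "TXT"), [])


# Constructed sample values (hypothetical token and account key thumbprint).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

# Setup 1: TXT lives in the domain's own zone -> client needs zone-write API rights.
DIRECT = {("_acme-challenge.example.nl", "TXT"): [challenge_txt_value(TOKEN, THUMBPRINT)]}

# Setup 2: _acme-challenge is a CNAME into a (hypothetical) acme-dns zone ->
# the client writes only there and never touches example.nl.
DELEGATED = {
    ("_acme-challenge.example.nl", "CNAME"): "deadbeef.acme-dns.example",
    ("deadbeef.acme-dns.example", "TXT"): [challenge_txt_value(TOKEN, THUMBPRINT)],
}

if __name__ == "__main__":
    for label, zone in (("direct", DIRECT), ("delegated", DELEGATED)):
        print(label, "-> client writes TXT at", write_target("example.nl", zone),
              "| validator accepts:", dns01_validate("example.nl", TOKEN, THUMBPRINT, zone))
```

In the delegated setup the only credential the renewal host holds is the acme-dns one for `deadbeef.acme-dns.example`; a compromise of that host cannot change MX, A or any other record of `example.nl`, which is the safety gain the post refers to.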

Well thank you. For me, the easiest would be to move to another registrar that included a DNS that integrates with letsencrypt (and I can of course migrate my remaining certbot using services to acme.sh or something else).

I definitely want to ditch GoDaddy. I mean, sending an email on 30 April shutting down access on 1 May is one of the worst behaviours I have ever experienced. So only changing a DNS provider and still paying GoDaddy is not an option.

1 Like

I don't have experience with their registrar product, but I believe Cloudflare is a DNS registrar too :)

But the thread I mentioned would provide enough options, I believe. Note that for many there are also third-party plugins available, but they're of course not guaranteed to be stable/maintained et cetera. You can check out their GitHub repos of course to see how well maintained they are. Note that a lack of recent commits doesn't necessarily mean the plugin/code is bad: it might be simple enough to be without bugs and issues.

2 Likes

You can also get a cheap IPv6-only VPS and host a DNS server there, BIND or joohoi/acme-dns on GitHub (a limited DNS server with a RESTful HTTP API to handle ACME DNS challenges easily and securely).

@saudiqbal But even then OP wants to change registrars. So if they do, they might as well choose a registrar with DNS zone API features that wouldn't necessitate running your own acme-dns instance (which probably is the safest).

1 Like

Cloudflare is supported and is also a registrar (wasn't clear from that other post). So, I'm moving there. Thanks all.

3 Likes

I just want to share a warning about Cloudflare as they are also a registrar - make sure to use an API key that is limited to the DNS settings only, so your API key can not be used to steal domains or otherwise control your account if there is a server compromise.

This is not a concern limited to Cloudflare, and they do offer some of the best security measures in the industry.

6 Likes

Had to give up on cloudflare. They don't support .nl domains.

@gctwnl there's no special reason to have your domain registrar also be your DNS host, it's just simpler to have it all managed by one organization.

For some countries (I'm in Australia) country-specific TLDs are largely limited to local registrars, but the local registrars' DNS facilities are very often outmatched by companies that specialize in DNS hosting.

4 Likes

My reason is that I don't want to pay GoDaddy while freeloading at Cloudflare

I am ending up at NameSilo. They do .nl registrations. Funny aspect: they have outsourced their actual DNS operations to Cloudflare.

2 Likes

Hm, good to know. Looks like they support almost no country TLDs. Weird. Won't recommend Cloudflare as a registrar any longer in the future.

1 Like

IIRC Cloudflare actually requires that your NS be at Cloudflare if they are your registrar.

4 Likes

Yes, they have slowly been adding ccTLDs and the new TLDs. I think they basically add TLDs as they negotiate terms with the TLD's registry. Keep in mind, Cloudflare provides registrar operations at their wholesale cost.

They only require that for onboarding/transfer-in. You can switch your NS afterwards if you want.

5 Likes

In addition: the steps I had to take to move with zero DNS downtime:

  1. Move the DNS from GoDaddy to Cloudflare (export from GD, import in CF, set the nameservers at GD to the CF ones)
  2. Transfer the domain from GD to NameSilo
  3. Edit the NameSilo domain records (it complains about the DNS not being used, but that can be ignored). No import here, but has to be done by hand.
  4. Set the nameservers to the ones from NameSilo
  5. Now the NS at Cloudflare can be removed (or kept as backup)

After that, you have moved domain+DNS from GoDaddy to NameSilo without your domain ever telling the world wrong things via DNS (e.g. not having MX records, or DMARC settings).

1 Like

I don't think that's right. At the very least it's wrong for free-tier accounts.

Their "Custom Nameservers" option just seems to be a way to put vanity names on the assigned Cloudflare nameservers and requires a paid Business or Enterprise account.

The linked docs also imply you can use your own primaries as long as Cloudflare is the secondary. But that's also restricted to Enterprise accounts and seems to come with other caveats.

7 Likes

Sure but my point was anyone (in this case someone who supports .nl) can be your registrar, e.g. you don't have to host your DNS with your registrar (as many/most people do).

2 Likes

This is incorrect. Cloudflare registrar offers at-cost domain registration as an exclusive benefit for domains that use Cloudflare nameservers. You can delegate child zones to other nameservers, but the apex zone must use Cloudflare nameservers. Changing them requires transferring the domain to another registrar. Transfer cannot be initiated during the sixty day transfer-lock period.

5 Likes

Whoa, you are right, at least now. I had several domains registered through Cloudflare but not on their DNS, and that seems to have been allowed by either a bug or a policy change. Changing nameservers now requires a Business plan on that account.

4 Likes