This has been answered to some varying degrees in some specific questions around the forum where people confuse Google Domains DNS with the Google Cloud DNS, but I figured I’d ask more generally and to the point.
Does anyone know of any kind of API or program for domains registered with “domains.google.com” to do the DNS queries that would be reqired soon for the wildcard certificates under ACMEv2?
I’m aware that you can manually enter the DNS challenges as TXT records, but I believe that you need to update those whenever your certificate expires, meaning that I would have to go in rather often and change the challenge strings. I’d also like to avoid setting up my own DNS server to handle these requests.
I’m afraid that Google Domains does not yet support API that allows you to automate or modify existing dns records on the domain’s settings. However, if you’re referring on adding TXT records from ACME v2, you may follow the steps below:
Login to Google Domains page.
Click DNS tab.
Scroll down to Custom resource records.
Add these records for TXT records.
Type: Select TXT
Data: Txt records from ACME v2.
Please note that for DNS changes to take effect, it may take a propagation period of several minutes or up to 24-48 hours across the entire internet.
For further questions, feel free to reply to this email or visit the Google Domains contact us page.
I suppose that completely nerfs the possibility of having wildcard certs without manually entering the TXT records. I’m switching away from Google Domains, and I would recommend anyone else who wants automated DNS challenges or wildcard certificates to do the same.
That said, one can set up their own DNS server and then use that to do the challenges, but it’s something that I believe the DNS provider should handle with an API, honestly. Much less work for the end user.
This is most disappointing. I switched to Google Domains due to perceived confidence and trust in the Google brand and platform. I will move my domains elsewhere, where I can depend on a full feature set of API backed asset configuration tools.
It's actually not good for the end user, because these APIs rarely have safe permissions and ACLs. Most DNS APIs will allow the token to update A/MX records; many will even allow the token to transfer the domain away. This makes automatic renewal incredibly unsafe, as a compromised server would expose the plaintext token.
That’s actually how I ended up doing it - I set up a delegated nameserver running bind9 and just did a cname.
Still, for the basic user, any kind of API would be nice. It’s not the most simple thing to set up your own DNS server for some users. I would even go so far as to say that a limited API that just integrates with LetsEncrypt and doesn’t let you do anything else would be good enough for the purpose, and not changing every kind of record that exists (so limit API access to just the acme_challenge TXT record).
It’s also worth mentioning that some ISP’s prohibit running your own DNS server. Not as many as it used to be, but still. Some ISP’s are afraid of dumb users with amplification attacks.