I'd like to share with you some software I have been writing, and on which I would love feedback! Let me know what you think about the idea or if yo take it for a ride.
Excerpt from the Readme
Agnos is a single-binary program allowing you to easily obtain certificates (including wildcards) from Let's Encrypt using DNS-01 challenges. It answers Let's Encrypt DNS queries on its own, bypassing the need for API calls to your DNS provider.
Agnos leverages let's encrypt capability to follow DNS
NS records. It requires you to add to your DNS zone:
AAAA) record pointing to the public facing IP address of the server on which agnos will run. On this server, UDP port 53 (the one used by DNS) should be open and free.
- For each domain you will want to validate, a
NS record for the corresponding
_acme-challenge sub-domain, indicating that agnos should be used as a name server for this specific domain.
Interesting idea, so my interpretation is this is an ACME client which is also a dynamic DNS service and you point your _acme-challenge records as NS to the same system running the acme client? This seems somewhat similar to the dynamic http listeners some clients use for self-hosted http challenges, but going via DNS instead.
You'll probably already know about acme-dns, which is a dynamic challenge response service but with an extra API layer so your acme client and the dns service are not co-hosted. I built a cloud version of that for my customers but it still requires the standard acme-dns API flow.
DNS challenge validation is indeed a fundamental problem, great to see new ideas!
Wow, thanks for putting it so well.
You are exactly right! The idea is indeed very similar to
acme-dns but "simpler". In a way
acme-dns but for a couple of users (me and two friends are sharing a dedicated server), with all the configuration in one place. (I even tried to put the private keys as strings in the config file at some point.)
For those interested, acme-dns: GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Keep in mind RFC7766:
This document therefore updates the core DNS protocol specifications
such that support for TCP is henceforth a REQUIRED part of a full DNS
In particular, Let's Encrypt's DNS resolver will try to connect over TCP in a number of cases.
Damn. Thanks for letting me know, I'll implement that as well.
This is my first time trying to read Rust, but I suspect there may be other DNS specs that aren't being followed as well, that might make this not work in some cases. In particular, I'm not sure how well this handles EDNS, DNSSEC, or other "newer" things like that. DNS is much more complicated than it seems like it should be. It may be, though, that this is good enough for many use cases, and I'm excited to see more DNS-based challenge client options out there.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.