I'd like to share with you some software I have been writing, and on which I would love feedback! Let me know what you think about the idea or if you take it for a ride.
Excerpt from the Readme
Agnos is a single-binary program allowing you to easily obtain certificates (including wildcards) from Let's Encrypt using DNS-01 challenges. It answers Let's Encrypt DNS queries on its own, bypassing the need for API calls to your DNS provider.
Agnos leverages Let's Encrypt's capability to follow DNS NS records. It requires you to add to your DNS zone:
An A (or AAAA) record pointing to the public-facing IP address of the server on which agnos will run. On this server, UDP port 53 (the one used by DNS) should be open and free.
For each domain you will want to validate, an NS record for the corresponding _acme-challenge sub-domain, indicating that agnos should be used as a name server for this specific domain.
Interesting idea, so my interpretation is this is an ACME client which is also a dynamic DNS service and you point your _acme-challenge records as NS to the same system running the acme client? This seems somewhat similar to the dynamic http listeners some clients use for self-hosted http challenges, but going via DNS instead.
You'll probably already know about acme-dns, which is a dynamic challenge response service but with an extra API layer so your acme client and the dns service are not co-hosted. I built a cloud version of that for my customers but it still requires the standard acme-dns API flow.
DNS challenge validation is indeed a fundamental problem, great to see new ideas!
You are exactly right! The idea is indeed very similar to acme-dns but "simpler". In a way agnos is acme-dns but for a couple of users (me and two friends are sharing a dedicated server), with all the configuration in one place. (I even tried to put the private keys as strings in the config file at some point.)
This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation.
In particular, Let's Encrypt's DNS resolver will try to connect over TCP in a number of cases.
This is my first time trying to read Rust, but I suspect there may be other DNS specs that aren't being followed as well, that might make this not work in some cases. In particular, I'm not sure how well this handles EDNS, DNSSEC, or other "newer" things like that. DNS is much more complicated than it seems like it should be. It may be, though, that this is good enough for many use cases, and I'm excited to see more DNS-based challenge client options out there.
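As an added example (not agnos's code, and not from anyone in this thread), here is a minimal Python DNS TXT client built only on the standard library that checks the setup described in the Readme excerpt and the TCP point raised above: it asks the name server delegated for _acme-challenge.<domain> for its TXT record over UDP and then over TCP with the RFC 7766 length-prefix framing. The server IP and domain name are placeholders the caller supplies.

```python
import socket
import struct
# Added example, not part of agnos: a minimal standard-library DNS TXT client
# to check that the server delegated for _acme-challenge.<domain> answers over
# UDP and over TCP (RFC 7766). Addresses and names are caller-supplied placeholders.
TXT = 16  # RR type carrying the ACME DNS-01 token

def build_query(name, txid=0x1234):
    """Encode a DNS query for TXT <name>, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", TXT, 1)

def _skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:    # labels until root (0) or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)    # a compression pointer is 2 bytes

def parse_txt_answers(msg):
    """Return all TXT strings in the answer section, or [] on an error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                     # NXDOMAIN, REFUSED, SERVFAIL, ...
        return []
    off, out = 12, []
    for _ in range(qd):                    # question: name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, i, off = msg[off + 10:off + 10 + rdlen], 0, off + 10 + rdlen
        while rtype == TXT and i < rdlen:  # TXT rdata is <len><chars> runs
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode())
            i += 1 + rdata[i]
    return out

def query_txt(server_ip, name, use_tcp, timeout=3.0):
    """Query server_ip for TXT <name> over TCP or UDP; return the strings."""
    q = build_query(name)
    if use_tcp:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q)  # RFC 7766 length prefix
            f = s.makefile("rb")           # read exactly the framed reply
            data = f.read(struct.unpack(">H", f.read(2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server_ip, 53))
            data = s.recv(4096)
    return parse_txt_answers(data)
```

Running `query_txt(ip, "_acme-challenge.example.com", use_tcp=True)` against the agnos host and comparing it with the UDP result shows whether the server meets the TCP requirement the quoted RFC text describes.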