I have a server in DigitalOcean which is running the Burp Collaborator service. The main function this service provides is that it responds to and logs DNS requests made to a wildcard domain.

In my case, the domain is like mycollabserver.com and Collaborator responds to any DNS, HTTP, or HTTPS request made to *.burp.mycollabserver.com. I would like to generate a wildcard certificate so I can make requests to https://*.burp.mycollabserver.com. I understand that the only challenge available to me is DNS-01. This is proving difficult because the root domain has an NS record which points to the server so it can log DNS requests.
The 2 options I see for cert renewal are:

- Create a script which runs before validation to:
  - Programmatically delete the NS record
  - Wait for the change to propagate
  - Do the DNS challenge
  - Add back the NS record
- Run a DNS server "in front" of Collaborator which does conditional forwarding. Any request for _acme-challenge* gets forwarded to ns1.digitalocean.com. All other requests are forwarded to Collaborator.
  - I have not been able to track down an example of how to do conditional forwarding based on the query (and not the domain) in any DNS server like bind or dnsmasq.
Are there other options for me? Will one of these work better than the other?
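The second option in the question, a forwarder that routes by query name, is small enough to show end to end. The following is an added example, not part of the question and not Burp or DigitalOcean code: a minimal UDP DNS proxy that parses the question name from the wire format, sends names whose first label is `_acme-challenge` to one upstream and everything else to the Collaborator listener. The upstream addresses are placeholders (an assumed resolved IP for the DigitalOcean nameserver, and Collaborator assumed to be bound to a non-53 port on localhost); the `build_query` helper only constructs sample packets so the routing can be exercised offline.

```python
import socket

# Placeholder upstreams (assumptions for this example, not values from the question):
# ACME_UPSTREAM stands in for the resolved address of the DNS host's nameserver,
# COLLAB_UPSTREAM for Collaborator's DNS listener moved off port 53 on the same box.
ACME_UPSTREAM = ("203.0.113.10", 53)
COLLAB_UPSTREAM = ("127.0.0.1", 5353)
ACME_LABEL = "_acme-challenge"


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS message, lower-cased, dot-joined."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = int.from_bytes(packet[4:6], "big")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12  # question section starts right after the 12-byte header
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers are not valid in a query's QNAME
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def choose_upstream(qname: str):
    """Route _acme-challenge.<anything> to the ACME upstream; all else to Collaborator."""
    first_label = qname.split(".")[0]
    if first_label == ACME_LABEL:
        return ACME_UPSTREAM
    return COLLAB_UPSTREAM


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a standard query (QTYPE TXT, QCLASS IN); used for offline testing only."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    name = b"".join(len(lbl).to_bytes(1, "big") + lbl.encode("ascii")
                    for lbl in qname.split("."))
    return header + name + b"\x00" + b"\x00\x10" + b"\x00\x01"


def forward(packet: bytes, upstream, timeout: float = 3.0) -> bytes:
    """Send the raw query to one upstream over UDP and return its raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, upstream)
        reply, _ = sock.recvfrom(4096)
        return reply


def serve(listen=("0.0.0.0", 53)):
    """Listen on the public DNS port and relay each query to the chosen upstream."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            packet, client = srv.recvfrom(4096)
            try:
                upstream = choose_upstream(parse_qname(packet))
                srv.sendto(forward(packet, upstream), client)
            except (ValueError, socket.timeout):
                continue  # drop malformed queries and unanswered forwards


if __name__ == "__main__":
    serve()
```

Two caveats for using something like this in front of Collaborator: it handles UDP only, so a resolver that retries over TCP for a large answer would get nothing, and because the match is on the first label rather than the whole name, a Collaborator interaction whose payload happens to start with `_acme-challenge` would be diverted to the other upstream and not logged.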