Support for provider: Self hosted DNS API

Open mimi89999 opened this issue 3 years ago • 4 comments

Welcome

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, the DNS provider exposes a public API.
  • [X] Yes, I know that the lego maintainers don't have an account in all DNS providers in the world.
  • [ ] Yes, I'm able to create a pull request and be able to maintain the implementation.
  • [X] Yes, I'm able to test an implementation if someone creates a pull request to add the support of this DNS provider.

How do you use lego?

Binary

Link to the DNS provider

https://github.com/xivlo-sysadmins/dns-api

Link to the API documentation

https://github.com/xivlo-sysadmins/dns-api

Additional Notes

Hello,

I wrote this simple DNS API https://github.com/xivlo-sysadmins/dns-api with a Certbot plugin because of the limitations of RFC2136. I couldn't find any good existing API for that. If there is already an API other than RFC2136 for that, I can modify my server to use it.

mimi89999 avatar Feb 22 '22 08:02 mimi89999

> because of the limitations of RFC2136

Hello, what are those limitations?

ldez avatar Feb 24 '22 02:02 ldez

> because of the limitations of RFC2136
>
> Hello, what are those limitations?

Mainly that it doesn't allow restricting a client to a single subdomain without requiring the creation of a separate zone. The DNS server must also support RFC2136.

mimi89999 avatar Feb 25 '22 09:02 mimi89999

Have you looked into seeing if vinyldns might be a solution for your use case? It's a governance and API layer that can sit on top of an existing BIND setup, for example.

jhg03a avatar Feb 26 '22 06:02 jhg03a

> because of the limitations of RFC2136
>
> Hello, what are those limitations?
>
> Mainly that it doesn't allow restricting a client to a single subdomain without requiring the creation of a separate zone. The DNS server must also support RFC2136.

bind9 supports RFC2136, and allows this:

update-policy {
    grant certbot. name _acme-challenge.www.example.tld. txt;
};

restricting users of the "certbot." TSIG key to the www subdomain, as I understand it.

Also, if you're writing your own API, why not make the API compatible with one of the existing lego plugins? Just use one where you can change the endpoint address via a configuration option, like checkdomain, or dnsimple, or easydns, .... Or use the exec plugin with your own client shell script.

csarn avatar Jan 25 '24 11:01 csarn
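The two suggestions in the last comment (a TSIG key that BIND's `update-policy` confines to one `_acme-challenge` name, and lego's exec plugin driven by a shell script) fit together. The script below is an added example written for this thread; it is not code from lego, BIND or the xivlo-sysadmins/dns-api project. It assumes lego's exec provider in its default mode, which calls the program as `present <fqdn> <value>` and `cleanup <fqdn> <value>` (check the exec provider documentation for your lego version), and it assumes the environment variable names, the key file path and the zone shown in the comments, all of which are hypothetical. The `ALLOWED_FQDN` check is a client-side mirror of the server's `grant certbot. name _acme-challenge.www.example.tld. txt;` rule: the server is what actually enforces least privilege, the script just fails fast and legibly when lego asks for a name the key was never granted.

```shell
#!/bin/sh
# Added example for this thread, not code from lego or xivlo-sysadmins/dns-api:
# a client script for lego's "exec" DNS provider that turns the
# present/cleanup calls into an RFC2136 dynamic update fed to nsupdate,
# signed with a TSIG key that BIND's update-policy limits to a single name.
#
# Assumed environment (hypothetical defaults; override for your setup):
#   DNS_SERVER    server that accepts the dynamic update
#   DNS_ZONE      zone containing the challenge record
#   TSIG_KEYFILE  key file generated with tsig-keygen
#   ALLOWED_FQDN  the one name the key is granted on the server
#
# Assumed call convention (lego exec provider, default mode):
#   <script> present <fqdn> <value>
#   <script> cleanup <fqdn> <value>

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
DNS_ZONE="${DNS_ZONE:-example.tld.}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/lego/certbot.key}"
ALLOWED_FQDN="${ALLOWED_FQDN:-_acme-challenge.www.example.tld.}"

# Normalise a name to lower-case, fully qualified with a trailing dot.
normalize_name() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$n" in
        *.) printf '%s' "$n" ;;
        *)  printf '%s.' "$n" ;;
    esac
}

# Client-side mirror of the server's "grant <key> name <fqdn> txt" rule:
# exact-name match only, so a misconfigured lego run stops here instead of
# producing a REFUSED from the server.
name_allowed() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$ALLOWED_FQDN")" ]
}

# Build the nsupdate command stream for adding or deleting one TXT record.
# Printed rather than executed so it can be inspected (and tested) offline.
build_nsupdate_script() {
    action="$1"; fqdn=$(normalize_name "$2"); value="$3"
    case "$action" in
        present) op="add" ;;
        cleanup) op="delete" ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    # The TXT value is double-quoted for nsupdate; refuse embedded quotes
    # rather than attempting to escape them.
    case "$value" in
        *'"'*) echo "refusing value containing a double quote" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\n' "$DNS_ZONE"
    if [ "$op" = add ]; then
        printf 'update add %s 60 TXT "%s"\n' "$fqdn" "$value"
    else
        printf 'update delete %s TXT "%s"\n' "$fqdn" "$value"
    fi
    printf 'send\n'
}

# Entry point used by lego: validate the name, then hand the update to nsupdate.
main() {
    action="$1"; fqdn="$2"; value="$3"
    if ! name_allowed "$fqdn"; then
        echo "refusing update for $fqdn: only $ALLOWED_FQDN is permitted" >&2
        return 2
    fi
    script=$(build_nsupdate_script "$action" "$fqdn" "$value") || return $?
    printf '%s\n' "$script" | nsupdate -k "$TSIG_KEYFILE"
}

# Only run main when invoked with arguments, so the functions can be
# sourced and exercised without touching a DNS server.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Point lego at the script with `EXEC_PATH=/path/to/this-script.sh` and use `--dns exec`; the key file is the output of `tsig-keygen certbot` installed on both the BIND server (referenced from the `update-policy` stanza) and the lego host (path assumed above). Because the server-side grant names exactly one record and one type, a leaked key can at worst write that single TXT record, which is the property the separate-zone workaround was trying to obtain.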