
Is it possible to configure without an NS record?

Open giorgiobazzo opened this issue 4 years ago • 11 comments

The interface on my domain controller doesn't have the option to add NS records. Is there any way around this?


I found an option to create subdomains. Could this solve it?


giorgiobazzo avatar Sep 18 '20 12:09 giorgiobazzo

You've two main scenarios:

  • use another DNS provider for polisoftware.com.br domain
  • use another domain to redirect any NS to acmedns, e.g. polisoftware-acme.com

In the second scenario, you can create CNAME like this: _acme-challenge.polisoftware-acme.com CNAME .polisoftware-acme.com

dereckson avatar Sep 21 '20 14:09 dereckson

I'm facing the same problem - my domain name registrar is my DNS nameserver, and they don't have the option of adding an NS record for a subdomain. I'm not an expert on DNS (far from it), so I'm just trying to wrap my head around my options.

I think I understand option 1: switch the root nameservers away from my domain registrar to a different provider that will let me create NS records for a subdomain.

I'm kind of lost on option 2. Could someone please elaborate?

Thanks

tal-zvon avatar Oct 29 '20 19:10 tal-zvon

I was trying to use this to automatically renew a letsencrypt wildcard certificate on an nginx server. If something like this is what you need, I have documented my solution in:

https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925/5

I ended up using the API available at https://auth.acme-dns.io/register so I don't need to create these records.

In the future I will switch to google dns and try to run the api on my own server.

giorgiobazzo avatar Oct 30 '20 00:10 giorgiobazzo

Cloudflare offers free DNS hosting and proxying, so they are quite easy to switch to, and they also offer NS records.

webprofusion-chrisc avatar Oct 30 '20 01:10 webprofusion-chrisc

Not easy to convince a company that owns 10 different domains that one of their domains needs to be hosted separately from the others, or that ALL of their domains need to move to a different provider, and then start a mass migration of DNS services. I'd rather not be responsible for that. I have enough on my plate.

I have successfully used auth.acme-dns.io during testing, but from what I understand, we're essentially giving auth.acme-dns.io the ability to verify that they own our domain, which means if they ever get hacked, the hackers can get issued valid certificates by a CA in our name. At that point, if they can figure out how to redirect traffic to our servers to their servers (MITM), they can give customers a valid certificate in our name, and show customers whatever website they want without any SSL cert warnings. Not ideal. Hard to convince a company to put that much trust in a different company, when we can run our own server with acme-dns on it. I'm just trying to figure out how to get it done with our current DNS provider's limitations.

tal-zvon avatar Oct 30 '20 14:10 tal-zvon

I agree with you @terminator14, in my case, domains are not used for e-commerce, payments or any type of application where these issues should be taken more seriously, so I'm a little relaxed about that for now. In another scenario, I think I would migrate the domains to a service that offers the necessary registrations, or look for another way to automate the renewal of wildcard certificates. There is also the possibility of not using wildcard certificates, where renewal automation is simpler and none of this is necessary.

giorgiobazzo avatar Oct 30 '20 18:10 giorgiobazzo

The way I understand it, @dereckson was suggesting to use a separate domain for the DNS delegation via NS records.

@giorgiobazzo could for example purchase the polisoftware-acme.com or any other domain and use nameservers that support NS records for that domain (cloudflare does, for example). Thus, the current DNS setup can remain largely in place. The domains that require the TLS certificates then point to polisoftware-acme.com via CNAME records. This avoids the significant trust issues that @tal-zvon correctly pointed out.

leggewie avatar Jan 16 '22 18:01 leggewie

I also have this problem, because our registrar also uses cpanel. (I can add any type of record, just not NS.)

I'm not a DNS expert. Is the need to add an NS record part of this tool's design, or is it a hard requirement in order to get the job done? In other words, is it possible that there is a similar acme dns tool somewhere that works in a different way, which does not need me to add an NS record?

lonix1 avatar Jun 14 '22 09:06 lonix1

@lonix1 if you are hosting acme-dns yourself you need an NS record somewhere to point to it so that the DNS queries reach the service.

You can use the free hosted version of acme-dns (https://auth.acme-dns.io/register mentioned in the project README) or something like Certify DNS (https://docs.certifytheweb.com/docs/dns/providers/certifydns) which is a (paid) service my company operates. The main advantage is simple setup and not having to host your own acme-dns server, the main disadvantage is you have to trust the service operator (not to disappear and not to auth their own certs for your domain).

webprofusion-chrisc avatar Jun 14 '22 09:06 webprofusion-chrisc
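Putting dereckson's two-domain layout and the NS requirement chrisc describes together: this added example (not acme-dns code and not from the thread) simulates, over constructed records, where a dns-01 TXT lookup for the real domain ends up, and shows that without the NS record on the delegation subdomain the query never reaches the acme-dns host. The names polisoftware.com.br and polisoftware-acme.com come from the thread; acmedns.polisoftware-acme.com, the d3f0c1a2 label, ns1.dns-provider.example and 203.0.113.10 are made-up placeholders.

```python
# Added example: trace where an ACME dns-01 TXT query lands with the CNAME +
# separate-delegation-domain layout. All records below are constructed.
RECORDS = {
    # Real domain at a registrar that cannot hold NS records: only a CNAME.
    "_acme-challenge.polisoftware.com.br.": ("CNAME", "d3f0c1a2.auth.polisoftware-acme.com."),
    # Separate delegation domain at a provider that does allow NS records.
    "polisoftware-acme.com.": ("NS", "ns1.dns-provider.example."),
    "auth.polisoftware-acme.com.": ("NS", "acmedns.polisoftware-acme.com."),
    "acmedns.polisoftware-acme.com.": ("A", "203.0.113.10"),
}
ACME_DNS_HOST = "acmedns.polisoftware-acme.com."  # placeholder acme-dns server

def follow_cnames(name, records, max_hops=8):
    """Return the canonical name reached by following CNAMEs, rejecting loops."""
    seen = set()
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None or rec[0] != "CNAME":
            return name
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = rec[1]
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def authoritative_ns(name, records):
    """Walk up the labels of `name` and return (zone, nameserver) for the
    closest enclosing NS delegation, or (None, None) if there is none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        rec = records.get(zone)
        if rec is not None and rec[0] == "NS":
            return zone, rec[1]
    return None, None

def challenge_reaches_acme_dns(name, records, acme_dns_host=ACME_DNS_HOST):
    """True when the TXT query for `name` is answered by the acme-dns server.
    Whichever nameserver authoritative_ns returns is the party able to pass
    the challenge, i.e. the one being trusted with issuance for `name`."""
    _, ns = authoritative_ns(follow_cnames(name, records), records)
    return ns == acme_dns_host

if __name__ == "__main__":
    print(challenge_reaches_acme_dns("_acme-challenge.polisoftware.com.br.", RECORDS))
    without_ns = {k: v for k, v in RECORDS.items() if k != "auth.polisoftware-acme.com."}
    print(challenge_reaches_acme_dns("_acme-challenge.polisoftware.com.br.", without_ns))
```

With the NS record present the query is answered by the acme-dns host; drop it and the same query stops at the delegation domain's regular provider, which knows nothing about the challenge TXT.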

Thanks for explaining that an NS record is an absolute must. Now I understand.

Though I now realise I'm going in circles. I wanted to use this tool because my registrar/DNS is rubbish (and so I can't use certbot's dns-01 challenge feature). But to use this tool, I need to be able to set an NS record with my registrar, which I can't do... because it's rubbish. :-)

lonix1 avatar Jun 14 '22 09:06 lonix1

@lonix1 cloudflare is quite good (and free) for DNS hosting - they are easy to move your DNS to without changing the registrar, then you can automate using any acme client.

webprofusion-chrisc avatar Jun 14 '22 13:06 webprofusion-chrisc