
> Like? For what price?

If you own example.com, you can delegate to dnsauth.example.com for $0 (or simply the price of an Internet-facing machine that has DNS open).

Say you want a cert for www.example.com. LE will check for ownership by looking up _acme-challenge.www.example.com. Instead of having a TXT record with the nonce, _acme-challenge.www is actually a CNAME pointing to _acme-challenge.www.dnsauth, where the TXT nonce lives.

The DNS daemon that is authoritative for dnsauth can be the traditional BIND, or other software:

* https://github.com/joohoi/acme-dns

This is often called 'DNS alias' mode:

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
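The lookup described in that comment, as an added example that is not part of the thread: a small simulation of the CA-side check, in which `_acme-challenge.www.example.com` is a CNAME into the dnsauth zone and only that zone holds the TXT record. The zone contents and the account key are constructed sample data; the TXT value is computed the way RFC 8555 specifies for DNS-01 (base64url of the SHA-256 of the key authorization), so the example also shows why a stale record from an earlier issuance does not validate a new token.

```python
"""Simulate the DNS-01 lookup an ACME CA performs when the challenge name is a
CNAME into a delegated "dnsauth" zone.  Added example, not from the thread;
the zone contents are constructed and the account key is sample data."""
import base64
import hashlib
import json

MAX_CNAME_HOPS = 8  # resolvers cap chain length so a CNAME loop cannot hang validation


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexically sorted."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def resolve_txt(zone: dict, name: str) -> tuple:
    """Follow CNAMEs from `name`; return (final owner name, list of TXT values).

    `zone` maps an owner name to {"CNAME": target} or {"TXT": [values]}.
    """
    chain = []
    for _ in range(MAX_CNAME_HOPS):
        chain.append(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))


def validate_dns01(zone: dict, fqdn: str, token: str, jwk: dict) -> bool:
    """True when a TXT at the (possibly aliased) challenge name matches."""
    _owner, values = resolve_txt(zone, f"_acme-challenge.{fqdn}.")
    return dns01_txt_value(token, jwk) in values


# Sample account key (public part only; values are illustrative).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def build_sample_zone(token: str, jwk: dict = ACCOUNT_JWK) -> dict:
    """Constructed zone: example.com CNAMEs the challenge name into dnsauth,
    and only the dnsauth zone (the one the ACME client can write) holds TXT."""
    txt = dns01_txt_value(token, jwk)
    return {
        "_acme-challenge.www.example.com.": {"CNAME": "_acme-challenge.www.dnsauth.example.com."},
        "_acme-challenge.www.dnsauth.example.com.": {"TXT": [txt]},
        # Stale value from an earlier issuance: present, but must not validate a new token.
        "_acme-challenge.mail.example.com.": {"CNAME": "_acme-challenge.mail.dnsauth.example.com."},
        "_acme-challenge.mail.dnsauth.example.com.": {"TXT": [dns01_txt_value("old-token", jwk)]},
    }


if __name__ == "__main__":
    zone = build_sample_zone("tok-www")
    print("www.example.com:", validate_dns01(zone, "www.example.com", "tok-www", ACCOUNT_JWK))
    print("mail.example.com:", validate_dns01(zone, "mail.example.com", "tok-mail", ACCOUNT_JWK))
```

The point of the delegation is visible in `build_sample_zone`: the registrar-hosted zone only ever holds a static CNAME, so the credential the ACME client carries needs update rights on dnsauth and nothing else. Against a live setup, `dig +short CNAME _acme-challenge.www.example.com` followed by `dig +short TXT` on the target is the equivalent manual check.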



I did not ask "how", I wished to know who supports a DNS service like that and for what price.


> I did not ask "how", I wished to know who supports a DNS service like that and for what price.

And as I stated in the very first sentence, it is self-serve:

> If you own example.com, you can delegate to dnsauth.example.com for $0 (or simply the price of an Internet-facing machine that has DNS open).

We do this at work: our main registrar does not have a restricted API, so we have a sub-domain that lives on a DNS server in our DMZ. Internal ACME clients update the desired TXT records when asking LE for a cert.

The cost is the price for keeping a VM running and updated, which for us is minimal since it is on our private cloud.


Any DNS service which allows you to create a CNAME RR supports it. You delegate the subdomain to any DNS server you wish.

This isn't some special "Let's Encrypt DNS forwarding mode" that DNS providers have to explicitly support. It's simply part of "how DNS works".


> Any DNS service which allows you to create a CNAME RR supports it.

And which of those also have an API that is supported by Certbot?

I would really like names where a setup like this has been tested and works.


> And which of those also have an API that is supported by Certbot?

Certbot allows for hook scripts, and you can use a utility that can talk multiple APIs:

* https://github.com/AnalogJ/lexicon

> I would really like names where a setup like this has been tested and works.

The guy who runs BSDCan and PgCon uses it for his personal stuff as well as FreshPorts.org, etc:

* https://dan.langille.org/2017/05/31/creating-a-txt-only-nsup...

* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/

He used acme.sh, though I'm more partial to dehydrated:

* https://github.com/dehydrated-io/dehydrated/wiki/example-dns...

We use it at work, but I don't want to dox myself. :)
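A Certbot hook script of the kind mentioned above, as an added example that is not the thread's, Certbot's or any linked project's code: it writes the challenge TXT record into the delegated zone with `nsupdate` (the TXT-only nsupdate approach the linked langille.org post describes), so the registrar account is never touched. `BASE_ZONE`, `ALIAS_ZONE`, `DNS_SERVER` and the TSIG key path are assumed settings; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables Certbot sets for manual hooks.

```python
"""Certbot manual auth/cleanup hook for DNS alias mode, using nsupdate to write
the TXT record into the delegated zone.  Added example, not the thread's or
certbot's own code; BASE_ZONE, ALIAS_ZONE, DNS_SERVER and the key path are
assumed settings."""
import os
import re
import subprocess
import sys

BASE_ZONE = "example.com"               # zone at the registrar; the hook never writes here
ALIAS_ZONE = "dnsauth.example.com"      # delegated zone the hook is allowed to update
DNS_SERVER = "ns.dnsauth.example.com"   # authoritative server for ALIAS_ZONE (assumed)
TSIG_KEYFILE = "/etc/acme/dnsauth.key"  # TSIG key limited to ALIAS_ZONE (assumed path)
TTL = 60

# Certbot passes an unpadded base64url SHA-256 digest (43 chars); reject anything else
# rather than interpolate it into an nsupdate command.
VALIDATION_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def alias_record_name(domain, base_zone=BASE_ZONE, alias_zone=ALIAS_ZONE):
    """Owner name in the alias zone that _acme-challenge.<domain> must CNAME to,
    following the thread's convention:
    www.example.com -> _acme-challenge.www.dnsauth.example.com."""
    if domain == base_zone:
        relative = ""
    elif domain.endswith("." + base_zone):
        relative = domain[: -len(base_zone) - 1] + "."
    else:
        raise ValueError(f"{domain} is not under {base_zone}")
    return f"_acme-challenge.{relative}{alias_zone}."


def nsupdate_script(domain, validation, action, base_zone=BASE_ZONE,
                    alias_zone=ALIAS_ZONE, server=DNS_SERVER):
    """Build the nsupdate commands that add or delete the challenge TXT record."""
    if not VALIDATION_RE.match(validation):
        raise ValueError("unexpected CERTBOT_VALIDATION format")
    name = alias_record_name(domain, base_zone, alias_zone)
    if action == "add":
        change = f'update add {name} {TTL} IN TXT "{validation}"'
    elif action == "delete":
        change = f'update delete {name} IN TXT "{validation}"'
    else:
        raise ValueError(f"unknown action {action!r}")
    return f"server {server}\nzone {alias_zone}.\n{change}\nsend\n"


def main(action):
    """Entry point used by certbot; the same file serves as auth and cleanup hook."""
    script = nsupdate_script(os.environ["CERTBOT_DOMAIN"],
                             os.environ["CERTBOT_VALIDATION"], action)
    subprocess.run(["nsupdate", "-k", TSIG_KEYFILE], input=script, text=True, check=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "add")
```

Invoked as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/path/hook.py add" --manual-cleanup-hook "/path/hook.py delete" -d www.example.com`, with the CNAME from `_acme-challenge.www.example.com` to the alias name created once, by hand, at the registrar. The TSIG key should be restricted (via `update-policy` or `allow-update` on the server) to TXT records in the alias zone, which is the whole reason for the indirection: a compromised ACME host can then only write challenge records, not the production zone.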


The parent stated that you can run your own DNS server temporarily for the cost of the hardware to run the server and shut the DNS server off after the certificate has been issued. The cost is basically free.



