
What I've done is delegate (NS record) only the subdomain _acme-challenge to a standalone DNS-zone the webserver has write access to. This way it cannot escalate to changing root A/MX.


Oh that is really smart. Is there a way to build a simple DNS server into a certbot (or other client) plugin? That DNS server doesn't really have to be available outside of the verification time window.

DNS validation has been a thorn in my side for a while. Not only do I use DNS hosts that don't have APIs (like Google Domains), I also don't really want to give every web server access to my entire zone. That seems like a huge attack surface.


I already had Bind on the machine so it was logical to add the zone there and utilize nsupdate: https://gist.github.com/kronthto/893715f12cc0b1cda9fcfdbd8dc...

But what you are suggesting should work just fine as well - there should be no need for a persistent service. Of course the service would need to run on port 53, so you actually cannot have another nameserver on that machine already, and it also requires CAP_NET_BIND_SERVICE.

A quick search led me to this python project that could be an inspiration: https://github.com/pawitp/acme-dns-server
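A minimal authoritative responder of the kind suggested above (a DNS server that only answers TXT queries for the delegated `_acme-challenge` zone and refuses everything else), written here as an added illustration and not taken from the gist or from the projects linked in this thread; the zone name, token and port are constructed assumptions.

```python
import socket
import struct
# Constructed: the delegated zone (target of the parent's NS record) and the tokens an ACME client publishes there.
ZONE = "_acme-challenge.example.com."
TXT_RECORDS = {}  # lower-case FQDN -> validation token

def encode_name(name):
    """Wire-format a domain name as RFC 1035 labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_qname(packet, offset=12):
    """Decode the question name at `offset`; return (fqdn, offset after it)."""
    labels = []
    while packet[offset]:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset + 1

def build_query(name, qtype=16, txid=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query):
    """Answer TXT/ANY queries inside ZONE only; anything else gets REFUSED."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = parse_qname(query)
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    question = query[12:end + 4]
    name = qname.lower()
    if (name != ZONE and not name.endswith("." + ZONE)) or qtype not in (16, 255):
        return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + question  # QR, rcode REFUSED
    token = TXT_RECORDS.get(name)
    if token is None:
        return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 0, 0) + question  # QR+AA, NXDOMAIN
    rdata = bytes([len(token)]) + token.encode("ascii")  # a single <character-string>
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata  # TXT IN TTL 60
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + answer  # QR+AA, NOERROR

def serve(host="0.0.0.0", port=53):
    """Serve UDP queries; binding port 53 needs root or CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            query, addr = sock.recvfrom(512)
            try:
                sock.sendto(build_response(query), addr)
            except (IndexError, UnicodeDecodeError, struct.error):
                pass  # malformed or truncated query: drop it silently
```

Because the process can only ever answer for names under the delegated zone, a compromise of the web server that runs it cannot publish records for the parent domain, which is the point made in the parent comment.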


I run this one: https://github.com/joohoi/acme-dns . It's super simple and has a REST API for updating records.


Me too, but I enabled nsupdate on that zone, while I wanted to keep my first-level domain safe.



