On 22/06/2021 12:33, Jan-Piet Mens via Pdns-users wrote:
>> For the Letsencrypt protocol to generate a certificate I have to enable zone
>> transfer in my powerdns.
> I think you mean "DNS Updates" for Let's Encrypt dns-01, but I don't
> believe these are possible in PowerDNS with the LDAP backend.
Possibly, although the OP was specifically testing AXFR.
Regarding the separate issue of DNS updates, the way I deal with this is:
1. I run a separate nameserver for Letsencrypt use only (say
"acme-ns.example.net")
2. For every domain I want a cert for (say "foo.example.com"), I
statically add an NS record in my main DNS, pointing at that server:
_acme-challenge.foo.example.com. NS acme-ns.example.net.
3. I create empty zone "_acme-challenge.foo.example.com" on
"acme-ns.example.net", with a random TSIG secret for DNS updates.
4. I give that secret to the server that wants to obtain a certificate.
It doesn't actually matter what nameserver you use for
acme-ns.example.net, because the data stored within it is completely
transitory. Even something with a RAM backend would be fine. I happen
to use bind9 because it was easy to set up; I didn't want to use a
database, and the powerdns bind backend doesn't support DNS updates
<https://doc.powerdns.com/authoritative/dnsupdate.html>.
With this approach, there's no risk that the target server could ever
modify any record in the production DNS, accidentally or maliciously.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
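The four steps above, written out as an added example that is not the poster's own setup: shell helpers that emit the static delegation record, the BIND9 stanza for the ACME-only server (with an update-policy narrowed to TXT records, so the key cannot touch anything else even on that server) and the batch that the requester pipes into nsupdate. The nameserver name, the TSIG key name and the file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the post. Assumed names: the ACME-only
# nameserver "acme-ns.example.net", the TSIG key name "acme-foo" and the
# file paths used below.
set -eu

ACME_NS="acme-ns.example.net"
KEY_NAME="acme-foo"

# Step 2: the static delegation to add in the production zone.
delegation_record() {
  printf '_acme-challenge.%s. IN NS %s.\n' "$1" "$ACME_NS"
}

# Step 3: named.conf fragment for the ACME-only BIND9 server. Generate the
# secret with:  tsig-keygen -a hmac-sha256 acme-foo
# The zone file only needs an SOA and an NS record pointing at $ACME_NS.
# "zonesub TXT" lets the key add or delete TXT records inside this zone
# and nothing else, so a leaked key cannot alter other records either.
named_conf_fragment() {
  local zone="$1" secret="$2"
  cat <<EOF
key "${KEY_NAME}" {
    algorithm hmac-sha256;
    secret "${secret}";
};
zone "${zone}" {
    type primary;
    file "/var/lib/bind/db.${zone}";
    update-policy { grant ${KEY_NAME} zonesub TXT; };
};
EOF
}

# Step 4: the batch the certificate requester feeds to nsupdate(8). For
# dns-01 the validation TXT lives at the apex of the delegated zone, so the
# record name equals the zone name. action is "add" or "delete".
nsupdate_batch() {
  local action="$1" zone="$2" token="$3"
  printf 'server %s\nzone %s.\nupdate %s %s. 60 IN TXT "%s"\nsend\n' \
    "$ACME_NS" "$zone" "$action" "$zone" "$token"
}

# On the requester, with /etc/acme/foo.key holding the tsig-keygen output:
#   nsupdate_batch add _acme-challenge.foo.example.com "$TOKEN" \
#     | nsupdate -k /etc/acme/foo.key
```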