[dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
[I believe I've checked the available documentation, and found
nothing. Sorry, if I missed it.]

My dnsdist setup (DoT and DoH) uses a CAcert certificate and it works
fine. Now, I would like to move to Let's Encrypt but I do not see how
to make it work from dnsdist.

HTTP challenges? I don't think there is an ACME client in dnsdist.

DNS challenges? I don't really want to switch my zones to a dynamic
setup.

Is there an obvious solution I've missed?
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Andrew Nimmo

> On 15 Sep 2019, at 10:40, Stephane Bortzmeyer  wrote:
> 
> [I believe I've checked the available documentation, and found
> nothing. Sorry, if I missed it.]
> 
> My dnsdist setup (DoT and DoH) uses a CAcert certificate and it works
> fine. Now, I would like to move to Let's Encrypt but I do not see how
> to make it work from dnsdist.
> 
> HTTP challenges? I don't think there is an ACME client in dnsdist.
> 
> DNS challenges? I don't really want to switch my zones to a dynamic
> setup.
> 
> Is there an obvious solution I've missed?

The acme.sh script has a standalone mode, if you have port 80 open:

https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert#2-standalone-mode


Regards,

Andrew


Dr Andrew Nimmo

andrew.ni...@gmail.com



Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Stephane Bortzmeyer
On Sun, Sep 15, 2019 at 12:20:46PM +0200, Andrew Nimmo wrote a message of 72 lines which said:

> The acme.sh script has a standalone mode, if you have port 80 open:

Thanks, I forgot about that (and, indeed, port 80 was available).

So I did:

certbot certonly --standalone --domain doh.bortzmeyer.fr

to have the initial certificate.

Then, I configured dnsdist to use
/etc/letsencrypt/live/doh.bortzmeyer.fr/fullchain.pem and then I set
up this for the future renewals:

certbot renew --standalone --deploy-hook /usr/local/sbin/restart-dnsdist

Thanks again.


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread abang

> certbot renew --standalone --deploy-hook /usr/local/sbin/restart-dnsdist

There is no need to restart dnsdist.

/usr/sbin/dnsdist -e 'reloadAllCertificates()'

is sufficient.

Winfried

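As an added example (not code from any poster in this thread), a deploy hook in the spirit of Winfried's suggestion: it refuses to reload if the renewed fullchain.pem and privkey.pem do not belong together, then asks dnsdist to reload its certificates instead of restarting it. It assumes certbot's RENEWED_LINEAGE environment variable, a dnsdist console reachable through `dnsdist -e`, and the hypothetical hook path /usr/local/sbin/reload-dnsdist.

```sh
#!/bin/sh
# Hypothetical certbot deploy hook: /usr/local/sbin/reload-dnsdist
# Use as: certbot renew --standalone --deploy-hook /usr/local/sbin/reload-dnsdist
set -eu

# certbot exports RENEWED_LINEAGE to deploy hooks; fall back to the path used in the thread.
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/doh.bortzmeyer.fr}"
DNSDIST="${DNSDIST_BIN:-/usr/sbin/dnsdist}"

# Both files that dnsdist's TLS frontends load must exist and be readable.
cert_files_present() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Compare the public key inside the certificate with the one derived from the
# private key; a mismatch would make dnsdist serve a broken DoT/DoH frontend.
# Returns 0 on match, 1 on mismatch, 2 when openssl is not installed.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Console command that re-reads every TLS frontend's files without a restart.
reload_command() {
    printf '%s -e %s\n' "$1" "reloadAllCertificates()"
}

main() {
    cert_files_present "$LINEAGE" || { echo "missing cert or key in $LINEAGE" >&2; exit 1; }
    rc=0
    cert_matches_key "$LINEAGE" || rc=$?
    case $rc in
        0) ;;
        2) echo "openssl not found, skipping cert/key consistency check" >&2 ;;
        *) echo "fullchain.pem and privkey.pem in $LINEAGE do not match" >&2; exit 1 ;;
    esac
    # shellcheck disable=SC2046
    $(reload_command "$DNSDIST")
}

# Only act when invoked as the hook itself, so the functions can be sourced for testing.
case "${0##*/}" in
    reload-dnsdist) main ;;
esac
```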


Re: [dnsdist] dnsdist and Let's Encrypt (ACME)

2019-09-15 Thread Ask Bjørn Hansen


> On Sep 15, 2019, at 1:40 AM, Stephane Bortzmeyer  wrote:
> 
> DNS challenges? I don't really want to switch my zones to a dynamic
> setup.


For places where adding or changing http was cumbersome or impossible, I set up a single dynamic zone just for the acme process.

From the “real” zone you can CNAME the challenge name into the dynamic zone, so you don’t have to switch your “real” data to be managed dynamically.


Ask


Re: [dnsdist] Logging a sample of queries

2019-09-15 Thread Jacob Bunk Nielsen

On 06/09/2019 10.07, Jacob Bunk Nielsen wrote:
> I want to log a sample of our DNS queries to dnsdist. We run dnsdist
> 1.3.3 under systemd.
>
> I have tried:
>
> addAction(ProbaRule(0.01), LogAction())
>
> I would expect this to log ~1/100 of our queries. But there's
> obviously a bug in the docs for dnsdist because LogAction() always
> requires at least one argument. I couldn't find a good place to fix it
> and make a pull request. Should I make a github issue?


I found the place to update the documentation:

https://github.com/PowerDNS/pdns/pull/8298 (already merged, nice!)

I'm almost certain that I can do it through a remoteLogger and
RemoteLogAction, but I'd much rather just log locally to stdout. I still
haven't found a good way to do that.


Best regards,

Jacob
