Acme-dns for DNS validation

(Dan) #1

I played with Caddy a little bit a while back, but it didn’t support DNS validation for certificates at the time, so I didn’t do much with it. I see it’s since grown to support DNS with a number of hosts, including Cloudflare, which I could use. What I’d really like to see, though, is support for acme-dns, a limited-purposes DNS server (intended to be self-hosted) that’s designed to serve only the TXT records that ACME uses as challenge tokens. This would give a few advantages over the existing implementation:

  • You could use DNS validation with just about any DNS host, as long as you’re able to set a CNAME record–no need for your main DNS host to have a supported API.
  • Because of the above, you could get wildcard certs with just about any DNS host as well.
  • Security. Cloudflare’s API credentials, for example, are virtually omnipotent. If an attacker were able to obtain them, he would have complete control over your DNS and could even (if desired) steal your domain. By contrast, the API credentials for acme-dns would only allow the attacker to issue a cert for your domain–still bad, of course, but nowhere near as bad.

There’s a basic implementation of support for acme-dns in, but it requires the user to manually do most of the work in advance. A more comprehensive implementation is available as a certbot plugin (also implemented in go). For this, the only manual prep work needed is setting up a suitable CNAME record; the plugin handles the rest of the headaches.

Any chance of getting support for this API integrated into Caddy?
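
To make the delegation model described in this post concrete, here is an added Go example (written for this thread; it is not Caddy's, lego's or acme-dns's own code). It models the three moving parts: the primary zone, which holds nothing but a CNAME for `_acme-challenge`; an acme-dns style zone whose per-subdomain credentials can write only TXT values and nothing else; and the CA-side dns-01 check that follows the CNAME and compares the TXT content against `base64url(SHA-256(token "." thumbprint))` from RFC 8555. The subdomain names, API keys, tokens and thumbprint are all constructed placeholders, and `Register` takes caller-supplied values where real acme-dns would generate random ones.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrUnauthorized = errors.New("acme-dns: unknown subdomain or wrong credential")
	ErrNoRecord     = errors.New("dns: no TXT record")
)

// AcmeDNS models the narrow surface an acme-dns style server exposes: each
// registered subdomain has its own credential and can hold only TXT values.
// Constructed model for illustration, not the acme-dns project's code.
type AcmeDNS struct {
	creds map[string]string   // subdomain FQDN -> API key
	txt   map[string][]string // subdomain FQDN -> most recent TXT values
}

func NewAcmeDNS() *AcmeDNS {
	return &AcmeDNS{creds: map[string]string{}, txt: map[string][]string{}}
}

// Register enrols a challenge subdomain with a credential valid for that name
// only (real acme-dns generates the subdomain and secret; supplied here).
func (a *AcmeDNS) Register(fqdn, key string) { a.creds[fqdn] = key }

// Update writes a TXT value, keeping the two most recent so a base domain and
// its wildcard can be validated from the same name. The credential for one
// subdomain cannot touch any other record: that is the whole privilege scope.
func (a *AcmeDNS) Update(fqdn, key, value string) error {
	if k, ok := a.creds[fqdn]; !ok || k != key {
		return ErrUnauthorized
	}
	vals := append(a.txt[fqdn], value)
	if len(vals) > 2 {
		vals = vals[len(vals)-2:]
	}
	a.txt[fqdn] = vals
	return nil
}

// Resolver models the public DNS view: the primary host carries only a CNAME
// for _acme-challenge, and TXT lookups follow it into the acme-dns zone.
type Resolver struct {
	cname map[string]string
	acme  *AcmeDNS
}

func (r *Resolver) LookupTXT(name string) ([]string, error) {
	for hop := 0; hop < 8; hop++ { // bounded CNAME chase
		target, ok := r.cname[name]
		if !ok {
			break
		}
		name = target
	}
	vals, ok := r.acme.txt[name]
	if !ok || len(vals) == 0 {
		return nil, ErrNoRecord
	}
	return vals, nil
}

// ChallengeName is the name a CA queries for dns-01; a wildcard identifier
// shares the name of its base domain, which is why one CNAME covers both.
func ChallengeName(identifier string) string {
	return "_acme-challenge." + strings.TrimPrefix(identifier, "*.")
}

// DNS01Value is the dns-01 TXT content (RFC 8555 section 8.4):
// base64url(SHA-256(token "." accountKeyThumbprint)) without padding.
func DNS01Value(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Validate is the CA-side check: resolve the challenge name and look for the
// expected value among the TXT records found there.
func Validate(r *Resolver, identifier, token, thumbprint string) bool {
	vals, err := r.LookupTXT(ChallengeName(identifier))
	if err != nil {
		return false
	}
	want := DNS01Value(token, thumbprint)
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

// Demo wires the pieces together with constructed names and secrets.
func Demo() (okBase, okWild bool, scopeErr error) {
	acme := NewAcmeDNS()
	acme.Register("d420c923.auth.example.net", "key-for-example-com")
	acme.Register("7f1b2c3d.auth.example.net", "key-for-other-org")
	r := &Resolver{acme: acme, cname: map[string]string{
		"_acme-challenge.example.com": "d420c923.auth.example.net",
	}}
	const thumb = "constructed-account-thumbprint"
	_ = acme.Update("d420c923.auth.example.net", "key-for-example-com", DNS01Value("token-base", thumb))
	_ = acme.Update("d420c923.auth.example.net", "key-for-example-com", DNS01Value("token-wild", thumb))
	okBase = Validate(r, "example.com", "token-base", thumb)
	okWild = Validate(r, "*.example.com", "token-wild", thumb)
	// The example.com credential is useless against any other subdomain.
	scopeErr = acme.Update("7f1b2c3d.auth.example.net", "key-for-example-com", "x")
	return
}

func main() {
	b, w, e := Demo()
	fmt.Println("base:", b, "wildcard:", w, "cross-subdomain update:", e)
}
```

Running `Demo` validates both `example.com` and `*.example.com` through the single CNAME, while the cross-subdomain `Update` fails with `ErrUnauthorized`, which is the point made in the post: a leaked acme-dns credential can only place challenge TXT values under its own subdomain, whereas a leaked provider API key can rewrite the whole zone.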

(Matt Holt) #2

Instead of extending Caddy, you’d probably want to extend our lego library: - which is what we use for ACME protocol. I imagine it’d be just another DNS provider like the existing ones.