Generic question about DNS providers & Caddy

My apologies if this does not belong here, but since I started using Caddy (successfully, after spending quite some time figuring out how to use it with Docker labels), I have been going down a rabbit hole and learned a lot about the essential building blocks of the web. Thank you for that.

I am surprised Caddy has plugins for certain DNS providers. My provider is Porkbun and Caddy “Just Works”; I did not need to declare a DNS provider in my Caddyfile.

But for other DNS providers, I understand you can use their API. Why would users want this? Caddy can already use 2 different challenges automatically. Do they not work with certain providers? I even saw a GoDaddy DNS plugin (deprecated?); I would expect the biggest domain provider to work with standards and not force their own API to be used.

Some DNS plugins don’t have full documentation (for example, where do you set the credentials or API key for GoDaddy? For Cloudflare it is well explained).

I am just curious whether all those provider-specific DNS plugins are a remnant from the past, even though some work in Caddy v2.

There are 3 main ACME challenges: HTTP, TLS-ALPN, and DNS. Each has different situations where it makes sense.

By default, Caddy enables the HTTP and TLS-ALPN challenges, because they require nothing extra from the user to work.

The HTTP challenge involves having an ACME CA make a request to your server on port 80 (the HTTP port) at a specific path, to prove that you own the domain (by serving a special file that only you could serve, proved by cryptographic operations). This usually works for the majority of users.

The TLS-ALPN challenge is similar, but works on port 443 (the HTTPS port). It’s a bit more complicated, but instead of serving a file, the value that would be in the file is returned during the TLS handshake (the part where the client and server agree on a secret key to encrypt the connection) via some clever little extensions to the handshake. This is useful if you can’t expose port 80 for whatever reason (say, some other service is using that port).

And finally, the DNS challenge doesn’t use any port. How it works is that Caddy (if compiled with the relevant DNS plugin, and configured with credentials to connect to your DNS provider) will use the DNS provider’s API to set a special DNS record (a TXT record; you’ve probably played with A or CNAME records, and TXT is just another kind that records a key-value pair of text) which contains the special value that the ACME CA expects, so the ACME CA can then do a DNS query to find that value in your DNS zone, to confirm that you indeed control that domain.

The main advantage of the DNS challenge is that your server doesn’t need to be publicly accessible on ports 80 or 443 (useful for some service you’re only exposing on your LAN but want HTTPS for), or if you need a wildcard certificate like *

Only the DNS challenge can be used to give you a wildcard cert. The reason for this is that the HTTP and TLS-ALPN challenge only proves that you own exactly that domain, i.e. only, and only one subdomain at a time. Those two challenges can’t be used to prove that you can control the whole DNS zone. (This is important cause you don’t want to allow some bad actor to issue certificates for domains they don’t control, cause then they could impersonate that server, etc.) The DNS challenge though, since you’re editing a record on the DNS zone, is enough to show that you have control over the whole DNS zone. So this proves that you control all the infinite possible subdomains matching *

This is explained in somewhat less detail here:

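To make the answer above concrete, here is an added Caddyfile example (not from this thread or the Caddy project) that requests a wildcard certificate for a LAN-only service using the DNS challenge. It assumes Caddy was built with the Cloudflare DNS plugin, that the zone is example.com (a placeholder), and that an environment variable CLOUDFLARE_API_TOKEN holds an API token limited to editing DNS records for that zone.

```caddyfile
# Added example, not the thread's own config. Assumes a Caddy binary built with:
#   xcaddy build --with github.com/caddy-dns/cloudflare
# and CLOUDFLARE_API_TOKEN set in the environment (never put the token in the file).

*.example.com {
	# Only the DNS challenge can prove control of the whole zone, so it is the only
	# way to get *.example.com. Ports 80/443 never have to be reachable from the CA.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# One named host under the wildcard, proxied to a box on the LAN.
	@app host app.example.com
	handle @app {
		reverse_proxy 192.168.1.10:8080
	}

	# Any other name matching the wildcard gets nothing useful.
	handle {
		respond 404
	}
}
```

Scope the API token to DNS edits on this zone only: whoever holds it can pass the DNS challenge for every name in the zone, which is exactly the "whole DNS zone" control the answer describes.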

Thanks so much for the extensive explanation. The article is helpful too.

This means users have a choice. Using the DNS challenge (for example via the community-supported plugin for a DNS provider) is their choice.
I got that all wrong: I thought that if, for example, GoDaddy is your DNS provider, you need to use/can only use the DNS challenge via their API.

That is where I am wrong 🙂

