label:question possible/useful to add the hetzner email interface as provider?

[Unostot]

Hello,

I've succesful using the existing Hetzner provider which under the hood parses the website and gets the needed information from there.

But there are three problems with this method:

1. If Hetzner changes the HTML code, the provider needs to be changed
2. With enabled two-factor authentication it is not possible to use this provider
3. There is only one password for the Hetzner account, no DNS API Token. So you have to provide the password for the login and with this password one can do anything with your whole account, not just a bit 'messing around with DNS'. Esepecially when you want to use it in an automatic way this is a far too large security risk If you e.g. some root servers at the same account.

Why a second provider? There exists an alternate way to make DNS changes at Hetzner, a so called Email-Interface. You can find an english description here: https://wiki.hetzner.de/index.php/E-Mail-Schnittstelle_Domain_Registration_Robot/en

In short: For each change of the zone file you have to send a PGP signed and optional encrypted email to the Hetzner Robot. In fact, the website generates such emails in the background, too.

No for a Lexicon provider one may need some additional things:

1. a copy of the current zonefile, since the complete zonefile needs to be sent when changes are requested
2. a PGP Key for signing, whose public part is provided to Hetzner for verification.

The provider would then parse the zonefile, to check if a wanted entry exists (especially for cleanup) and modify it accordingly. The provider would then use those information to generate a correct signed email, and sends this email to Hetzner.

That way it would be possible to modify the DNSrecords of a 2F protected Hetzner account via Lexicon.

Now my question: I'm planning on implementing such a tool for my private use. I'm not sure if the needed items (zonefile and PGP key) can somehow be "good" integrated as a lexicon provider. Also one has to keep the zonefile up to date, if one does also update other records in the web interface from time to time. In the long run I would use only a 'lexicon enabled' tool for all the DNS settings, when it works, so this would not be a big issue.

If you say, "this is possible", and perhaps be willing to discuss with me "best practices for such a special provider style", I would try to implement it as an Lexicon provider, instead of a quick and dirty "only for self usage" program.

But perhaps the way this interface works is just not possible to be implemented as an provider. In this case please tell me that this would not work out, so I don't need to try.

Long story short: This is for now a "think about" topic, if it is possible and useful at all. I'm not sure how much time I have available over the next months. So for now I'm just asking if such a provider has a chance to be part of lexicon or if it will just not 'fit in'

Greetings, Uno/Georg

[s4ke]

@Unostot any progress on your custom tool?

[Unostot]

@Unostot any progress on your custom tool? Hello,

since I did not receive any anwesrs until now regarding "possible or even acceptable with current way lexicon works", I did not look further into a new lexicon provider.

If you asking how my "non lexicon way of updating me LE certifcates via DNS auth" is progressing.... right now I'm using the existing hetzner provider which parses the website. After the last certificate renew I did not put much new work into it, since there was much work and even some spare time with my family ;)

But in the long run I think I will try the email interface. And by the time this works stable, perhaps some answers exist here, and then I can think about a new provider, who uses this interface...the hetzner account in question uses only some domains, so the security is not that much of an issue.

But some friends and colleague are not using lexicon right now, because they have additional servers and other stuff at their accounts, secured by 2FA...and I can understand that they won't deactivate this protection, just so that some script can parse the website every 90 days for renewing ;)

[s4ke]

I am currently working on a small python API that works with Hetzner TXT entries, and the E-Mail integration would be awesome. Once my api works with the E-Mail API, writing a plugin for e.g. lexicon would be easy.

I would be able to implement that, but I do not 100% understand their email robot documentation. Does it support PATCH operations or do I have to always send the whole zonefile?

[Unostot]

I am currently working on a small python API that works with Hetzner TXT entries, and the E-Mail integration would be awesome. Once my api works with the E-Mail API, writing a plugin for e.g. lexicon would be easy.

I would be able to implement that, but I do not 100% understand their email robot documentation. Does it support PATCH operations or do I have to always send the whole zonefile?

As far as I know there is now way to patch it. You always need to send the whole new zone file via email. So if you have not the latest zone file at the time you want to update some records with some tool, you would loose records which are not in the zonefile you send with this tool.

[adferrand]

Hello @Unostot! Sorry for the late reply ...

I will never cease to be impressed by the huge variety of APIs out there. Send a PGP-signed email to update a DNS zone, I would never expect that ;)

In theory, nothing prevents this approach to be implemented in Lexicon: nothing is saying that providers should necessarily use through HTTP REST APIs. Some of them uses XML-RPC for instance. So we can discuss around the design.

About your concern on passing files to Lexicon, I do not think it is a problem. The Google Cloud DNS uses this approach. More precisely, you can give it the path of a file, or the base64-encoded content of it.

What bother me a little more is the need to have an external file describing the DNS zone. It adds an external state to Lexicon that I would like to avoid. Is it possible to construct the DNS zone content inside the provider, and use that content to update the DNS zone through the email interface?

[Unostot]

What bother me a little more is the need to have an external file describing the DNS zone. It adds an external state to Lexicon that I would like to avoid. Is it possible to construct the DNS zone content inside the provider, and use that content to update the DNS zone through the email interface?

Well...as far as I see it, there is no way around to have the current zone file of the domain about to be changed. You need to send the complete new zone file via email. Now it depends on where you draw the line. You could eighter give the current zone file to lexicon, or make something like "ZONE_FILE_2_USE="path/to/zone.file" as an env variable. And the new provider would then examine this variable to get the zone file. Then it would add some records, or update them, and finally send the email...

From my point of view it is roughly the same if I give the path to this file inside the lexicon call or as an variable for the lexicon provider to be used later. Without a complete current zone file at hand one would send a wrong "new zone" via email and some records would be lost.

But to say it clear: There is no way via the mail interface to get an current zone file. So one needs always the current zone file and needs to send the updated complete new zone file. There is no such thing as "single record update".

Greetings, Uno

[Unostot]

apparently some issues solve themself, if you wait a while...

Hetzner is right now in the process of implementing a new DNS Api, and the email API seems then deprecated.

The new Api is described here: https://dns.hetzner.com/api-docs/

As far as I've seen there will now be a way to use API tokens and other nice stuff, so no need anymore to give full access to the Hetzner Account.

So, lets see....

Greetings, Uno

[schiederme]

The new API is released and integrated.

Maybe the issue can be closed.