TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Add Technitium API support to lexicon #546

Closed renne closed 1 year ago

renne commented 1 year ago

lexicon is an abstraction layer for DNS provider APIs available via Python Package Index. I suggest to add the Technitium API as a provider to lexicon.

lexicon developer guide

ShreyasZare commented 1 year ago

Thanks for the post. I would recommend that you post this as an issue in the lexicon project itself to reach out to its developers.

Djelibeybi commented 1 year ago

Not Lexicon, but I just submitted a PR to include DNS API support for Technitium to acme.sh.

I've submitted a provider to Lexicon before, so if I can find some spare time, I'll see what I can do.

renne commented 1 year ago

@Djelibeybi lexicon support would be great for all the web-interfaces requesting Let's Encrypt certificates. Instead of the HTTP-challenge the DNS-challenge could be used (e.g. wildcard sub-domains).

Djelibeybi commented 1 year ago

@renne you can use Lexicon's existing ddns provider with Technitium. To do this, add a TSIG key via Settings -> TSIG. I recommend using a simple key name and letting Technitium generate a strong secret for you. Leave the algorithm as HMAC-SHA256 too.

You then need to allow both zone transfers and dynamic updates for Lexicon using that TSIG key. If you can limit the source IP addresses that would be good. On the Dynamic Update page, you need to specify the domain name as *.domain.com and the record type can be limited to TXT.

When running Lexicon, the --auth-token parameter is hmac-sha256:lexicon:<shared_secret> and the --ddns-parameter is just the IP address of your Technitium server.

ShreyasZare commented 1 year ago

> @renne you can use Lexicon's existing ddns provider with Technitium. To do this, add a TSIG key via Settings -> TSIG. I recommend using a simple key name and letting Technitium generate a strong secret for you. Leave the algorithm as HMAC-SHA256 too.
>
> You then need to allow both zone transfers and dynamic updates for Lexicon using that TSIG key. If you can limit the source IP addresses that would be good. On the Dynamic Update page, you need to specify the domain name as *.domain.com and the record type can be limited to TXT.
>
> When running Lexicon, the --auth-token parameter is hmac-sha256:lexicon:<shared_secret> and the --ddns-parameter is just the IP address of your Technitium server.

Yes, dynamic updates are a good option and are widely supported.

Just adding a clarification that you don't need to enable zone transfer for using dynamic updates as both are independent functions.

Also, in the dynamic update security policy, it's recommended to use the specific domain name _acme-challenge.example.com instead of *.example.com and the record type TXT. This is so that if the TSIG key is leaked, then the attacker won't be able to update any other record except for the specified domain name and record type.
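The ddns setup described in the two comments above boils down to an RFC 2136 UPDATE signed with an HMAC-SHA256 TSIG key, targeting exactly the `_acme-challenge.example.com` TXT record that the narrowed security policy permits. The following added example, written for this thread and not code from Lexicon, acme.sh or Technitium, builds such an update with the standard library only, signs it, and shows the server-side check (MAC over the unsigned message plus TSIG variables, and the time window) that makes a leaked key the only way to forge one; the key name, secret, zone and token are constructed demo values.

```python
import base64, hashlib, hmac, struct, time

# Constructed demo values: this key name and secret are NOT real credentials.
KEY_NAME, SECRET_B64 = "lexicon", base64.b64encode(b"demo-secret-not-for-production").decode()
ALG = "hmac-sha256"

def encode_name(name):
    """Uncompressed RFC 1035 wire form of a name, lower-cased as TSIG canonical form requires."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".")) + b"\x00"

def build_update(zone, owner, txt, ttl=60, msg_id=0x1234):
    """Unsigned RFC 2136 UPDATE adding one TXT record `owner` to `zone`."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE, 1 zone, 1 update RR
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # zone section: SOA, IN
    rdata = bytes([len(txt)]) + txt.encode()                      # TXT rdata: <len><chars>
    return header + zone_sec + encode_name(owner) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata

def _tsig_vars(key_name, ts, fudge):
    """TSIG variables covered by the MAC (RFC 8945 4.3.3); error and other-len are zero."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + encode_name(ALG)
            + struct.pack("!Q", ts)[2:] + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(msg, key_name, secret_b64, ts=None, fudge=300):
    """Client side: append an HMAC-SHA256 TSIG RR to an unsigned request and bump ARCOUNT."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(base64.b64decode(secret_b64), msg + _tsig_vars(key_name, ts, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + struct.pack("!Q", ts)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))          # ..., original ID, error, other-len
    tsig = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + tsig

def tsig_verify(wire, key_name, secret_b64, now=None):
    """Server side: recompute the MAC over the message minus its TSIG RR and check the time window.
    Assumes a 32-byte MAC and no other-data, which is exactly what tsig_sign produces."""
    rdlen = 61                                                    # alg(13)+ts(6)+fudge(2)+macsize(2)+mac(32)+id/err/olen(6)
    head = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, rdlen)
    body, tsig = wire[:-(len(head) + rdlen)], wire[-(len(head) + rdlen):]
    if not tsig.startswith(head + encode_name(ALG)):
        return False
    r = len(head) + 13
    ts, fudge = int.from_bytes(tsig[r:r + 6], "big"), struct.unpack("!H", tsig[r + 6:r + 8])[0]
    mac = tsig[r + 10:r + 42]
    unsigned = body[:10] + struct.pack("!H", struct.unpack("!H", body[10:12])[0] - 1) + body[12:]
    expect = hmac.new(base64.b64decode(secret_b64), unsigned + _tsig_vars(key_name, ts, fudge), hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(mac, expect) and abs(now - ts) <= fudge
```

Sending `tsig_sign(build_update("example.com", "_acme-challenge.example.com", "<token>"), KEY_NAME, SECRET_B64)` over UDP or TCP port 53 to the Technitium server is what Lexicon's ddns provider does for you; the policy discussed above then decides whether that owner name and record type are accepted for this key.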

Djelibeybi commented 1 year ago

Zone transfer has to be allowed to enable Lexicon's ddns provider to list domain records.

ShreyasZare commented 1 year ago

> Zone transfer has to be allowed to enable Lexicon's ddns provider to list domain records.

Ok good to know that. In that case it would be good to configure the TSIG key for zone transfer too if that is supported by Lexicon to prevent anyone from doing a zone transfer.

SlothCroissant commented 2 weeks ago

FYI - after working through this myself today, I documented the Lexicon DNS > Technitium process in the acme.sh wiki: https://github.com/acmesh-official/acme.sh/wiki/How-to-use-lexicon-DNS-API#4-using-technitium-dns-via-lexicon-ddns-api