
DNS providers and domain name registration companies are probably going to get pestered about API access for updating TXT DNS records now... :)

I never understood why DNS providers are so reluctant to offer standards-based access, like nsupdate(1). It's easy to set up, it can do everything, it's secure, requires no custom anything and it just works.

One option is to run your own BIND instance configured however you like, and pay for one or more secondary DNS services to sync off it. You can even hide your own BIND instance from everyone outside your network and just point your NS records at the secondaries, if you’re worried about misconfiguration/DoS attacks/etc.

A perfectly viable option that is called 'shadow mastering'. dns.he.net lets you do it for free.

That sounds interesting. Would you know of any secondary DNS service headquartered in Europe? I always wanted to host DNS myself but since I lack a secondary DNS...

Unfortunately don't know any EU-based services, but all the big services have their actual servers available in most locations.

Only problem is when your main DNS is down, letsencrypt won't check your secondary, because they use Google DNS.

Take a look at https://github.com/AnalogJ/lexicon. It's a python library that provides standardized, programmatic access to DNS entries for a bunch of major providers.

I started using Cloudflare just for their DNS API - the dynDNS providers baked into my router's firmware went under so I started pointing the DNS record to my home dynamic IP with a cronjob that called CF's API.

It's this exact situation why I decided to write a tool that integrates with the CF API [0].

[0]: https://github.com/wyattjoh/cloudflare-ddns

You can also use our Terraform provider to manage DNS: https://github.com/terraform-providers/terraform-provider-cl....

We've got a number of open PRs as well to add other resources, e.g., load balancing, rate limiting, zone settings, etc. HashiCorp is currently reviewing/merging.

The good news is that most of the major providers already have integrations into clients like lego: https://github.com/xenolf/lego/tree/master/providers/dns

Use Terraform to manage records. They have support for lots of DNS providers (AWS Route53, Google Cloud DNS, Cloudflare, DigitalOcean, Azure DNS, DYN, DNSMadeEasy, NS1, UltraDNS, PowerDNS).

I switched to Terraform + CloudFlare for managing my DNS entries and I absolutely love it. No more messing around with web pages, change a line in a file and you're done. Fantastic.

Warning: I have made services inaccessible by deploying before making sure the git repo I was working from was the latest version. That's the downside of stateless deployments!

Did you do a deploy before a plan? ;)

We've all been there!

No I did the plan and then didn't look at it at all and did the deploy :P

Moving a domain between providers is quite disruptive.

Store your DNS records under revision control, and updating your records can be as simple as a "git commit && git push".

Shameless plug: https://github.com/StackExchange/dnscontrol is a provider independent way to manage your zones with a single dsl style file in source control.

That's pretty expensive, esp for side projects. I'm using a certbot extension for CloudFlare. Completely free.

I used to have a sliding scale of prices, based on volume, but my customers fall into two camps:

* Those with 1 or 2.

* Those with 10-40.

I suspect lowering the price(s) on a volume-scale would allow me to find customers with 40+ domains, but at the same time I'm happy where I am and seem to have a reasonable niche.

Is it common for DNS hosts to provide delegated access at the granularity of individual records?

I don't want my webserver to have the ability to change my entire zonefile just so it can authorise certificates!

Not sure if it will work for your use case, but you can also CNAME the _acme-challenge record to a different domain (or a subdomain with a separate zonefile), dedicated only to authorizing certificates.
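The CNAME delegation above, worked through as an added example (not code from any commenter): follow the `_acme-challenge` CNAME chain the way a validator does, then emit an nsupdate(1) batch that only ever writes into the dedicated challenge zone, so the TSIG key on the web host can be scoped to that zone alone. All names, the record map and the zone are constructed; the matching BIND `update-policy` on the delegated zone is assumed, not shown.

```python
"""Follow _acme-challenge CNAMEs into a delegated zone and build an RFC 2136
update confined to that zone. Added example with constructed names."""
from typing import Dict, List

# Constructed stand-in for DNS answers: the main zone delegates the challenge
# label to a dedicated zone, so the web host never needs rights on example.com.
RECORDS: Dict[str, str] = {
    "_acme-challenge.www.example.com.": "_acme-challenge.www.acme.example.net.",
}
DELEGATED_ZONE = "acme.example.net."   # the only zone the update key may touch
MAX_CNAME_HOPS = 8                     # cap chain length, as validators do


def resolve_challenge_name(name: str, records: Dict[str, str]) -> str:
    """Return the name that must carry the TXT record, following CNAMEs.

    Raises ValueError on a CNAME loop or an over-long chain."""
    seen = set()
    while name in records:
        if name in seen or len(seen) >= MAX_CNAME_HOPS:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = records[name]
    return name


def build_nsupdate(domain: str, token: str, records: Dict[str, str] = RECORDS,
                   zone: str = DELEGATED_ZONE) -> List[str]:
    """nsupdate(1) batch adding the validation TXT only inside `zone`.

    Fails closed when the challenge name would land outside the zone the
    restricted TSIG key is allowed to update (e.g. a host with no CNAME)."""
    target = resolve_challenge_name(f"_acme-challenge.{domain}.", records)
    if target != zone and not target.endswith("." + zone):
        raise PermissionError(f"{target} is outside delegated zone {zone}")
    return [
        f"zone {zone}",
        f"update delete {target} TXT",          # drop stale tokens first
        f'update add {target} 60 IN TXT "{token}"',
        "send",
    ]


if __name__ == "__main__":
    # Pipe this output into `nsupdate -k <tsig-key-file>` on the web host.
    print("\n".join(build_nsupdate("www.example.com", "constructed-token")))
```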

If you’re doing DNS-based auth you don’t need to renew the cert on the web-server at all.

You can generate them on a secure host (or container) which pushes the certs to the machines which need them.

In OVH you can restrict token access to individual resources (in this case one record) at token creation time.
