Hacker News new | past | comments | ask | show | jobs | submit login

is it common for DNS hosts to provide delegated access at the granularity of individual records?

I don't want my webserver to have the ability to change my entire zonefile just so it can authorise certificates!

Not sure if it will work for your use case, but you can also CNAME the _acme-challenge record to a different domain (or a subdomain with a separate zonefile), dedicated only to authorizing certificates.

If you’re doing DNS-based auth you don’t need to renew the certainly on the web-server at all.

You can generate them on a secure host (or container) which pushes the certs to the machines which needs them.

In OVH you can restrict token access to individual resources (in this case one record) at token creation time.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact