Support for DNS challenge delegation

[francislavoie]

See https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

The DuckDNS plugin for Caddy directly supports this, via a configuration option to override the domain that Caddy passed it with the actual *.duckdns.org subdomain the user has control of: https://github.com/caddy-dns/duckdns#challenge-delegation

I suggest that we introduce support for this in Caddy (and therefore certmagic) by providing that domain override functionality at a higher level so that DNS plugins don't need to support this themselves.

This would probably be configured in Caddy in the TLS automation policy, on the DNS challenge config: https://caddyserver.com/docs/json/apps/tls/automation/policies/issuers/acme/challenges/ and in the Caddyfile it would probably be a new subdirective of tls, maybe dns_challenge_domain, and maybe a global option to go with acme_dns.

What this would do, if configured, is make certmagic make a libdns request to the configured DNS plugin with this domain override, instead of the domain Caddy actually wants the certificate for. This obviously requires the user to understand that they need a CNAME record as described above.

This feature would be particularly useful as a workaround for users who have domains with providers that either don't provide a DNS management API (e.g. Google Domains) or have really terrible APIs (namecheap). It's solved by pairing it with free DNS services like DuckDNS which support TXT records, or with DNS servers like https://github.com/joohoi/acme-dns (which is purpose-built for making challenge delegation easy).

(Note that we don't have a DNS plugin that supports https://github.com/joohoi/acme-dns yet but it should be very easy to write; the name of the project makes it kinda ambiguous what it's for though, which is annoying from the perspective of publishing the plugin on https://caddyserver.com/download, but I digress)

[xdu31]

I'm interested in taking a look at this. @francislavoie

[bgeneto]

That would be amazing... AFAIK only duckdns plugin has this capability via override_domain directive. Problem is many (when not all) subdomains from duckdns.org have been blocked by several dns servers worldwide because of phishing/abuse. So please don't forget to add this feature... Thx.

[francislavoie]

This is implemented in caddyserver/certmagic#160 and #4596

[gc-ss]

(Note that we don't have a DNS plugin that supports https://github.com/joohoi/acme-dns yet but it should be very easy to write; the name of the project makes it kinda ambiguous what it's for though, which is annoying from the perspective of publishing the plugin on https://caddyserver.com/download, but I digress)

An update. This is now available at:

https://github.com/libdns/acmedns
https://github.com/caddy-dns/acmedns

Initial discussions: https://caddy.community/t/new-acme-dns-libdns-plugin/15474/3?u=gcss

Hat tip to @vbsd for design and development!