32 lines
No EOL
1.7 KiB
Markdown
32 lines
No EOL
1.7 KiB
Markdown
# ACME DNS Challenges
|
|
## Summary
|
|
We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both public-facing and internal services**. A key benefit is that DNS-01 **enables internal certificate issuance** in the first place, since the CA only needs to verify TXT records in DNS (no inbound HTTP/ALPN access to the service). To keep our primary DNS zones clean, we will create a **separate, dedicated zone** for ACME challenges and **delegate** challenge records to it via **CNAME**.
|
|
|
|
## Decisions
|
|
- Use **ACME DNS-01** as the challenge type for **both external/public and internal** certificate issuance.
|
|
- Create a **dedicated DNS zone** for ACME challenges (e.g., `_acme.example.com`).
|
|
- For each certificate FQDN, publish a **CNAME** at `_acme-challenge.<fqdn>` that points into the dedicated challenge zone.
|
|
- Store the **TXT token(s)** only in the dedicated challenge zone to avoid cluttering primary zones.
|
|
- Keep **low TTLs** (e.g., 60-120s) on both CNAME and TXT records to speed up renewals.
|
|
- Restrict write access to the challenge zone to the ACME automation only.
|
|
|
|
## Reference Design
|
|
**Dedicated zone:**
|
|
`_acme.example.com`
|
|
|
|
**For a service FQDN:**
|
|
Target certificate: `app1.example.com`
|
|
|
|
**Publish in the primary zone:**
|
|
```dns
|
|
; Delegate the challenge to the dedicated zone
|
|
_acme-challenge.app1.example.com. CNAME app1._acme-challenge._acme.example.com.
|
|
```
|
|
|
|
**Publish in the dedicated zone (managed by the ACME client/automation):**
|
|
```dns
|
|
; ACME client writes the TXT token here
|
|
app1._acme-challenge._acme.example.com. TXT "ACME_VALIDATION_TOKEN"
|
|
```
|
|
|
|
> During validation, the CA will follow the CNAME from the primary zone to the dedicated zone and read the TXT record there. |