Announcement: LetsDNS release 1.0 is now available
I'm happy to announce that LetsDNS release 1.0 is now available and ready for public use.
Website: https://letsdns.org
GitHub: https://github.com/LetsDNS/letsdns
PyPI: https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with only a few lines of configuration. It supports multiple domains with multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook functions of ACME clients like dehydrated or certbot. It currently supports backends via the DNS Update Protocol (RFC 2136), the Hetzner DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS is designed to be expanded using custom Python modules which are loaded dynamically during runtime.
I'd appreciate you taking LetsDNS for a leisurely spin, and letting me know of your experiences. GitHub discussions/issues are preferred, but you can also send mail to "author at letsdns dot org".
Enjoy.
-Ralph
Re Viktor mentioning earlier on the Postfix mailing list that "there's a need for an example complete config file":
https://letsdns.org/example.html shows a complete and functioning example, in which I have only changed the domain name to example.com.
Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook function. LD generates DNS records for both the queued and the active certificate (found in /etc/postfix/tls). Two days later the queued cert is copied over the active one.
This ensures a non-breaking certificate roll-over, further backed by the TLSA records LetsDNS generates for the CA certificate. Also, as is mentioned in the docs, LetsDNS deduplicates TLSA records automatically to avoid superfluous entries if possible.
I hope this sheds a bit more light on what is happening.
-Ralph
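As an added illustration of the roll-over described above (example code written for this thread, not LetsDNS code, and not necessarily what LetsDNS emits): the queued and active certificates each yield a DANE-EE record, the CA certificate a DANE-TA record, and identical rdata is collapsed so a reused key produces a single record. The 3 1 1 / 2 1 1 usage/selector choice, the helper names and the certificate-shaped sample DER are assumptions of this example.

```python
import hashlib

def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (constructed helper, used to build sample certificates)."""
    n = len(value)
    return bytes([tag, n]) + value if n < 0x80 else bytes([tag, 0x82, n >> 8, n & 0xFF]) + value

def der_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, end) for the TLV starting at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(seq_value: bytes) -> list:
    """Split a SEQUENCE body into the full encodings of its element TLVs."""
    out, pos = [], 0
    while pos < len(seq_value):
        _, _, end = der_tlv(seq_value, pos)
        out.append(seq_value[pos:end])
        pos = end
    return out

def spki_der(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV: 6th tbsCertificate field after the optional [0] version."""
    _, cert_body, _ = der_tlv(cert_der)        # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)             # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int = 1) -> str:
    """RFC 6698 presentation rdata; selector 0 hashes the whole cert, 1 the SPKI; mtype 1 SHA-256, 2 SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"{usage} {selector} {mtype} {algo(data).hexdigest()}"

def tlsa_records(end_entity_certs, ca_certs) -> list:
    """3 1 1 per queued/active cert plus 2 1 1 per CA cert, deduplicated (reused key -> one record)."""
    rdata = {tlsa_rdata(c, 3, 1) for c in end_entity_certs}
    rdata |= {tlsa_rdata(c, 2, 1) for c in ca_certs}
    return sorted(rdata)

def fake_cert(spki_body: bytes, serial: int) -> bytes:
    """Constructed certificate-shaped DER with empty name/validity fields; only field order matters here."""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + der(0x30, b"") * 4 + der(0x30, spki_body)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00sig"))

if __name__ == "__main__":
    active, queued, ca = fake_cert(b"key-A", 1), fake_cert(b"key-A", 2), fake_cert(b"ca-key", 9)
    print("\n".join(tlsa_records([active, queued], [ca])))   # two records: key reused, so one 3 1 1
```

With a rotated key (different SPKI in the queued certificate) the same call returns three records, which is why publishing both the queued and the active record ahead of the copy keeps verification working throughout.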
On Tue, Apr 12, 2022 at 10:03:23PM +0200, Ralph Seichter wrote:
> Re Viktor mentioning earlier on the Postfix mailing list that "there's a need for an example complete config file":
> https://letsdns.org/example.html shows a complete and functioning example, in which I have only changed the domain name to example.com.
> Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook function. LD generates DNS records for both the queued and the active certificate (found in /etc/postfix/tls). Two days later the queued cert is copied over the active one.
> This ensures a non-breaking certificate roll-over, further backed by the TLSA records LetsDNS generates for the CA certificate. Also, as is mentioned in the docs, LetsDNS deduplicates TLSA records automatically to avoid superfluous entries if possible.
> I hope this sheds a bit more light on what is happening.
Yes, this is helpful, and I encourage you to write up how the certificate lifecycle integrates with "letsdns", what custom actions are supposed to do, ... who's responsible for activating the "queued" certificate, ...
Presently it is not clear to me how the new tool is to be used. I hope you'll have some cycles to document the key use cases.
* Viktor Dukhovni:
> Presently it is not clear to me how the new tool is to be used. I hope you'll have some cycles to document the key use cases.
I have fleshed out the example use case (Postfix and DANE TLSA). I hope to add an example for Webserver use soonish.
-Ralph