akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
a78529e2180af423eca3ceee90e88cd59fc0bb4e
Charon/docs/features/dns-providers.md
GitHub Actions f83e613613 feat: Add DNS provider documentation and enhance provider form with new fields 
- Created a comprehensive documentation file for DNS provider types, including RFC 2136, Webhook, and Script providers, detailing their use cases, configurations, and security notes.
- Updated the DNSProviderForm component to handle new field types including select and textarea for better user input management.
- Enhanced the DNS provider schemas to include new fields for script execution, webhook authentication, and RFC 2136 configurations, improving flexibility and usability.
2026-01-14 19:16:41 +00:00

308 lines
9.3 KiB
Markdown
Raw Blame History

# DNS Provider Types
This document describes the DNS provider types available in Charon for DNS-01 challenge validation during SSL certificate issuance.
## Overview
Charon supports multiple DNS provider types to accommodate different deployment scenarios:
| Provider Type | Use Case | Security Level |
|---------------|----------|----------------|
| **API-Based** | Cloudflare, Route53, DigitalOcean, etc. | ✅ Recommended |
| **RFC 2136** | Self-hosted BIND9, PowerDNS, Knot DNS | ✅ Recommended |
| **Webhook** | Custom DNS APIs, automation platforms | ⚠️ Moderate |
| **Script** | Legacy tools, custom integrations | ⚠️ High Risk |
---
## RFC 2136 (Dynamic DNS)
RFC 2136 Dynamic DNS Update allows Charon to directly update DNS records on authoritative DNS servers that support the protocol, using TSIG authentication for security.
### Use Cases
- Self-hosted BIND9, PowerDNS, or Knot DNS servers
- Enterprise environments with existing DNS infrastructure
- Air-gapped networks without external API access
- ISP or hosting provider managed DNS with RFC 2136 support
### Configuration
| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `nameserver` | ✅ | — | DNS server hostname or IP address |
| `tsig_key_name` | ✅ | — | TSIG key name (e.g., `acme-update.`) |
| `tsig_key_secret` | ✅ | — | Base64-encoded TSIG key secret |
| `port` | ❌ | `53` | DNS server port |
| `tsig_algorithm` | ❌ | `hmac-sha256` | TSIG algorithm (see below) |
| `zone` | ❌ | — | DNS zone override (auto-detected if not set) |
### TSIG Algorithms
| Algorithm | Recommendation |
|-----------|----------------|
| `hmac-sha256` | ✅ **Recommended** — Good balance of security and compatibility |
| `hmac-sha384` | ✅ Secure — Higher security, wider key |
| `hmac-sha512` | ✅ Secure — Maximum security |
| `hmac-sha1` | ⚠️ Legacy — Use only if required by older systems |
| `hmac-md5` | ❌ **Deprecated** — Avoid; cryptographically weak |
### Example Configuration
```json
{
"type": "rfc2136",
"nameserver": "ns1.example.com",
"port": 53,
"tsig_key_name": "acme-update.",
"tsig_key_secret": "base64EncodedSecretKey==",
"tsig_algorithm": "hmac-sha256",
"zone": "example.com"
}
```
### Generating a TSIG Key (BIND9)
```bash
# Generate a new TSIG key
tsig-keygen -a hmac-sha256 acme-update > /etc/bind/acme-update.key
# Contents of generated key file:
# key "acme-update" {
# algorithm hmac-sha256;
# secret "base64EncodedSecretKey==";
# };
```
### Security Notes
- **Network Security**: Ensure the DNS server is reachable from Charon (firewall rules, VPN)
- **Key Permissions**: TSIG keys should have minimal permissions (only `_acme-challenge` records)
- **Key Rotation**: Rotate TSIG keys periodically (recommended: every 90 days)
- **TLS Not Supported**: RFC 2136 uses UDP/TCP without encryption; use network-level security
---
## Webhook Provider
The Webhook provider enables integration with custom DNS APIs or automation platforms by sending HTTP requests to user-defined endpoints.
### Use Cases
- Custom internal DNS management APIs
- Integration with automation platforms (Ansible AWX, Rundeck, etc.)
- DNS providers without native Charon support
- Multi-system orchestration workflows
### Configuration
| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `create_url` | ✅ | — | URL to call when creating TXT records |
| `delete_url` | ✅ | — | URL to call when deleting TXT records |
| `auth_header` | ❌ | — | HTTP header name for authentication (e.g., `Authorization`) |
| `auth_value` | ❌ | — | HTTP header value (e.g., `Bearer token123`) |
| `timeout_seconds` | ❌ | `30` | Request timeout in seconds |
| `retry_count` | ❌ | `3` | Number of retry attempts on failure |
| `insecure_skip_verify` | ❌ | `false` | Skip TLS verification (⚠️ dev only) |
### URL Template Variables
The following variables are available in `create_url` and `delete_url`:
| Variable | Description | Example |
|----------|-------------|---------|
| `{{fqdn}}` | Full record name | `_acme-challenge.example.com` |
| `{{domain}}` | Base domain | `example.com` |
| `{{value}}` | TXT record value | `dGVzdC12YWx1ZQ==` |
| `{{ttl}}` | Record TTL | `120` |
### Example Configuration
```json
{
"type": "webhook",
"create_url": "https://dns-api.example.com/records?action=create&fqdn={{fqdn}}&value={{value}}",
"delete_url": "https://dns-api.example.com/records?action=delete&fqdn={{fqdn}}",
"auth_header": "Authorization",
"auth_value": "Bearer your-api-token",
"timeout_seconds": 30,
"retry_count": 3
}
```
### Webhook Request Format
**Create Request:**
```http
POST {{create_url}}
Content-Type: application/json
{{auth_header}}: {{auth_value}}
{
"fqdn": "_acme-challenge.example.com",
"domain": "example.com",
"value": "challenge-token-value",
"ttl": 120
}
```
**Delete Request:**
```http
POST {{delete_url}}
Content-Type: application/json
{{auth_header}}: {{auth_value}}
{
"fqdn": "_acme-challenge.example.com",
"domain": "example.com"
}
```
### Expected Responses
| Status Code | Meaning |
|-------------|---------|
| `200`, `201`, `204` | Success |
| `4xx` | Client error — check configuration |
| `5xx` | Server error — will retry based on `retry_count` |
### Security Notes
- **HTTPS Required**: Non-localhost URLs must use HTTPS
- **Authentication**: Always use `auth_header` and `auth_value` for production
- **Timeouts**: Set appropriate timeouts to avoid blocking certificate issuance
- **`insecure_skip_verify`**: Never enable in production; only for local development with self-signed certs
---
## Script Provider
The Script provider executes shell scripts to manage DNS records, enabling integration with legacy systems or tools without API access.
### ⚠️ HIGH-RISK PROVIDER
> **Warning**: Scripts execute with container privileges. Only use when no other option is available. Thoroughly audit all scripts before deployment.
### Use Cases
- Legacy DNS management tools (nsupdate wrappers, custom CLIs)
- Systems requiring SSH-based updates
- Complex multi-step DNS workflows
- Air-gapped environments with local tooling
### Configuration
| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `script_path` | ✅ | — | Path to script (must be in `/scripts/`) |
| `timeout_seconds` | ❌ | `60` | Maximum script execution time |
| `env_vars` | ❌ | — | Environment variables (`KEY=VALUE` format) |
### Script Interface
Scripts receive DNS operation details via environment variables:
| Variable | Description | Example |
|----------|-------------|---------|
| `DNS_ACTION` | Operation type | `create` or `delete` |
| `DNS_FQDN` | Full record name | `_acme-challenge.example.com` |
| `DNS_DOMAIN` | Base domain | `example.com` |
| `DNS_VALUE` | TXT record value (create only) | `challenge-token` |
| `DNS_TTL` | Record TTL (create only) | `120` |
**Exit Codes:**
| Code | Meaning |
|------|---------|
| `0` | Success |
| `1` | Failure (generic) |
| `2` | Configuration error |
### Example Configuration
```json
{
"type": "script",
"script_path": "/scripts/dns-update.sh",
"timeout_seconds": 60,
"env_vars": "DNS_SERVER=ns1.example.com,SSH_KEY_PATH=/secrets/dns-key"
}
```
### Example Script
```bash
#!/bin/bash
# /scripts/dns-update.sh
set -euo pipefail
case "$DNS_ACTION" in
create)
echo "Creating TXT record: $DNS_FQDN = $DNS_VALUE"
nsupdate -k /etc/bind/keys/update.key <<EOF
server $DNS_SERVER
update add $DNS_FQDN $DNS_TTL TXT "$DNS_VALUE"
send
EOF
;;
delete)
echo "Deleting TXT record: $DNS_FQDN"
nsupdate -k /etc/bind/keys/update.key <<EOF
server $DNS_SERVER
update delete $DNS_FQDN TXT
send
EOF
;;
*)
echo "Unknown action: $DNS_ACTION" >&2
exit 1
;;
esac
```
### Security Requirements
| Requirement | Details |
|-------------|---------|
| **Script Location** | Must be in `/scripts/` directory (enforced) |
| **Permissions** | Script must be executable (`chmod +x`) |
| **Audit** | Review all scripts before deployment |
| **Secrets** | Use mounted secrets, never hardcode credentials |
| **Timeouts** | Set appropriate timeouts to prevent hanging |
### Security Notes
- **Container Privileges**: Scripts run with full container privileges
- **Path Restriction**: Scripts must reside in `/scripts/` to prevent arbitrary execution
- **No User Input**: Script path cannot contain user-supplied data
- **Logging**: All script executions are logged to audit trail
- **Resource Limits**: Use `timeout_seconds` to prevent runaway scripts
- **Testing**: Test scripts thoroughly in non-production before deployment
---
## Provider Comparison
| Feature | RFC 2136 | Webhook | Script |
|---------|----------|---------|--------|
| **Setup Complexity** | Medium | Low | High |
| **Security** | High (TSIG) | Medium (HTTPS) | Low (shell) |
| **Flexibility** | DNS servers only | HTTP APIs | Unlimited |
| **Debugging** | DNS tools | HTTP logs | Script logs |
| **Recommended For** | Self-hosted DNS | Custom APIs | Legacy only |
## Related Documentation
- [DNS Provider Auto-Detection](./dns-auto-detection.md) — Automatic provider identification
- [Multi-Credential DNS Support](./multi-credential.md) — Managing multiple credentials per provider
- [Key Rotation](./key-rotation.md) — Credential rotation best practices
- [Audit Logging](./audit-logging.md) — Tracking DNS operations
---
_Last Updated: January 2026_
_Version: 1.4.0_
Reference in New Issue View Git Blame Copy Permalink