> I've been hesitant to set that up because I'm concerned about the potential compro...

throw0101a • today at 4:17 PM • 1 reply • view on HN

> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.

Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:

      {
         "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
         "Condition": {
            "ForAllValues:StringEquals": {
               "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
            }
         }
      }

* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...

BIND 9 example:

* https://dan.langille.org/2020/12/19/creating-a-very-specific...

You can also point the hostname that you wish to issues certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

Replies

justin_oaks • today at 4:42 PM

Yes, I see that AWS Route53 can limit credential scope. That kind of thing helps a lot.

I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.

➕ show 2 replies

alt Hacker News

Replies