Besides possibly being a function of a provider's API, DNS server security policies can be used to limit updates to certain domains and/or record types based on a preshared key. Since the DNS-01 challenge only needs to make a TXT record with a predetermined name, you can configure a zone like so (using BIND syntax as an example):

    key "example-key" {
        algorithm hmac-sha512;
        secret "<KEY_HERE>";   // base64 TSIG secret, shared with the ACME client
    };

    zone "example.com" {
        ...
        update-policy {
            // this key may only touch the TXT record at this one name
            grant "example-key" name _acme-challenge.example.com TXT;
        };
    };

Another option is to have a CNAME from _acme-challenge.example.com to a dedicated challenge zone like challenges.example.com that has similar restrictions. This, coupled with something like acme.sh, makes it easy and relatively secure for machines to generate their own certificates.
w7|7 years ago
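The update-policy idea in the comment above, as an added example that is not w7's code and not BIND's own implementation: a small Python model of how grant rules are evaluated for a TSIG-signed dynamic update, showing what a key restricted to "_acme-challenge.example.com TXT" can and cannot change, plus the dedicated-challenge-zone variant. The key names "challenge-key" and "admin-key", the challenges.example.com layout and the sample updates are constructed for the example; BIND's deny rules and its other nametypes are not modelled.

```python
"""Simplified model of how BIND evaluates an update-policy for a
TSIG-signed dynamic update (added example, not the commenter's code).
Only `grant` rules with the `name` and `subdomain` nametypes are
modelled; BIND's `deny` rules and other nametypes are left out."""
from dataclasses import dataclass

# RR types that BIND will not let a grant without an explicit type list modify.
PROTECTED_TYPES = frozenset({"SOA", "NS", "RRSIG", "NSEC", "NSEC3"})


def canon(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot so 'A.Example.com.' == 'a.example.com'."""
    return name.lower().rstrip(".")


@dataclass(frozen=True)
class Grant:
    """One `grant <identity> <nametype> <name> [types]` rule."""
    identity: str                    # TSIG key name that signed the update
    nametype: str                    # "name" (exact) or "subdomain" (name and everything below it)
    name: str                        # the owner name, or apex for "subdomain", the rule applies to
    types: frozenset = frozenset()   # empty means any type except PROTECTED_TYPES

    def matches(self, key_name: str, target: str, rrtype: str) -> bool:
        if canon(self.identity) != canon(key_name):
            return False
        target_c, rule_c = canon(target), canon(self.name)
        if self.nametype == "name":
            name_ok = target_c == rule_c
        elif self.nametype == "subdomain":
            name_ok = target_c == rule_c or target_c.endswith("." + rule_c)
        else:
            raise ValueError(f"nametype {self.nametype!r} is not modelled here")
        if not name_ok:
            return False
        if self.types:
            return rrtype.upper() in self.types
        return rrtype.upper() not in PROTECTED_TYPES


def update_allowed(policy: list, key_name: str, target: str, rrtype: str) -> bool:
    """Permit the update if any grant matches; no matching grant means the update is refused."""
    return any(rule.matches(key_name, target, rrtype) for rule in policy)


# The policy from the comment: the ACME key may only write the TXT record
# at _acme-challenge.example.com and nothing else in the zone.
ACME_POLICY = [
    Grant("example-key", "name", "_acme-challenge.example.com", frozenset({"TXT"})),
]

# The CNAME variant: _acme-challenge.example.com points into a dedicated
# challenge zone, and the key is only granted TXT rights inside that zone.
# (Key name and zone layout are constructed for this example.)
CHALLENGE_ZONE_POLICY = [
    Grant("challenge-key", "subdomain", "challenges.example.com", frozenset({"TXT"})),
]

# An unrestricted operator key for contrast (constructed): it can change most
# records in the zone but still not the protected types.
ADMIN_POLICY = [Grant("admin-key", "subdomain", "example.com")]


if __name__ == "__main__":
    checks = [
        (ACME_POLICY, "example-key", "_acme-challenge.example.com.", "TXT"),
        (ACME_POLICY, "example-key", "_acme-challenge.example.com", "A"),
        (ACME_POLICY, "example-key", "www.example.com", "TXT"),
        (ACME_POLICY, "other-key", "_acme-challenge.example.com", "TXT"),
        (CHALLENGE_ZONE_POLICY, "challenge-key", "host1.challenges.example.com", "TXT"),
        (CHALLENGE_ZONE_POLICY, "challenge-key", "www.example.com", "TXT"),
        (ADMIN_POLICY, "admin-key", "www.example.com", "A"),
        (ADMIN_POLICY, "admin-key", "example.com", "SOA"),
    ]
    for policy, key, name, rrtype in checks:
        verdict = "ALLOW" if update_allowed(policy, key, name, rrtype) else "REFUSE"
        print(f"{verdict:6} key={key} {name} {rrtype}")
```

The point the model makes explicit is the blast radius of a leaked ACME key: under ACME_POLICY it can only rewrite one TXT record, and under the CNAME variant it never touches the production zone at all, which is what makes handing such a key to an unattended acme.sh client acceptable.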