Add Technitium API support to lexicon #546

Closed
renne opened this issue Feb 2, 2023 · 7 comments

@renne

renne commented Feb 2, 2023

lexicon is an abstraction layer for DNS provider APIs available via the Python Package Index.
I suggest adding the Technitium API as a provider to lexicon.

lexicon developer guide

@ShreyasZare
Member

Thanks for the post. I would recommend that you post this as an issue in the lexicon project itself to reach out to its developers.

@Djelibeybi

Not Lexicon, but I just submitted a PR to include DNS API support for Technitium to acme.sh.

I've submitted a provider to Lexicon before, so if I can find some spare time, I'll see what I can do.

@renne
Author

renne commented Feb 11, 2023

@Djelibeybi
lexicon support would be great for all the web interfaces requesting Let's Encrypt certificates.
Instead of the HTTP challenge, the DNS challenge could be used (e.g. for wildcard sub-domains).

@Djelibeybi

@renne you can use Lexicon's existing ddns provider with Technitium. To do this, add a TSIG key via Settings -> TSIG. I recommend using a simple key name and letting Technitium generate a strong secret for you. Leave the algorithm as HMAC-SHA256 too.

You then need to allow both zone transfers and dynamic updates for Lexicon using that TSIG key. If you can limit the source IP addresses, that would be good. On the Dynamic Update page, you need to specify the domain name as *.domain.com and the record type can be limited to TXT.

When running Lexicon, the --auth-token parameter is hmac-sha256:lexicon:<shared_secret> and the --ddns-parameter is just the IP address of your Technitium server.

@ShreyasZare
Member

> @renne you can use Lexicon's existing ddns provider with Technitium. To do this, add a TSIG key via Settings -> TSIG. I recommend using a simple key name and letting Technitium generate a strong secret for you. Leave the algorithm as HMAC-SHA256 too.
>
> You then need to allow both zone transfers and dynamic updates for Lexicon using that TSIG key. If you can limit the source IP addresses, that would be good. On the Dynamic Update page, you need to specify the domain name as *.domain.com and the record type can be limited to TXT.
>
> When running Lexicon, the --auth-token parameter is hmac-sha256:lexicon:<shared_secret> and the --ddns-parameter is just the IP address of your Technitium server.

Yes, dynamic update is a good option which is widely supported.

Just adding a clarification that you don't need to enable zone transfer for using dynamic updates, as both are independent functions.

Also, in the dynamic update security policy, it's recommended to use the specific domain name _acme-challenge.example.com instead of *.example.com and the record type TXT. This is so that if the TSIG key is leaked, then the attacker won't be able to update any other record except for the specified domain name and record type.
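The scoping argument above, as an added example that is not part of this thread nor code from Lexicon or Technitium: a server-side check that first authenticates an update request with the shared TSIG secret and then applies the dynamic update security policy, comparing the narrow `_acme-challenge.example.com`/TXT policy with the `*.example.com`/TXT one. The MAC here is a stand-in for TSIG's HMAC-SHA256 (not the real wire format), the secret is constructed, and the wildcard semantics (any name strictly below the zone apex) are an assumption.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class UpdatePolicy:
    """Dynamic update policy row: key name, domain name (exact or "*.zone"), record type."""
    key_name: str
    name_pattern: str
    rtype: str

    def permits(self, name: str, rtype: str) -> bool:
        name = name.lower().rstrip(".")
        pattern = self.name_pattern.lower().rstrip(".")
        if rtype.upper() != self.rtype.upper():
            return False
        if pattern.startswith("*."):
            # Assumed wildcard semantics: any name strictly below the zone apex.
            return name.endswith(pattern[1:]) and name != pattern[2:]
        return name == pattern

def sign_update(secret_b64: str, key_name: str, name: str, rtype: str, data: str) -> str:
    """Stand-in for the TSIG HMAC-SHA256 (not the RFC 8945 wire format):
    hex MAC over the request fields the server will check."""
    key = base64.b64decode(secret_b64)
    msg = "|".join((key_name, name.lower().rstrip("."), rtype.upper(), data)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorize_update(secret_b64: str, policy: UpdatePolicy, key_name: str,
                     name: str, rtype: str, data: str, mac: str) -> str:
    """Server-side decision: authenticate the key first, then apply the policy."""
    if key_name != policy.key_name:
        return "unknown-key"
    expected = sign_update(secret_b64, key_name, name, rtype, data)
    if not hmac.compare_digest(expected, mac):
        return "bad-mac"
    if not policy.permits(name, rtype):
        return "denied"  # valid key, but outside the name/type scope
    return "ok"

# Constructed example secret standing in for the one Technitium would generate.
SECRET = base64.b64encode(b"constructed-example-secret-not-real").decode()
NARROW = UpdatePolicy("lexicon", "_acme-challenge.example.com", "TXT")
WIDE = UpdatePolicy("lexicon", "*.example.com", "TXT")

if __name__ == "__main__":
    mac = sign_update(SECRET, "lexicon", "www.example.com", "TXT", "challenge-token")
    print(authorize_update(SECRET, NARROW, "lexicon", "www.example.com", "TXT", "challenge-token", mac))
    print(authorize_update(SECRET, WIDE, "lexicon", "www.example.com", "TXT", "challenge-token", mac))
```

With a valid key, the narrow policy answers `denied` for the www TXT update and the wildcard policy answers `ok`, which is exactly the difference that matters once the key has leaked.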

@Djelibeybi

Zone transfer has to be allowed to enable Lexicon's ddns provider to list domain records.

@ShreyasZare
Member

> Zone transfer has to be allowed to enable Lexicon's ddns provider to list domain records.

OK, good to know. In that case it would be good to configure a TSIG key for zone transfer too, if that is supported by Lexicon, to prevent anyone from doing a zone transfer.
