
Syntax or support for specifying multiple DNS providers #1342

Open
nneul opened this issue Feb 5, 2021 · 4 comments

Comments


nneul commented Feb 5, 2021

I'd like to be able to specify different upstream providers for different domains, and it isn't clear if this is supported by the client.

i.e. example-a.com uses route53, and example-b.com uses cloudflare

How do I request a cert containing both example-a.com and example-b.com using lego in that scenario?


nneul commented Feb 5, 2021

If this isn't supported, a couple of possible approaches:

  1. Allow 'dns' option to accumulate multiple providers, and just iterate through -- for each provider where lego finds the base domain, update the records.

  2. Allow for additional syntax (for dns and http providers) -- something like:

--dns:example-a.com route53

something to basically say "This mechanism is only for that particular domain"
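As an added example (not lego's code, and not an implementation from this thread), the second approach could be expressed as a routing provider in Go: one backend per zone, and each name is sent to the longest matching zone. The `Provider` interface is assumed to mirror lego's `challenge.Provider` methods (`Present`/`CleanUp`); the zone names and `FakeProvider` are constructed for illustration.

```go
package main

import "fmt"
import "strings"

// Provider mirrors lego's challenge.Provider method set (declared locally so this builds alone).
type Provider interface {
	Present(domain, token, keyAuth string) error
	CleanUp(domain, token, keyAuth string) error
}

// RoutingProvider holds one backend per zone, i.e. "--dns:example-a.com route53".
type RoutingProvider struct {
	Zones map[string]Provider // zone without trailing dot -> backend for that zone
}

// ZoneFor picks the longest configured zone owning domain; no match is an error, not a silent fallback.
func (r *RoutingProvider) ZoneFor(domain string) (string, error) {
	name, best := strings.TrimSuffix(strings.ToLower(domain), "."), ""
	for zone := range r.Zones {
		if (name == zone || strings.HasSuffix(name, "."+zone)) && len(zone) > len(best) {
			best = zone
		}
	}
	if best == "" {
		return "", fmt.Errorf("no DNS provider configured for %q", domain)
	}
	return best, nil
}

func (r *RoutingProvider) Present(domain, token, keyAuth string) error {
	zone, err := r.ZoneFor(domain)
	if err != nil {
		return err
	}
	return r.Zones[zone].Present(domain, token, keyAuth)
}

func (r *RoutingProvider) CleanUp(domain, token, keyAuth string) error {
	zone, err := r.ZoneFor(domain)
	if err != nil {
		return err
	}
	return r.Zones[zone].CleanUp(domain, token, keyAuth)
}

// FakeProvider stands in for a real backend (route53, cloudflare) and records presented names.
type FakeProvider struct{ Seen []string }
func (p *FakeProvider) Present(d, _, _ string) error { p.Seen = append(p.Seen, d); return nil }
func (p *FakeProvider) CleanUp(string, string, string) error { return nil }
```

The suffix check requires a dot boundary, so `notexample-a.com` does not match the `example-a.com` zone, and a name with no configured zone fails before any provider API is called.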

@jmjolysc

+1

That part of lego is quite confusing if used in combination with the Terraform ACME Provider. That provider actually allows for multiple providers in DNS challenges and does configure these properly, but lego seems to only pick one of them.

As a workaround, temporarily inverting the order of the DNS challenges does the trick, as it validates the remaining names with the other provider. Here's what the temporary Terraform plan does:

...
        ~ dns_challenge {
              config   = (sensitive value)
            ~ provider = "cloudflare" -> "route53"
          }
        ~ dns_challenge {
              config   = (sensitive value)
            ~ provider = "route53" -> "cloudflare"
          }
...

From a user's perspective, I think the right way to choose the provider is by either explicitly specifying the provider of a name or maybe by automatically detecting the authoritative servers of each name (AWS and Cloudflare publish their respective IP ranges).

Could we turn this question into a feature improvement? Please let me know if you need additional information on this issue. Thank you.


kajtzu commented Jul 4, 2022

I stumbled on this issue by accident as I was looking into a scenario combining octodns/octodns with two DNS providers and allowing ACME requests to bypass the octodns pipeline completely. To get this to work I would need lego to be able to write to both DNS providers separately.
In my case both providers would have identical copies of the zone contents since the purpose of the exercise is to:

  • rely on 3rd party DNS providers with large anycast networks
  • attempt to minimize downtime potential by using two separate providers rather than one

As an easy to understand example, look at github.com which uses this pattern and is also the original creator of octodns :)

% dig github.com NS +short
dns4.p08.nsone.net.
dns1.p08.nsone.net.
ns-520.awsdns-01.net.
ns-1707.awsdns-21.co.uk.
ns-1283.awsdns-32.org.
ns-421.awsdns-52.com.
dns3.p08.nsone.net.
dns2.p08.nsone.net.


jmleddy commented Oct 6, 2023

I've opened a pull request hoping to support multiple providers #2028
