Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
SoftTalker 5 months ago

I don't have an API or any permission to add TXT records to my DNS. That's a support ticket and has about a 24-hour turnaround best case.

Yeroc 5 months ago | parent | next [-]

I was just digging into this a bit and discovered ACME supports a something called DNS alias mode (https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...) which allows you to add a static DNS TXT record on your core domain that delegates to a second domain. This would allow you to setup a second domain with DNS API (if permitted by company policy!)

immibis 5 months ago | parent | prev | next [-]

Is this just because your DNS is with some provider, or is it something that leads from your organizational structure?

If it's just because your DNS is at a provider, you should be aware that it's possible to self-host DNS.

SoftTalker 5 months ago | parent [-]

It’s internal policy. We do run our own DNS.

procaryote 5 months ago | parent [-]

But that's pretty much self-inflicted damage.

JackSlateur 5 months ago | parent | prev | next [-]

You have people paid to create DNS records ? Haha

dijit 5 months ago | parent | next [-]

its’ not practical to give everyone write access to the google.com root zone.

Someone will fuck up accidentally, so production zones are usually gated somehow, sometimes with humans instead of pure automata.

JackSlateur 5 months ago | parent [-]

Why not ?

Giving write access does not mean giving unrestricted write access

Also, another way (which I built in a previous compagny) is to create a simple certificate provider (API or whatever), integrated with whatever internal authentication scheme you are using, and are able to sign csr for you. A LE proxy, as you might call it

SoftTalker 5 months ago | parent | prev [-]

Yes we do. That’s not the only thing they do of course.

xorcist 5 months ago | parent [-]

It also sounds like the right people to handle certificate issuance?

If you are not in a good position in the internal organization to control DNS, you probably shouldn't handle certificate issuance either. It makes sense to have a specific part of the organization responsible.

procaryote 5 months ago | parent | prev [-]

That's not great, sorry to hear