Using DNSControl with certbot/Let's Encrypt for DNS challenges


TmOnlineMapper

Jul 24, 2025, 5:53:30 PM
to DNSControl-discuss
Hello everyone,

certbot/Let's Encrypt by default uses HTTP challenges to verify a domain belongs to you, but they also provide the option to do it via DNS challenges, which is useful if you can't receive HTTP traffic on the machine issuing the certificate or if you plan to use wildcard certificates (as the only way to do that is via DNS challenge).
So since DNSControl practically is a universal adapter to a lot of DNS providers, I was wondering if anyone has done something like this or in general if there would be a desire to have something like this.

Challenges I currently see are that during the setup phase the auth script may be called multiple times for multiple domains and that may complicate things.
And during cleanup it seems a bit challenging to remove the records again without touching anything else. After all the NO_PURGE makes just adding entries really easy, but just removing individual entries doesn't seem super straightforward, unless I'm missing something.

So yeah as mentioned I was wondering if anyone had done anything like this and if not brainstorming with the community that has been using this software much longer than I have sounds fun.
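To make the two problems from this post concrete (the auth hook being invoked once per domain, and cleanup under NO_PURGE), here is an added sketch of a certbot `--manual-auth-hook` / `--manual-cleanup-hook` script that batches the validations and generates a DNSControl config. It is example code written for this thread, not something from the DNSControl project or from the poster. Assumptions: the hook is invoked by certbot with its documented `CERTBOT_DOMAIN`, `CERTBOT_VALIDATION` and `CERTBOT_REMAINING_CHALLENGES` variables; the zone is the last two labels of the FQDN (real zones need a proper mapping); the registrar and provider names `none` and `acme_provider` are placeholders that would have to exist in `creds.json`; and the state file and generated config paths are hypothetical defaults.

```shell
#!/bin/sh
# Added example: certbot DNS-01 hook that batches validations into a DNSControl config.
# Not DNSControl's own code. Paths, creds.json names and the zone heuristic are assumptions.
set -eu

STATE_FILE="${ACME_STATE_FILE:-/tmp/acme-dns-state.txt}"   # one line per pending record: zone label value
CONFIG_OUT="${ACME_DNSCONFIG:-/tmp/acme-dnsconfig.js}"     # generated dnsconfig.js
DNSCONTROL="${DNSCONTROL_BIN:-dnscontrol}"                 # dnscontrol binary

# Zone heuristic (assumption): the registered zone is the last two labels of the FQDN.
zone_of() {
  printf '%s\n' "$1" | awk -F. '{ n = NF; if (n >= 2) print $(n-1) "." $n; else print $0 }'
}

# Label inside the zone: "_acme-challenge" plus any subdomain labels below the zone apex.
label_of() {
  local fqdn="$1" zone
  zone=$(zone_of "$fqdn")
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${fqdn%."$zone"}"
  fi
}

# certbot calls the auth hook once per domain; we only append to local state here.
record_validation() {   # args: fqdn validation-token
  printf '%s %s %s\n' "$(zone_of "$1")" "$(label_of "$1")" "$2" >> "$STATE_FILE"
}

# Render a dnsconfig.js declaring only the pending TXT records. NO_PURGE is essential:
# without it a push of this minimal config would delete every other record in the zone.
render_config() {       # args: state-file; prints JavaScript on stdout
  awk '
    { recs[$1] = recs[$1] sprintf(",\n  TXT(\"%s\", \"%s\")", $2, $3) }
    END {
      printf "var REG = NewRegistrar(\"none\");\n"            # placeholder creds.json entry
      printf "var DSP = NewDnsProvider(\"acme_provider\");\n" # placeholder creds.json entry
      for (z in recs)
        printf "D(\"%s\", REG, DnsProvider(DSP), NO_PURGE%s\n);\n", z, recs[z]
    }' "$1"
}

case "${1:-}" in
  auth)
    record_validation "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    # Push once, after the last domain's hook call, so multi-domain/wildcard orders need one push.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" = "0" ]; then
      render_config "$STATE_FILE" > "$CONFIG_OUT"
      "$DNSCONTROL" push --config "$CONFIG_OUT"
      sleep "${ACME_DNS_PROPAGATION_SECONDS:-30}"   # give the provider time to publish
    fi
    ;;
  cleanup)
    # Dropping the lines from the state file and pushing again would NOT remove the TXT
    # records: NO_PURGE tells DNSControl to leave records absent from the config alone.
    # That is exactly the cleanup gap raised in the post, so this only clears local state;
    # the stale _acme-challenge records stay until removed by some other mechanism.
    rm -f "$STATE_FILE"
    ;;
esac
```

Invoked as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/path/hook.sh auth" --manual-cleanup-hook "/path/hook.sh cleanup" -d example.com -d '*.example.com'`. The batching via `CERTBOT_REMAINING_CHALLENGES` solves the first concern; the cleanup branch shows why the second one has no clean answer inside DNSControl's NO_PURGE model, which is what points towards a provider-level tool for the temporary records.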

TmOnlineMapper

Jul 24, 2025, 7:08:04 PM
to DNSControl-discuss
Ok. Maybe I should have done some more research into this.

Turns out there's a lovely Python project called dns-lexicon, which also abstracts away DNS providers. And modern versions of it even include it out of the box, so it's possible to implement it with minimal effort, if any is needed at all. And using such a tool to directly manipulate the records (temporarily) instead of trying to shoehorn it into a managing tool like DNSControl.

Still an interesting thought, but I believe ultimately useless here.