You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -52,17 +52,14 @@ This plugin has been tested and confirmed to work with the following ACME provid
52
52
53
53
It is designed to be provider-agnostic and should work with any standards-compliant ACME server.
54
54
55
-
### 🌐 Supported DNS Providers
56
-
DNS-01 challenge automation is supported through the following providers:
57
-
-**Google Cloud DNS**
58
-
-**AWS Route 53**
59
-
-**Azure DNS**
60
-
-**Cloudflare**
61
-
-**NS1**
62
-
-**Infoblox**
63
-
-**RFC 2136 Dynamic DNS** (BIND with TSIG authentication)
64
-
65
-
Additional DNS providers can be added by extending the included `IDnsProvider` interface.
55
+
### 🌐 DNS Providers (Pluggable)
56
+
DNS-01 challenge automation is handled by **separate, pluggable DNS provider plugins** that are deployed alongside the AnyCA Gateway — they are no longer built into this plugin. The Gateway resolves the appropriate DNS provider plugin per domain at enrollment time.
57
+
58
+
For the current list of available DNS provider plugins, see the Keyfactor GitHub organization:
59
+
60
+
👉 **[Keyfactor DNS provider plugins (`-dnsplugin`)](https://github.com/orgs/Keyfactor/repositories?q=-dnsplugin)**
61
+
62
+
Each plugin repository documents its own supported authentication methods and configuration keys. New DNS providers can be added by publishing a new plugin that implements the Gateway's `IDomainValidator` interface — no change to this ACME plugin is required.
66
63
67
64
---
68
65
@@ -102,17 +99,15 @@ The Acme AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor custo
102
99
This plugin automates DNS-01 challenges using pluggable DNS provider implementations. These providers create and remove TXT records to prove domain control to ACME servers.
103
100
104
101
<details>
105
-
<summary><strong>✅ Supported DNS Providers</strong></summary>
<summary><strong>🔌 Available DNS Provider Plugins</strong></summary>
103
+
104
+
DNS providers are distributed as **standalone plugins**, each in its own repository, and are deployed alongside the AnyCA Gateway rather than bundled into this ACME plugin. This lets you add or upgrade a DNS provider without rebuilding the ACME plugin.
105
+
106
+
For the current, authoritative list of available DNS provider plugins, query the Keyfactor GitHub organization:
Each plugin's own repository is the source of truth for its supported authentication methods, required configuration keys, and setup instructions. Configure the DNS provider(s) through the AnyCA Gateway's **Domain Validation** configuration; the Gateway resolves the correct plugin per domain at enrollment time.
Authentication methods and required configuration keys are specific to each DNS provider and are **documented in that provider's own plugin repository** — see the [`-dnsplugin` repositories](https://github.com/orgs/Keyfactor/repositories?q=-dnsplugin). Credentials and settings are supplied through the AnyCA Gateway's **Domain Validation** configuration for the chosen plugin, not in this ACME plugin's configuration.
214
179
215
180
</details>
216
181
217
182
<details>
218
-
<summary><strong>🏢 On-Premise DNS (RFC 2136)</strong></summary>
219
-
220
-
The RFC 2136 provider enables ACME DNS-01 challenges with on-premise DNS servers that support dynamic updates, including:
221
-
222
-
-**BIND** (Berkeley Internet Name Domain)
223
-
-**PowerDNS** (with dynamic update support)
224
-
- Any DNS server supporting RFC 2136 with TSIG authentication
|`Rfc2136_Port`| DNS server port (default: `53`) | Optional |
236
-
|`DnsVerificationServer`| DNS server IP for verification (for private zones) | Optional |
185
+
On-premise and private DNS support (e.g. RFC 2136 dynamic updates against BIND/PowerDNS with TSIG) is provided by the corresponding DNS provider plugin — see its repository under the [`-dnsplugin` list](https://github.com/orgs/Keyfactor/repositories?q=-dnsplugin) for TSIG key generation, server/zone settings, and setup examples.
237
186
238
-
#### Generating TSIG Keys
239
-
240
-
**For BIND:**
241
-
bash
242
-
243
-
**Generate a TSIG key using tsig-keygen (BIND 9.10+)**
244
-
tsig-keygen -a hmac-sha256 acme-update-key
245
-
246
-
**Output example:**
247
-
key "acme-update-key" {
248
-
algorithm hmac-sha256;
249
-
secret "base64encodedkey==";
250
-
};
251
-
252
-
#### BIND Configuration Example
253
-
254
-
Add to `named.conf`:
255
-
256
-
key "acme-update-key" {
257
-
algorithm hmac-sha256;
258
-
secret "YourBase64EncodedKeyHere==";
259
-
};
260
-
261
-
zone "example.com" {
262
-
type master;
263
-
file "/var/named/example.com.zone";
264
-
allow-update { key "acme-update-key"; };
265
-
};
266
-
267
-
268
-
> ⚠️ **Security Note:** TSIG keys should be treated as secrets. Store them securely and use strong keys generated with cryptographically secure random number generators.
269
-
270
-
> ⚠️ **Private DNS Zones:** For private/local DNS zones (e.g., `.local`), set `DnsVerificationServer` to your authoritative DNS server IP so the plugin can verify TXT record propagation.
187
+
> ⚠️ **Private DNS Zones:** For private/local DNS zones (e.g., `.local`) that are not reachable via public resolvers, set `DnsVerificationServer` to your authoritative DNS server IP. This ACME plugin uses it both to verify TXT record propagation and to resolve CNAME delegation chains.
271
188
272
189
</details>
273
190
274
191
<details>
275
192
<summary><strong>🧩 Adding New DNS Providers</strong></summary>
DNS providers are independent plugins, so adding a new one requires **no change to this ACME plugin**. Publish a plugin that implements the AnyCA Gateway's `IDomainValidator` interface (create/cleanup the validation record for a domain), deploy it alongside the Gateway, and configure it under **Domain Validation**. The Gateway will resolve it per domain at enrollment time.
293
195
294
-
3. Use zone detection logic similar to `GoogleDnsProvider`, `AzureDnsProvider`, or `Ns1DnsProvider`.
295
-
296
-
Each provider is instantiated dynamically based on the `DnsProvider` field in the `AcmeClientConfig`.
297
-
298
-
> 🔁 This modular DNS system ensures challenge automation works across cloud providers and is easily extensible.
196
+
Use any existing plugin in the [`-dnsplugin` list](https://github.com/orgs/Keyfactor/repositories?q=-dnsplugin) as a reference implementation.
299
197
300
198
</details>
301
199
302
200
<details>
303
-
<summary><strong>🔒 CA-Level DNS Provider Binding</strong></summary>
201
+
<summary><strong>🔒 Per-Domain DNS Provider Resolution</strong></summary>
304
202
305
-
Each ACME/DNS combination is supported **at the CA level**, meaning that only **one DNS provider** is configured per CA entry in Keyfactor. This ensures a clear and isolated challenge path for each ACME CA connector instance.
306
-
307
-
If you need to support multiple DNS zones/providers (e.g., both AWS and Cloudflare), configure **separate CA entries**, each with its own DNS provider configuration.
203
+
You can configure **multiple DNS provider plugins** and the Gateway selects the appropriate one for each domain based on your **Domain Validation** configuration (matching a configured, optionally wildcard, domain pattern). This also means a single certificate with SANs across different zones/providers can be validated using different plugins, and CNAME-delegated challenges are routed to the plugin that owns the delegation target's zone (see **CNAME Delegation** above).
308
204
309
205
</details>
310
206
@@ -576,13 +472,9 @@ If `AccountStoragePath` is not set and `%APPDATA%` is unavailable, the plugin de
576
472
</details>
577
473
578
474
<details>
579
-
<summary><strong>🌐 Google Cloud DNS in Containers</strong></summary>
580
-
581
-
For Google Cloud DNS in container environments, you have three authentication options:
475
+
<summary><strong>🌐 DNS Provider Authentication in Containers</strong></summary>
582
476
583
-
1.**Workload Identity (GKE)**: No explicit credentials needed; uses pod identity.
584
-
2.**JSON key in config**: Paste the service account JSON directly into `Google_ServiceAccountKeyJson`.
585
-
3.**Mounted JSON file**: Mount the service account key file and set `Google_ServiceAccountKeyPath`.
477
+
DNS provider credentials in containerized environments are handled by each **DNS provider plugin**, not by this ACME plugin. Options such as cloud-native identity (GKE Workload Identity, EKS IRSA, AKS Pod Identity), mounted key files, or config-supplied secrets depend on the provider — see the relevant plugin under the [`-dnsplugin` list](https://github.com/orgs/Keyfactor/repositories?q=-dnsplugin) for its supported container authentication methods.
0 commit comments