We use two DNS providers for redundancy. Since the DynDNS DDOS attack of 2016, I expect we are not alone in this practice.
I am attempting to use the Let's Encrypt certbot with DNS challenge. Having two DNS providers seems to pose a problem. Do both DNS providers need to be updated with identical TXT records as part of the challenge process?
The real question is, how does the Let's Encrypt ACME Certificate Authority (CA) validate DNS TXT entries? Does it simply query the public DNS like any client would, or does it query against the specific DNS provider that maps to the certbot plugin I'm using? I suspect the former.
I attempted to create a certificate using only one of the plugins. The TXT entries were created, but validation failed. I expect I will need to update both DNS providers (or figure out how to link the two providers so they synchronize changes).
The documentation doesn't seem to indicate that using multiple plugins of the same type is possible, although I haven't tried it yet. One of my providers requires that I upgrade to gain access to their API.
If it is not possible to chain multiple authentication plugins, then I believe my only option for automated renewal is using the pre- and post-hooks with a custom script to modify both DNS providers.
I'd appreciate confirmation of this before I undertake the work and expense required (or choose to manage the renewal process manually).
EDIT: I'm aware that StackExchange wrote and published its own open-source DNS updater, dnscontrol, which could be used in pre- and post-hook scripts. However, one of our providers is not supported.
There are plenty of 3rd party ACME (LetsEncrypt) clients out there that provide more features than the default certbot. They maintain a list on their site here: ACME Client Implementations
A lot of them have some sort of DNS plugin architecture and some allow you to specify different plugins for different names in a cert. But none that I know of allow you to combine plugins per-zone (such that more than one plugin would service a single zone's TXT record).
However, if you're already considering writing pre/post hooks to get this done. I'd suggest using something like acme.sh. It has a ton of pre-written DNS plugins. You could probably fairly easily combine two or more of them into a single merged plugin that would effectively accomplish your goal.
Letsencrypt validates your TXT entries by just querying a random resolver, with no control whatsoever about which one of your name servers is going to be used.
I recommend you delegate the
_acme-challenge.example.com.
zone to just one dns provider you have automated access to. You will never have a DoS situation at any of your DNS providers for longer than it takes to change this - or for longer than letsencrypt certificates are valid for. Therefore, its okay to skip the redundancy for ACME only, so you can use all the automation just like before you added more name servers.edit based on comments: This strategy will not allow to continue certbot, as the respective certbot plugins is not correctly handling aliased or delegated validation domains. It should look to modify the zone of the validation record, but attempts to modify the zone of the validated domain, disregarding that it is very valid and for them to differ.
Other acme clients may require to explicitely state the location of the validation record, as is the case with acme.sh