DNS Integration

Certificate issuers such as Let’s Encrypt require that you prove technical control of the domain you are issuing a certificate for. A common way of doing this is by adding a DNS TXT record to your public DNS zone. The value of the TXT record is provided by the certificate issuer, which then checks that the requested record is present to verify that you indeed control the domain.

TrustView can integrate with your DNS and automatically add the requested DNS TXT records whenever a certificate is ordered through TrustView. A DNS provider in TrustView is a DNS integration covering a number of domains; TrustView uses it to add DNS TXT records whenever a certificate is ordered for one of the domains that the provider handles.

Adding a DNS provider

Step 1

Click DNS integration in the left menu under the Management section.

[Screenshot: the list of all the existing DNS providers]

Step 2

Click Add to add a new DNS provider.

Step 3

Select the type of DNS provider you wish to use. Currently, TrustView supports 13 DNS providers:

  • Cloudflare - a commercial provider of DNS services

  • PowerDNS - an open source DNS service provider

  • Azure DNS - Microsoft Azure

  • UltraDNS - UltraDNS

  • Google Cloud DNS - Google Cloud DNS

  • Akamai Edge DNS - Akamai Edge DNS

  • Infoblox - Infoblox

  • EuroDNS - EuroDNS

  • DNSimple - DNSimple

  • Amazon Route 53 - Amazon Route 53

  • File system based - writes the DNS record to the local file system. You can then integrate with your DNS provider yourself by creating a script that reads the DNS records and adds them to the DNS

  • E-mail - Sends the DNS TXT token to a specified e-mail

  • Microsoft DNS - use a Windows server as a DNS server

Step 4 - Cloudflare

To add a Cloudflare DNS provider, complete the following steps:

  1. Enter your global API key

  2. Enter your email

  3. Click Add

Step 4 - PowerDNS

To add a PowerDNS DNS provider, complete the following steps:

  1. Enter your API key

  2. Enter your host, e.g. http://127.0.0.1:8081

  3. Enter your server ID (the default is localhost, but a proxy can be set up in front of several servers, each with its own server ID)

  4. Click Add

Important

Enabling the API

To enable the API, both the webserver and the HTTP API need to be enabled. Add the lines api=yes and api-key=changeme to pdns.conf and restart PowerDNS. Replace changeme with a strong, unique key: whoever holds it can change every zone the server hosts.

The following examples should start working:

    curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost
    curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones
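As an added example (not TrustView's own code), the same API used to add and later remove the _acme-challenge TXT record that a DNS-01 challenge needs. The host, server ID and key are the values from the steps above; the zone name and token are constructed samples.

```python
import json
import urllib.request

# Added example, not TrustView code: publish and later remove the ACME
# DNS-01 TXT record through the PowerDNS API enabled above.

def acme_txt_rrset(zone: str, token: str, changetype: str = "REPLACE", ttl: int = 60) -> dict:
    """Body for PATCH /api/v1/servers/{server_id}/zones/{zone}.

    PowerDNS wants canonical (dot-terminated) names and quoted TXT content;
    a short TTL keeps a stale challenge value from lingering in caches."""
    if changetype not in ("REPLACE", "DELETE"):
        raise ValueError("changetype must be REPLACE or DELETE")
    rrset = {"name": f"_acme-challenge.{zone.rstrip('.')}.", "type": "TXT",
             "changetype": changetype}
    if changetype == "REPLACE":
        rrset["ttl"] = ttl
        rrset["records"] = [{"content": f'"{token}"', "disabled": False}]
    return {"rrsets": [rrset]}

def pdns_patch_zone(host: str, api_key: str, server_id: str, zone: str, body: dict) -> int:
    """Send the PATCH with the key in X-API-Key, as in the curl examples.
    PowerDNS answers 204 No Content when the change was applied."""
    url = f"{host.rstrip('/')}/api/v1/servers/{server_id}/zones/{zone.rstrip('.')}."
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Values from Step 4 above; zone and token are constructed samples.
    HOST, KEY, SERVER, ZONE = "http://127.0.0.1:8081", "changeme", "localhost", "example.org"
    TOKEN = "constructed-sample-token"      # the CA supplies the real value
    print(pdns_patch_zone(HOST, KEY, SERVER, ZONE, acme_txt_rrset(ZONE, TOKEN)))
    # Once the CA has validated the challenge, remove the record again:
    print(pdns_patch_zone(HOST, KEY, SERVER, ZONE, acme_txt_rrset(ZONE, TOKEN, "DELETE")))
```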

Step 4 - Azure

To add an Azure DNS provider, complete the following steps:

  1. Enter your Subscription Id

  2. Enter your Resource group name

  3. Enter your App Id

  4. Enter your Password

  5. Enter your Tenant Id

Azure CLI

The Azure CLI is a command-line tool that allows you to manage and interact with Azure resources, including the ability to get the necessary accounts and tokens required to interact with Azure. This is used to create a service principal, which will be used to get credentials used for authentication.

You can either use the Azure Cloud Shell or install the Azure CLI locally

Cloud Shell

The Azure Cloud Shell is an in-browser terminal interface that allows you to execute Azure CLI commands without installing the Azure CLI locally

Azure CLI Local Install

  1. Install the Azure CLI: Azure CLI

  2. Login with az login

  3. Select your active Azure subscription with:

    az account set -n {name of your sub}

Service principal

A service principal is an Azure account that allows you to perform actions on Azure resources. A service principal is like a system account that can have roles assigned to it and can be used to get authentication tokens.

Tip

More info here: Azure service principal

Create the service principal

In Azure CLI, type the following command:

    az ad sp create-for-rbac --role Contributor

[Screenshot: Service principal]

The resource group name can be found here:

[Screenshot: Azure service]

The subscription Id can be found here:

[Screenshot: Azure service]

Important

The app (service principal) used for DNS must have at least the Contributor role; otherwise it lacks the rights needed to manage the zone.

Step 4 - UltraDNS

To add an UltraDNS provider, complete the following steps:

  1. Enter your username

  2. Enter your password

Note

The minimum rights needed for an API-only user are as follows:

  1. List zones

  2. View zone details

  3. List records

  4. View record details

  5. Add/update/delete records

Step 4 - Google Cloud DNS

To add Google Cloud DNS as a provider, complete the following steps:

  1. Create an account: Google Cloud Console or use an existing account to login to the Google Cloud Console

  2. Create a new project or use an existing Google Cloud DNS project: Google Cloud DNS Project

  3. Create a new Service Account or use an existing: Google Cloud Service Account

  4. Download the private key in JSON format: Click the Service Account and go to the KEYS tab. Click Add key and Create new key, then select the JSON key type

  5. The exported JSON key must then be uploaded to TrustView under the DNS integration section

  6. Add the Project ID (which is not necessarily the same as the Project Name) to TrustView and click Add

  7. Once Google Cloud DNS has been successfully added as a DNS provider, click Update domain list to list all the added domains

  8. If no domains have been created, they can be created from the Google Cloud Console: Create Google Cloud Domain

Permissions needed for the DNS Administrator role:

    dns.changes.create
    dns.managedZones.list
    dns.resourceRecordSets.create
    dns.resourceRecordSets.get
    dns.resourceRecordSets.update

Step 4 - File system

To add a file system-based DNS provider, complete the following steps:

  1. Enter the directory to store the DNS records in (the directory entered here must be created manually on the server)

  2. Enter the domain that the DNS provider is handling, e.g. example.org

  3. Click Add domain

  4. Enter and add additional domains if required

  5. Click Add

Important

The directory prefix must be set in the configuration file: add dnsprovider.filesystem.pathprefix = "C://temp/" to the TrustView.groovy file. The example uses the C: drive, but any drive or directory can be used.

Step 4 - Microsoft DNS

First, the DnsServer PowerShell module must be installed. It is obtained either by installing the DNS Server role or by adding the DNS Server Tools, which are part of the Remote Server Administration Tools (RSAT) feature, on the Windows server.

Integration with Microsoft DNS requires a PowerShell script so that Let’s Encrypt certificate issuance can be automated.

The TV-MicrosoftDNS.zip file below contains 4 files. The file transferdnsrecords.ps1 is optional; it helps transfer DNS TXT records between servers when the TrustView server and the DNS server are not domain joined.

TV-MicrosoftDNS.zip

Once the files have been extracted, run the following PowerShell command to install the msdns.ps1 script as a Windows service and make it run in the background:

Install the Microsoft DNS service

    C:\temp\TV-MicrosoftDNS> .\TrustView-MS-DNS-Service.exe install

Important

The main script msdns.ps1 and the optional transferdnsrecords.ps1 contain a set of parameters at the top of the script that need to be adjusted to fit your setup (zone name, credentials, etc.).

If your Windows server hosts an internal DNS setup, you can point TrustView at an external DNS server in the TrustView.groovy configuration file, so that the DNS TXT records are validated the way e.g. Let’s Encrypt will see them. Add the following line to the configuration file:

    staticAuthoritativeDnsIpList = "8.8.8.8,8.8.4.4"

TrustView will now attempt to validate the DNS challenges against these IPs, which are Google Public DNS resolvers.
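As an added example (not TrustView code), a pre-flight check in the spirit of that setting: it asks each resolver in a staticAuthoritativeDnsIpList-style string for the _acme-challenge TXT record over UDP port 53 and reports whether the CA-supplied token is visible everywhere before validation starts. The domain and token are constructed; the query builder and parser are minimal and assume the reply fits in one datagram.

```python
import socket
import struct
# Added example, not TrustView code: check the challenge TXT record at the resolvers listed in staticAuthoritativeDnsIpList.

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 1)           # QTYPE=TXT, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:   # offset just past a name; a pointer (0xC0..) ends it in 2 bytes
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_txt_answers(msg: bytes) -> list:
    """Collect the TXT strings in the answer section; [] when RCODE signals an error."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                           # TXT rdata: one or more <len><chars> strings
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            texts.append("".join(parts))
    return texts

def challenge_visible(domain: str, token: str, resolver_list: str, timeout: float = 3.0) -> bool:
    query = build_txt_query(f"_acme-challenge.{domain}")
    for ip in resolver_list.split(","):           # same comma-separated format as the config line
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (ip.strip(), 53))
            reply, _ = sock.recvfrom(4096)
        if reply[:2] != query[:2] or token not in parse_txt_answers(reply):
            return False
    return True
```

Call challenge_visible("example.org", token, "8.8.8.8,8.8.4.4") and only hand the order to the CA when it returns True; a False from one resolver usually means the record has not propagated yet.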