4. DNS Integration
Certificate issuers such as Let’s Encrypt require that you prove technical control of the domain you are issuing a certificate for, because the certificates they issue are DV (Domain Validated) certificates. A common way of doing this is by adding a DNS TXT record to your public DNS. The value of the DNS TXT record is provided by the certificate issuer, and the issuer then checks that the requested DNS TXT record has been added to verify that you indeed control the domain.
TrustView can integrate with your DNS and automatically add the requested DNS TXT records whenever a certificate is ordered through TrustView or when domains are prevalidated. A DNS provider in TrustView is a DNS integration covering a number of domains; TrustView uses it to add DNS TXT records whenever a certificate is ordered for one of the domains that the DNS provider handles.
Important
Some DNS providers require their SSL certificate to be trusted by TrustView before a connection can be established. This is accomplished by adding the DNS provider’s SSL certificate to the Java keystore of TrustView. See more details here.
4.1. Adding a DNS provider
1. Click DNS integration in the left menu under the Management section.
2. Click Add to add a new DNS provider.
3. Select the type of DNS provider you wish to use. Currently, TrustView supports the following DNS providers:
Cloudflare - a commercial provider of DNS services
PowerDNS - an open source DNS service provider
Azure DNS - Microsoft Azure
UltraDNS - UltraDNS
Google Cloud DNS - Google Cloud DNS
Akamai Edge DNS - Akamai Edge DNS
Infoblox - Infoblox
EuroDNS/EBrand - EuroDNS (Also covers the EBrand DNS provider)
DNSimple - DNSimple
Amazon Route 53 - Amazon Route 53
CSC DNS - CSC DNS
File system based - writes the DNS record to the local file system. You can then integrate with your DNS provider yourself by creating a script that reads the DNS records and adds them to your DNS.
E-mail - sends the DNS TXT token to a specified e-mail address
Microsoft DNS - use a Windows server as a DNS server
Note
If you don’t see your DNS provider on the list, we can create an integration for that DNS provider if it has a public API available that allows a connection. Contact our Support with the details.
To add a Cloudflare DNS provider, complete the following steps:
1. Enter your global API key
2. Enter your email
3. Click Add
To add a PowerDNS DNS provider, complete the following steps:
1. Enter your API key
2. Enter your host, e.g. http://127.0.0.1:8081
3. Enter your server ID (the default is localhost, but PowerDNS can be set up with a proxy in front of several servers, each with its own server ID)
4. Click Add
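As an added example (not TrustView’s own code), the following Python script shows what adding and removing a challenge TXT record through the PowerDNS HTTP API looks like once the API is enabled: a PATCH of the TXT rrset on the zone, authenticated with the same X-API-Key header the curl examples use. The host, server ID, zone name, record name and token are assumed placeholders; the API key is the one configured in pdns.conf.

```python
import json
import re
import urllib.request

# Assumed values (placeholders, not from the page): the host and server ID as entered
# in TrustView, plus the API key configured in pdns.conf.
PDNS_HOST = "http://127.0.0.1:8081"
PDNS_SERVER_ID = "localhost"

# ACME dns-01 challenge values are base64url; rejecting anything else keeps quotes,
# backslashes and whitespace out of the TXT content written into the zone.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def fqdn(name: str) -> str:
    """PowerDNS expects zone and record names as absolute names with a trailing dot."""
    return name if name.endswith(".") else name + "."


def _check_in_zone(zone: str, name: str) -> tuple[str, str]:
    """Refuse to touch a name that does not belong to the zone being patched."""
    zone, name = fqdn(zone), fqdn(name)
    if name != zone and not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    return zone, name


def txt_rrset_patch(zone: str, name: str, tokens: list[str], ttl: int = 60) -> dict:
    """Body for PATCH /api/v1/servers/<id>/zones/<zone> that sets the TXT rrset to `tokens`.

    changetype REPLACE overwrites the whole rrset, so every value that must be live at
    the same time (an apex and a wildcard challenge share one name) goes into one call.
    """
    _, name = _check_in_zone(zone, name)
    for token in tokens:
        if not _TOKEN_RE.match(token):
            raise ValueError("token contains characters not valid in a challenge value")
    return {
        "rrsets": [{
            "name": name,
            "type": "TXT",
            "ttl": ttl,
            "changetype": "REPLACE",
            # PowerDNS stores TXT content including its surrounding double quotes
            "records": [{"content": f'"{token}"', "disabled": False} for token in tokens],
        }]
    }


def txt_rrset_delete(zone: str, name: str) -> dict:
    """Body that removes the challenge rrset again once validation has finished."""
    _, name = _check_in_zone(zone, name)
    return {"rrsets": [{"name": name, "type": "TXT", "changetype": "DELETE"}]}


def patch_zone(api_key: str, zone: str, body: dict,
               host: str = PDNS_HOST, server_id: str = PDNS_SERVER_ID) -> int:
    """Send the PATCH; PowerDNS answers 204 No Content when the change was applied."""
    url = f"{host}/api/v1/servers/{server_id}/zones/{fqdn(zone)}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python pdns_txt.py <api-key> <zone> <record-name> <token>
    import sys
    key, zone, name, token = sys.argv[1:5]
    print(patch_zone(key, zone, txt_rrset_patch(zone, name, [token])))
```

Two details matter when you automate this yourself: the API key grants write access to every zone on the server, so keep it out of shell history and scripts checked into version control, and delete the challenge rrset after the certificate has been issued so stale validation tokens do not accumulate in the zone.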
Important
Enabling the API
To enable the API, both the webserver and the HTTP API need to be enabled. Add the lines api=yes and api-key=changeme to pdns.conf and restart. The following examples should then start working:
curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost
curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones
To add an Azure DNS provider, complete the following steps:
1. Enter your Subscription Id
2. Enter your Resource group name
3. Enter your App Id
4. Enter your Password
5. Enter your Tenant Id
Azure CLI
The Azure CLI is a command-line tool that allows you to manage and interact with Azure resources, including obtaining the accounts and tokens required to interact with Azure. Here it is used to create a service principal, whose credentials TrustView then uses to authenticate.
You can either use the Azure Cloud Shell or install the Azure CLI locally.
Cloud Shell
The Azure Cloud Shell is an in-browser terminal that lets you execute Azure CLI commands without installing the Azure CLI locally.
Go to https://shell.azure.com
Azure CLI Local Install
Install the Azure CLI: Azure CLI
Log in with:
az login
Select your active Azure subscription with:
az account set -n {name of your sub}
Service principal
A service principal is an Azure account that allows you to perform actions on Azure resources. A service principal is like a system account that can have roles assigned to it and can be used to get authentication tokens.
Tip
More info here: Azure service principal
Create the service principal
In Azure CLI, type the following command:
az ad sp create-for-rbac --role Contributor
[screenshot]
The resource group name can be found here:
[screenshot]
The subscription Id can be found here:
[screenshot]
Important
The app used for DNS must have at least the Contributor role to have the correct rights.
To add an UltraDNS provider, complete the following steps:
1. Enter your username
2. Enter your password
Note
The minimum rights needed for the API ONLY USER are as follows:
List zones
View zone details
List records
View record details
Add/update/delete records
To add Google Cloud DNS as a provider, complete the following steps:
1. Create an account: Google Cloud Console, or use an existing account to log in to the Google Cloud Console
2. Create a new project or use an existing Google Cloud DNS project: Google Cloud DNS Project
3. Create a new Service Account or use an existing one: Google Cloud Service Account
4. Download the private key in JSON format: click the Service Account and go to the KEYS tab. Click Add key and Create new key, then select the JSON key type
5. The exported JSON key must then be uploaded to TrustView under the DNS integration section
6. Add the Project ID (which is not necessarily the same as the Project Name) to TrustView and click Add
7. Once Google Cloud DNS has been successfully added as a DNS provider, click Update domain list to list all the added domains
If no domains have been created, they can be created from the Google Cloud Console: Create Google Cloud Domain
Permissions needed for the DNS Administrator role:
dns.changes.create
dns.managedZones.list
dns.resourceRecordSets.create
dns.resourceRecordSets.get
dns.resourceRecordSets.update
To add a file system-based DNS provider, complete the following steps:
1. Enter the directory to store the DNS records in (the directory entered here must be created manually on the server)
2. Enter the domain that the DNS provider is handling, e.g. example.org
3. Click Add domain
4. Enter and add additional domains if required
5. Click Add
Important
The directory prefix must be set in the configuration file; add dnsprovider.filesystem.pathprefix = "C://temp/" to the TrustView.groovy file. The example uses the C drive, but it could be any drive or directory.
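As an added example (not TrustView’s own code), the following Python script shows what the script mentioned for the file system based provider can look like: it reads the records from the configured directory, accepts only those that belong to the domains added to this provider, rejects values that could not safely be placed inside a quoted TXT string, and renders the rest as an nsupdate script. The JSON file layout, the directory and the sample records are assumptions; this page does not document the file format TrustView writes, so adjust load_records to match what you find in the directory.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed record file format (the page does not document the one TrustView writes):
# one JSON file per record, e.g. {"name": "_acme-challenge.example.org", "value": "<token>"}.
# Printable ASCII without quotes or backslashes, so a value can never break out of the
# quoted TXT string when it is handed to a zone file, nsupdate or an API.
_VALUE_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]{1,255}$")


def in_handled_domain(name: str, handled: set[str]) -> bool:
    """True if `name` equals or sits below one of the domains added to this DNS provider."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d)
               for d in (h.rstrip(".").lower() for h in handled))


def load_records(directory: Path, handled: set[str]) -> tuple[list[dict], list[str]]:
    """Read every record file; return (records safe to publish, reasons for the rest).

    Only records for domains this provider handles are accepted, so a record dropped in
    the directory for some other zone is reported instead of being pushed to DNS.
    """
    accepted, rejected = [], []
    for path in sorted(directory.glob("*.json")):
        try:
            rec = json.loads(path.read_text(encoding="utf-8"))
            name, value = str(rec["name"]), str(rec["value"])
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append(f"{path.name}: unreadable ({exc})")
            continue
        if not in_handled_domain(name, handled):
            rejected.append(f"{path.name}: {name} is outside the handled domains")
        elif not _VALUE_RE.match(value):
            rejected.append(f"{path.name}: value contains characters not allowed in a TXT token")
        else:
            accepted.append({"name": name.rstrip(".").lower() + ".", "ttl": 60, "value": value})
    return accepted, rejected


def as_nsupdate(records: list[dict]) -> str:
    """Render accepted records as an nsupdate script (one way to push them to a BIND-style server)."""
    lines = [f'update add {r["name"]} {r["ttl"]} IN TXT "{r["value"]}"' for r in records]
    return "\n".join(lines + ["send"]) + "\n"


def demo() -> tuple[list[dict], list[str]]:
    """Constructed sample directory: one valid record, one for a zone this provider
    does not handle, and one whose value contains a quote character."""
    directory = Path(tempfile.mkdtemp())
    samples = {
        "ok.json": {"name": "_acme-challenge.example.org", "value": "aBc123_-xyz"},
        "foreign.json": {"name": "_acme-challenge.other-zone.example", "value": "aBc123_-xyz"},
        "quote.json": {"name": "_acme-challenge.example.org", "value": 'tok"en'},
    }
    for fname, rec in samples.items():
        (directory / fname).write_text(json.dumps(rec), encoding="utf-8")
    return load_records(directory, {"example.org"})


if __name__ == "__main__":
    accepted, rejected = demo()
    print(as_nsupdate(accepted))
    print("\n".join(rejected))
```

The domain check is the part worth keeping whatever the real file format turns out to be: the script runs with credentials for your DNS, so restricting what it will publish to the domains this provider was created for limits what a bad record in that directory can change.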
The DnsServer Module must first be installed. It is available either by installing the DNS Server role or by adding the DNS Server Tools, which are part of the Remote Server Administration Tools (RSAT) feature on the Windows server. The DNS integration with Microsoft DNS requires a PowerShell script so that Let’s Encrypt certificates can be automated.
The following TV-MicrosoftDNS.zip file contains 4 files. The file transferdnsrecords.ps1 is optional; it can help transfer DNS TXT records if the TrustView server and the DNS server are not domain joined and the records need to be moved between servers.
Once the files have been extracted, run the following PowerShell command to install the msdns.ps1 script as a Windows service and make it run in the background:
Install the Microsoft DNS service
C:\temp\TV-MicrosoftDNS> .\TrustView-MS-DNS-Service.exe install
Important
The main script msdns.ps1 and the optional file transferdnsrecords.ps1 contain a set of parameters at the top of the script that need to be adjusted to fit your setup, such as Zone name and credentials.
If you are using an internal DNS setup on your Windows server, you can point TrustView to an external DNS server in the TrustView.groovy configuration file, so that the DNS TXT records can be validated by e.g. Let’s Encrypt. This is done by adding the following line to the configuration file:
staticAuthoritativeDnsIpList = "8.8.8.8,8.8.4.4"
TrustView will now attempt to validate the DNS challenges based on these IPs for Google public DNS.
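As an added example (not TrustView code), the following stdlib-only Python DNS client looks up a TXT record directly at chosen resolver IPs, so you can confirm that a challenge record published through the Windows DNS server is visible from the same resolvers TrustView has been told to validate against (8.8.8.8 and 8.8.4.4 in the configuration line above) and not only from the internal DNS. The record name, expected value and resolver list are assumed inputs; build_txt_response only constructs an offline response packet for exercising the parser.

```python
import secrets
import socket
import struct

TXT, IN = 16, 1  # DNS type and class codes


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = -1) -> tuple[bytes, int]:
    """Standard recursive query for the TXT rrset of `name`; returns (packet, id)."""
    if txid < 0:
        txid = secrets.randbits(16)  # random id so a stray reply cannot be matched by luck
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", TXT, IN), txid


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            return off + 2  # compression pointer ends the name
        if ln == 0:
            return off + 1
        off += 1 + ln


def parse_txt_answers(msg: bytes, expected_id: int) -> list[str]:
    """Extract the TXT strings from the answer section; refuse mismatched ids and errors."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch; ignoring response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    values = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:
            # TXT rdata is one or more <len><chars> strings; join them into one value
            pos, parts = 0, []
            while pos < len(rdata):
                parts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("utf-8", "replace"))
                pos += 1 + rdata[pos]
            values.append("".join(parts))
    return values


def query_txt(name: str, resolver_ip: str, timeout: float = 3.0) -> list[str]:
    """Ask one resolver over UDP for the TXT values of `name`."""
    pkt, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)


def challenge_visible(name: str, expected: str, resolver_ips: list[str]) -> dict[str, bool]:
    """Per resolver: does it currently return `expected` among the TXT values of `name`?"""
    result = {}
    for ip in resolver_ips:
        try:
            result[ip] = expected in query_txt(name, ip)
        except (OSError, ValueError):
            result[ip] = False  # timeout, unreachable, SERVFAIL/NXDOMAIN or bad reply
    return result


def build_txt_response(txid: int, name: str, values: list[str], ttl: int = 60) -> bytes:
    """Constructed response packet for exercising the parser offline (test fixture, not real traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT, IN)
    answers = b""
    for v in values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Assumed record and token; the resolver list mirrors staticAuthoritativeDnsIpList.
    print(challenge_visible("_acme-challenge.example.org", "<token>", ["8.8.8.8", "8.8.4.4"]))
```

Public resolvers cache, including negative answers: if the record was queried before it existed, the resolver can keep returning the cached absence until the zone’s negative TTL expires, so a first “not visible” result after publishing is worth re-checking before treating it as a failure of the DNS integration.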