PowerDNS / TSIG - DNS Provider

[JustinBack]

PR #5912 Opened

External CA support is currently limited to AWS, Azure, DigiCert, and Cloudflare. This request proposes the addition of PowerDNS API
support or, ideally, broader TSIG support to allow for more flexible DNS provider integration.

---

PowerDNS Server/Admin API Details

https://doc.powerdns.com/authoritative/http-api/zone.html

PowerDNS-Admin often serves as a proxy to the PowerDNS API, translating the /api/v1 path to the root / on the PowerDNS Server.

• Example Mapping: https://powerdns-admin/api/v1/servers/localhost/zones/acme.corp. maps to https://your-powerdns-server/servers/localhost/zones/acme.corp

To support both direct and proxied configurations, the implementation should allow for a configurable base URL.

Configuration Examples:

• POWERDNS_BASE_URL=https://powerdns-admin/api/v1
• POWERDNS_BASE_URL=https://your-powerdns-server

---

Implementation Logic: Record Management

The following operations demonstrate how to manage ACME challenge records for a domain (e.g., acme.corp) via the API.

1. Create or Update Record

To create or update a record, use a PATCH request with the REPLACE changetype.

curl --request PATCH \
  --url https://dns.example.corp/api/v1/servers/localhost/zones/acme.corp. \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: YOUR_API_KEY' \
  --data '{
	"rrsets": [
		{
			"name": "_acme-challenge.acme.corp.",
			"type": "TXT",
			"ttl": 60,
			"changetype": "REPLACE",
			"records": [
				{
					"content": "\"your-acme-token-value\"",
					"disabled": false
				}
			]
		}
	]
}'

• Success (204): Returned upon successfully inserting or updating the entry.
• Error (422): Returned if an invalid value is provided.

2. Delete Record

To remove the record after validation, set the changetype to DELETE.

curl --request PATCH \
  --url https://dns.example.corp/api/v1/servers/localhost/zones/acme.corp. \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: YOUR_API_KEY' \
  --data '{
	"rrsets": [
		{
			"name": "_acme-challenge.acme.corp.",
			"type": "TXT",
			"changetype": "DELETE"
		}
	]
}'

• Success (204): Returned upon deletion. Note that PowerDNS does not check for the existence of the record before deleting; a request to delete a non-existent record still results in a 204.

3. List Zones

I've seen that other DNS Providers have a "Select Zone" feature implemented. It seems that it's not possible in PowerDNS Admin to use the Proxy Route to list zones due to permissions and PowerDNS Admin uses a separate API. Best solution would be to have an input for the zone name just like Route53, not a selector

---

If access for development to a PowerDNS server is required, please let me know :-)