- Use HTTP-01 challenge for run-of-the-mill certificates
- White label domains can acquire their own wildcard certificates
- VMware employees have access to *.sslip.io wildcard
- Use DNS-01 challenge for *.w-x-y-z.sslip.io wildcards
This DNS/HTTP server enables the procurement of wildcard certs for
sslip.io subdomains.
Drive-by:
- Removed the apostrophe from the initialized TXT string so that
cutting-and-pasting the string is less difficult (but the backslashes
and double quotes are still a pain).
- The DNS/HTTP server logs output when the TXT record is updated. We log
most actions, and this is perhaps the most important one, so it was an
oversight that we didn't log it.

`DEVELOPER.md` had the wrong tests (mostly missing newlines); that's
been fixed. Also, I added a new test for DNS records which contain
`_acme-challenge.`, which may enable users to generate wildcard certs
for their sslip.io domains.

We use the Alpine image; it's a lean 5.6 MB, and our 3 MB server keeps
it lean at below 9 MB.
Though we include instructions to build the Dockerfile, we plan to use
Docker Hub's automated builds feature.

When we released our new Golang-based DNS server, we had a banner that
said to let us know if anything breaks, but we neglected to tell them
_how_ to let us know. Now we include a link that opens a GitHub issue.

We describe how to run our pre-built executable within a docker
container. They can figure out the rest from there.
If they don't understand those instructions, they shouldn't be running
their own DNS server.

ns-vultr.nono.io is a bad nameserver because it's shut down for ~8 days
each month (when the unbelievable Singapore hunger for NTP uses up my
monthly allowance of 3 TB).
Besides, three nameservers is enough.

We now introduce a second Dockerfile, `Dockerfile-nginx`, to be used for
the web assets for sslip.io.
It does not run TLS; we assume that the load balancer will take care of
that.
We also gussied up the PowerDNS Dockerfile with minor changes.

- nodePort service is merely a proof-of-concept; this won't be the final
form the service takes. The port needs to be 53, not 32767.
- the deployment doesn't include the nginx webserver, merely the DNS
server. Also, I had trouble connecting both UDP & TCP to port 53,
so I chose UDP.
- Include BIND secondaries for nono.io/nono.com
(use this & you'll be unwitting secondaries for my domains)
- Fedora-based. Because IBM/Red Hat hires a lot of the Linux kernel developers.