Restricted API keys (for dns-01 verification)

Hi people,

In light of the recent jabber.ru compromise, it became clear how weak our TLS ecosystem really is.

One proposed fix is to only allow certificate renewal via ACME using the dns-01 method, but since it (typically) relies on full access to the DNS zones, many people are reluctant to use it (do you really want to give full control over your DNS to your webserver?)

The proposed fix is to be able to issue restricted API keys that only have write access to some records in the zone (e.g. only some records/trees, only TXT records, or even TXT records with specific content).

So, I would like the deSEC staff to actually consider adding support for such a feature.
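
The scoping asked for above can be expressed as a per-token policy that the DNS provider evaluates on every write. The Python sketch below is an illustration added here; it is not code from deSEC or from the poster. It models a token that carries policies keyed by domain, subname and record type, defaults to deny, and optionally constrains the record content so that a token may only publish values shaped like a dns-01 challenge response (43 base64url characters, the base64url SHA-256 digest of the key authorization per RFC 8555). The class names, the policy layout and the sample domain `example.org` are assumptions made for the example.

```python
"""Least-privilege write check for DNS API tokens (constructed illustration,
not deSEC's implementation)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RRsetPolicy:
    """One scope rule attached to a token.

    A field left as None is a wildcard.  content_pattern, when set, is a
    regex that the whole record content must match.
    """
    domain: Optional[str] = None
    subname: Optional[str] = None
    rtype: Optional[str] = None
    content_pattern: Optional[str] = None
    perm_write: bool = False

    def specificity(self) -> int:
        # More constrained fields win when several policies match.
        return sum(f is not None for f in (self.domain, self.subname, self.rtype))


@dataclass(frozen=True)
class WriteRequest:
    domain: str
    subname: str
    rtype: str
    content: str


def _field_matches(value: str, constraint: Optional[str]) -> bool:
    return constraint is None or value == constraint


def policy_applies(policy: RRsetPolicy, req: WriteRequest) -> bool:
    return (_field_matches(req.domain, policy.domain)
            and _field_matches(req.subname, policy.subname)
            and _field_matches(req.rtype, policy.rtype))


def is_write_allowed(policies: Iterable[RRsetPolicy], req: WriteRequest) -> bool:
    """Pick the most specific matching policy; deny when nothing matches."""
    candidates = [p for p in policies if policy_applies(p, req)]
    if not candidates:
        return False  # default deny: an unscoped token writes nothing
    best = max(candidates, key=RRsetPolicy.specificity)
    if not best.perm_write:
        return False
    if best.content_pattern is not None and not re.fullmatch(best.content_pattern, req.content):
        return False
    return True


# dns-01 challenge responses are 43 base64url characters (RFC 8555 §8.4).
DNS01_CONTENT = r"[A-Za-z0-9_-]{43}"

# Constructed token: may only write _acme-challenge TXT records under
# example.org whose content looks like a challenge response.
ACME_TOKEN_POLICIES = (
    RRsetPolicy(perm_write=False),  # catch-all: no write anywhere else
    RRsetPolicy(domain="example.org", subname="_acme-challenge", rtype="TXT",
                content_pattern=DNS01_CONTENT, perm_write=True),
)


if __name__ == "__main__":
    cases = [
        WriteRequest("example.org", "_acme-challenge", "TXT", "a" * 43),
        WriteRequest("example.org", "_acme-challenge", "TXT", "hello"),
        WriteRequest("example.org", "", "A", "203.0.113.10"),
        WriteRequest("example.net", "_acme-challenge", "TXT", "a" * 43),
    ]
    for c in cases:
        print(c, "->", "allow" if is_write_allowed(ACME_TOKEN_POLICIES, c) else "deny")
```

With this layout a compromised web server holding the token can rotate the challenge record for its own name but cannot repoint the apex A record or touch any other zone; the content pattern additionally stops the token being used to publish arbitrary TXT data (such as a domain-verification string for some other service).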

Hi wildylion,

Thank you for your message, and welcome to deSEC! :slight_smile:

Please see this thread: Restricted access tokens for letsencrypt dns challenge

Stay secure,
Peter

Thank you very much.

I’m very glad to see this is actually progressing.