Tools implementing deSEC

peter · April 1, 2020, 10:00pm

In this post, we keep a list of deSEC-aware software that we have knowledge of.

Note: This does not imply any endorsement by deSEC. We also do not evaluate whether the tools listed here implement sensible security measures, nor do we know whether these programs hold what they promise. The list is merely meant as an inspiration for digging deeper into the deSEC ecosystem.

dynDNS clients

Nesos-ita/DynamicDnsUpdater

Integrations

DNS orchestration

DNSControl (DNS as code)
Terraform (DNS as code)

ACME clients

Webserver in-built

deSEC module for Caddy

Other

Proxmox Virtual Environment, e.g. pvenode
Traefik supports deSEC through lego (see ablove). Previously, there was this extra module: Traefik dedyn-dns01 (now superseded)

General purpose API clients

Libraries

desec (Go)
desec (PyPI) (Python)
desec (npm) (JavaScript)
desec-php (PHP)

Command-line Interface (CLI)

desec-dns-api-cli (Python CLI)
desec-dns (Python CLI with TLSA support)
My1/MugenDNS (PHP GUI)

To extend this list, please reply to this post, and after short inspection we may include your suggestion in the list.

d3luxee · April 25, 2020, 8:03pm

dnscontrol will also get support for desec: https://github.com/StackExchange/dnscontrol/issues/724

peter · April 25, 2020, 9:59pm

Hi d3luxee,

Support was just merged into DNSControl, so I added it to the above list. Thanks for the contribution!

Stay secure,
Peter

vika · May 12, 2020, 10:37pm

Lego (an ACME client) has deSEC support too now! I filed the issue asking them to implement it, and the next day it was done: https://github.com/go-acme/lego/issues/1140

ldez · May 15, 2020, 1:54pm

Hello,

I created a Go client: https://github.com/nrdcg/desec/

You can also remove Traefik dedyn-dns01 as Traefik support deSEC natively (through lego)

https://docs.traefik.io/v2.2/https/acme/#providers

peter · May 15, 2020, 2:28pm

Hi vika, ldez,

Thanks for your contributions! This is really great to see <3 I’m making the corresponding changes to the list.

Stay secure,
Peter

xengi · June 1, 2020, 11:51am

Thx for adding my stuff.

I’m currently finishing up the python API wrapper. I’ll release the first 1.0 beta in a couple of days.

After that I’ll continue working on the ansible modules. So feel free to test the desec-dns-api library and give feedback.

Taras · July 17, 2023, 11:11pm

Hi,
I just uploaded my PHP library to connect to deSEC API.

peter · July 17, 2023, 11:43pm

Hi Taras,

Thanks for your contribution! I’ve added it to the top post of this thread.

Stay secure,
Peter

strawberry · November 5, 2023, 5:10pm

Hi! I found a Caddy module that supports DNS ACME challenge using a deSEC API token: GitHub - caddy-dns/desec: deSEC module for Caddy

peter · November 6, 2023, 6:46pm

Hi strawberry,

Thanks, I added it to the list!

Stay secure,
Peter

RonObvious · November 12, 2023, 4:04pm

desec-dns-api does not exist anymore on pypi. A relatively new project appeared at desec.

peter · November 13, 2023, 2:20pm

Thanks, RonObvious, I made these changes!

Stay secure,
Peter

WhyNotHugo · November 20, 2023, 1:08am

The repository is marked as archived and the project is in readonly mode. Looks like PyPI releases have all been yanked too. This should be marked as unmaintained or abandoned.

peter · November 20, 2023, 9:16am

Hi WhyNotHugo,

Thanks for your message, and welcome to deSEC!

I verified your report, and removed the unmaintained link from the collection.

Stay secure,
Peter

jonkad · June 20, 2024, 2:22pm

Hi everyone,

I’m excited to share with you a small script I’ve developed to simplify the process of updating TLSA records from Plesk. You can find the script on GitHub at this link: Plesk-DANE-TLSA-and-deSEC

TLSA records are an essential part of ensuring secure communication over the internet, particularly for services like email and web servers. However, managing these records manually can be cumbersome, especially for those using Plesk as their hosting control panel.

With this script, I aimed to streamline the process, allowing Plesk users to update their TLSA records seamlessly. By integrating with deSEC DNS service, the script automates the update process, saving time and effort for administrators.

I encourage you to check out the script on GitHub, where you can find detailed instructions on how to use it and contribute to its development. Whether you’re a Plesk user looking to enhance your server’s security or a developer interested in improving the script, your feedback and contributions are highly appreciated.

Thank you for your support, and I hope you find the script useful!

Best regards,
Jonathan

WhyNotHugo · July 18, 2024, 3:24pm

I wrote a tiny program in go that reads a zone file and writes all of its records using the API: ~whynothugo/zone2desec - Write a zone file to desec.io - sourcehut git

I like to keep my domain definitions in zone files (which are pretty standard). This lets my use the zone file as source of truth and writes to deSEC any changes.

Currently it won’t delete records that are removed from the zone file. I might add a --prune flag to do this in future.

mdbraber · July 19, 2024, 12:25pm

Are there any tools who fully implement a TLSA rollover by using a current+next private key? Most implementation seem to ‘just’ publish a single TLSA record without providing a current-next rollover as suggested (see https://imrryr.org/~viktor/ICANN61-viktor.pdf, slides 20+21). A single TLSA record would mean possible downtime when renewing certificates.

I’ve found this, in combination with acme.sh and the --force-new-domain-key option:
GitHub - nixigaj/cf-tlsa-acmesh: A simple Go program that lets you automate the updating of TLSA DNS records with the Cloudflare v4 API from acme.sh generated keys, including a rollover (next) key.. I’ve recently rewritten this to be more generally used with any libdns provider, which includes desec. I’ll upload that after I get back from my holiday.

Also it would be great to have Caddy implement current-next key rollover; I’ve submitted an issue to create a PR here: Allow Certmagic to generate 'next' private key to allow safe TLSA/DANE deployment and rollover · Issue #294 · caddyserver/certmagic · GitHub which shouldn’t be too hard to implement.

If there are any other good TLSA rollover options (besides acme.sh) I’d love to hear!

black · July 19, 2024, 8:42pm

Not exactly what you are looking for and somewhat more complex, but there is this:

github.com

s-hamann/firecracker-tools/blob/main/examples/rootfs/acme.md

acme.rootfs
===========

This is a full example for a virtual machine that can be used to keep X.509
certificates of multiple systems up-to-date. It handles requesting or renewing
private keys and certificates, solving DNS challenges, deploying keys and
certificates and updating TLSA records.
Certificates are stored persistently, but private keys are not. They are kept
solely in memory.

When the machine starts, it performs the following steps:
 1. Check for certificates that are missing or about to expire soon
 2. Generate a new key pair for these certificates
 3. Generate a new CSR for these certificates
 4. Requests new certificates using the ACME protocol
 5. Prove domain ownership using the DNS challenge method
 6. Update TLSA records (if any) to the new certificates, wait for the cached
    TLSA records to expire
 7. Deploy the new keys and certificates to the systems that need them
 8. Wait until the target systems use the new certificates

This file has been truncated. show original

This provides certificate renewal and TLSA key rollover as an application for MicroVMs. It shouldn’t be too hard to port this to a more traditional environment if you don’t like MicroVMs.