ACME Support

[pwinkeler]

As we all know, SSL Certificate lifetimes are getting shorter and thus automating their renewals is front and center. There are a number of ways to automatically prove domain ownership to a certificate authority but many of them require the automated creation of DNS records. Would it be possible to create a plugin for this ecosystem that uses Netbox APIs to create the required record in Netbox DNS which could then publish it out via one of the other DNS integration plugins?

[peteeckel]

Hi @pwinkeler,

tl;dr: It can be done, it's simple, but it could be wasted effort.

Solution Options

It is very simple to add or change DNS records, either from a plugin, or a custom script, a Python program using pynetbox (which I would prefer for the use case), or the REST API.

• In a plugin, just import Record from netbox_dns.models and at least RecordTypeChoices from 'netbox_dns.choices' and you're ready to go.
• In a custom script you can do pretty much the same to access the NetBox DNS models.
• When you are using pynetbox, you can also access plugin objects using the API by using nb.plugins.netbox_dns.record.(create|update|delete|...) (assuming nb is your pynetbox.api session object).
• The REST API-Endpoint /api/plugins/netbox-dns/records/ supports GET, POST, PATCH etc. (actually that's what pynetbox uses.

Bottom line: Depending on the functionality you need, there are many ways to choose from. Which is good (and one of the reasons I really like NetBox).

Why I still wouldn't do it (unless there's a very good reason)

DNS-01

Currently the ACME protocol supports the DNS-01 challenge (among others not relevant here). The idea is that the ACME server sends you a token and you put it into a DNS record to prove your ownership of the zone.

That approach has some shortcomings:

• Zones need to be dynamic, or at least one does, when you insert CNAME records into the others. This may or may not be acceptable - at the very least securing an external production zone for limited access to dynamic updates adds some overhead to remain safe. The plugin you're suggesting overcomes that problem, I guess that's where the idea comes from.
• DNS causes some delay with regard to zone propagation, especially with highly active dynamic zones. This may cause certificate renewals to fail initially.

DNS-PERSIST-01

That's why a new validation method is currently being phased in. The idea behind DNS-PERSIST-01 is to put a static record into your DNS zone that defines the CA authorised to sign certificates for names in the zone, the ACME account that is used to request them, and optionally a lifetime and an issuance policy.

That way, you can add a DNS record with a sensible TTL once and you're fine. No more dynamic DNS updates.

Securiry-wise, you now need to really make sure that your ACME account key doesn't get compromised. On the other hand, there's no more necessity to have API or TSIG keys for write access to your DNS zones floating around, so that's probably a draw.

Time Horizon

Let's Encrypt is rolling out ACME DNS-PERSIST-01 in the immediate future in staging, and in the next few months in production. Chances are that your pain will go away before your solution is finished.

[peteeckel]

Additional information by LE: https://letsencrypt.org/2026/02/18/dns-persist-01

[pwinkeler]

Thanks Peter, for that very insightful response. The new persistent DNS record approach obviates the need for such dynamic update tooling so I will cool my heels and focus my development work elsewhere. PaulW

…

On Mar 20, 2026, at 09:10, Peter Eckel ***@***.***> wrote: Additional information by LE: https://letsencrypt.org/2026/02/18/dns-persist-01 — Reply to this email directly, view it on GitHub <#802?email_source=notifications&email_token=AC3M34JUHMY367OQZYGE5OT4RU7MJA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNRSGI3DCOBQUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#discussioncomment-16226180>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC3M34LGT3AF7WWJWO67Z7T4RU7MJAVCNFSM6AAAAACWYSGVNGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTMMRSGYYTQMA>. You are receiving this because you were mentioned.