crush depth

Pork Vultures

I was using Vultr DNS to serve DNS records for my various VPS instances up until the point where I wrote and deployed certusine to manage ACME-issued certificates using DNS challenges.

The issue with Vultr DNS at the time was that Vultr's API required API keys. Normally, this wouldn't be a problem, except that it turned out that (at the time) there was no way to restrict what an API key was allowed to do.

Consider this: You run a service on a Vultr-hosted VPS that has access to the API key. That VPS is compromised, somehow. The person compromising the VPS now has the capability to destroy all of your VPS instances with just a few API calls. Worse, the person compromising the VPS has the ability to start up and use any number of VPS instances (up to your account's configured spending limit).

Obviously, this was a level of risk that was unacceptable to me. I've been using Gandi as a domain registrar for a very long time now, and it turned out that they offered free DNS hosting along with an API to manipulate records. I implemented support for Gandi DNS in certusine and have been using it up until now.

Unfortunately, about a week ago, API calls started returning 500 error codes. I contacted Gandi's technical support and they still haven't bothered to respond.

It turns out that Gandi were bought by another company in early 2023, immediately jacked up prices, and have apparently let their technical side fall apart.

After trying and failing to find any other good alternative for DNS hosting, I accidentally stumbled across an article about Vultr sub-accounts. It turns out that Vultr have added a mechanism to create new users within a given account. The permissions of those users can be restricted in a fairly fine-grained way, and those users can have their own API keys. Essentially, I can create a user that only has access to DNS records and no other account functionality, issue them an API key, and then use Vultr's DNS service without the risk of a leaked API key being utterly catastrophic.
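A check I would run on such a sub-account key before handing it to the ACME client, as an added example that is not from this post or from certusine: it confirms the key can read DNS zones but is refused on compute, account and user endpoints, so a leak cannot reach beyond DNS. The endpoint paths follow the public Vultr API v2 (bearer-token auth) as I understand it and are assumptions; the `fetch` parameter is injectable so the check also runs offline against a constructed fake.

```python
"""Audit an API key meant only for DNS-01 challenges: does it reach DNS and
nothing else? Added example, not from the post or certusine. Endpoint paths
follow the public Vultr API v2 (bearer-token auth) as assumed here."""
import os
import urllib.request
from urllib.error import HTTPError

API = "https://api.vultr.com/v2"

# A DNS-only key must be able to list the zones it will write challenges into ...
REQUIRED = ["/domains"]
# ... and must be refused everywhere else: compute, account, sub-users (assumed paths).
FORBIDDEN = ["/instances", "/account", "/users"]
DENIED = (401, 403)


def http_status(token, path):
    """GET one endpoint with bearer auth; return the HTTP status code."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def audit_key_scope(token, fetch=http_status):
    """Return {'missing': [...], 'overbroad': [...], 'ok': bool}.

    fetch(token, path) -> status code; injectable so the check runs offline.
    'ok' is True only when every REQUIRED path answers 200 and every
    FORBIDDEN path is denied, i.e. the key is least-privilege for DNS work.
    """
    missing = [p for p in REQUIRED if fetch(token, p) != 200]
    overbroad = [p for p in FORBIDDEN if fetch(token, p) not in DENIED]
    return {"missing": missing, "overbroad": overbroad, "ok": not (missing or overbroad)}


if __name__ == "__main__":
    # Run against a real key exported as VULTR_DNS_KEY; exit non-zero if it is overbroad.
    result = audit_key_scope(os.environ["VULTR_DNS_KEY"])
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```

A key that fails the check (any entry in `overbroad`) should not be deployed to the VPS; a key that fails `missing` is either revoked or lacks the DNS permission and will not complete a challenge either.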

I'll be moving all of my DNS records back over to Vultr DNS, releasing a new certusine version with improved Vultr support, and switching to Porkbun as my domain registrar.