Create a customized DNS script
Select the Add script option in the Custom DNS connector tile to use your own custom script to automate domain control validation. Create a script from scratch or customize and use one of the below sample scripts.
Copy and paste your script into the designated area when you fill out the form to add the DNS integration.
Create a DNS script for Windows
For Windows, you need two scripts to prove your control over the domains: DNS .bat
script and embedded PowerShell postscript (.ps1, .py, .ps,
or other format).
Create an embedded DNS PowerShell postscript:
Open a text editing tool such as Notepad.
Define the login credentials, DNS challenge, and exit codes.
Save the file with
.ps1, .py, .ps
, or other format.Note
Remember to note the location.
Create a DNS script:
Open a text editing tool such as Notepad.
Define the PowerShell postscript file location path, argument to pass the DNS challenge, and exitcodes.
Create a DNS script for Linux
For Linux, you need to a DNS .sh
script to prove your control over the domains.
. Open a text editing tool such as Notepad.
Define the login credentials, DNS challenge, and exit codes.
Save the file with the
.sh
extension.Note
Remember to note the location.
Sample scripts
The following sample scripts show how a custom DNS-based domain validation challenge might work for AWS Route 53. Use these scripts as a starting point to help craft your own custom domain validation scripts for DNS services that do not have existing connectors in Trust Lifecycle Manager.
AWS - Postscript DNS PowerShell (.ps1)
#ensure AWS PStools are installed incl #https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html #Install-Module -Name AWS.Tools.Installer #Install-AWSToolsModule AWS.Tools.Route53 #Set-AWSCredential -AccessKey <accesskey> -SecretKey <secretkey> -StoreAs TestDNSProfile Import-Module AWSPowerShell Function Set-R53Record { # Entry parameters Param ( [Parameter(Mandatory=$True)] [String]$Profile, [Parameter(Mandatory=$True)][String]$Domain, [Parameter(Mandatory=$True)][String]$Type, [Parameter(Mandatory=$True)][String]$Name, [Parameter(Mandatory=$True)][String]$Value, [Int]$TTL = 300, [String]$Comment ) $DomainDot = $Domain + "." # Create two objects for R53 update $Change = New-Object Amazon.Route53.Model.Change $Change.Action = "UPSERT" # CREATE: Creates a resource record set that has the specified values. # DELETE: Deletes an existing resource record set that has the specified values. # UPSERT: If a resource record set doesn't already exist, AWS creates it. If it does, Route 53 updates it with values in the request. $Change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet $Change.ResourceRecordSet.Name = "$Name.$Domain" $Change.ResourceRecordSet.Type = $Type $Change.ResourceRecordSet.TTL = $TTL # For TXT-based DNS challenges, value must be in quotes $challengeValue = if ($Type -eq "TXT") {"""$Value"""} else {$Value} $Change.ResourceRecordSet.ResourceRecords.Add(@{Value=$challengeValue}) # Get hosted zone $HostedZone = Get-R53HostedZones -ProfileName $Profile| Where-Object { $DomainDot.EndsWith($_.Name) } Write-Output "Found HostedZone:$HostedZone" # Set final parameters and execute $Parameters = @{ HostedZoneId = $HostedZone.Id ChangeBatch_Change = $Change # Object ChangeBatch_Comment = $Comment # "Edited A record" } return Edit-R53ResourceRecordSet -ProfileName $Profile @Parameters } if($args.Length -ne 1){ Write-Output "Args not found" exit -1; } $fileInput = Get-Content $args[0] if ($fileInput.Length -lt 3){ Write-Output "File not found" exit -1; } $tempDomains = $fileInput[0].Split(",") $challenge = $fileInput[2] $domains = @() foreach ($d in $tempDomains) { if ("$d" -ne "null") { Write-Output $d $domains = $domains += $d } } foreach ($domain in $domains) { Set-R53Record -Profile DNSProfileName -Domain $domain -Type "TXT" -Name "_dnsauth" -Value $challenge -TTL 86400 -Comment "DNS challenge for $domain" }
AWS - Script DNS .sh
#!/usr/bin/bash set_R53_Record(){ Profile=$1 Domain=$2 Type=$3 Name=$4 Value=$5 TTL=$6 Comment=$7 DomainDot="$Domain." echo "Profile:$Profile Domain:$Domain" HOSTEDZONEID=$(/usr/local/bin/aws route53 list-hosted-zones --profile $Profile | jq '.HostedZones | .[] | select(.Name|inside('\"$DomainDot\"')) | .Id' | tr -d '"') cat > change-batch.json << EOL {"Comment":"$Comment","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$Name.$Domain","Type":"$Type","TTL":$TTL,"ResourceRecords":[{"Value":"\"$Value\""}]}}]} EOL /usr/local/bin/aws route53 change-resource-record-sets --hosted-zone-id $HOSTEDZONEID --profile $Profile --change-batch file://change-batch.json } if [ "$#" -ne 1 ]; then echo "Args not found" exit -1; fi IFS=$'\n' read -d '' -r -a lines < $1 if [ ${#lines[@]} != 3 ]; then echo "File not found" exit -1; fi challenge=${lines[2]} IFS=',' read -ra domains <<< "${lines[0]}" for domain in "${domains[@]}"; do set_R53_Record default $domain "TXT" "_dnsauth" $challenge 86400 "DNS challenge for $domain" done
Exit codes
Every program you start terminates with an exit code and reports it to the operating system. An exit code, sometimes known as a return code, is the code returned to a parent process by an executable.
Exit code | Description |
---|---|
0 | Successful execution of the script. |
1 | Failed to execute the script for any reason. |