author | pommicket <pommicket@gmail.com> | 2025-09-30 21:40:00 -0400 |
---|---|---|
committer | pommicket <pommicket@gmail.com> | 2025-09-30 21:40:00 -0400 |
commit | 94fcea0c9c3cd13b529b4f469ff4d61e6216453d (patch) | |
tree | 4e53a223d4efadc71ad01eac785dcfbfa6786826 | |
parent | ace19b98f7e3250d4520a4b893d4aeabe58118c7 (diff) |
-rw-r--r-- | README.md | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -2,6 +2,7 @@ Very simple DDNS client with support for +- IPv4 and IPv6 - Linode, DigitalOcean, and AWS Route 53 providers. - Allows obtaining IP address via any shell command. - Customize TTL, API call interval & timeout. @@ -12,6 +13,27 @@ Then run `simpleddns --setup` to create a configuration interactively. Lastly run `simpleddns` to start the DDNS client. Currently only Unixy platforms are supported (i.e. not Windows, but maybe WSL or MinGW or something). +## Security: CAA record + +If you want to run an HTTPS server under simpleddns, +(or think that someone might *believe* that there is an HTTPS server + on your domain) +make sure you create a [CAA record](https://letsencrypt.org/docs/caa/) +that doesn't allow http-01 challenges. +By default, simpleddns fails if no such record exists. +Otherwise, anyone who can interfere with your IP-getting command such as + +- the web site you're using to query your IP +- any internet infrastructure between you and that web site + (NB: TLS does **not** save you from IP address tampering) + +**can maliciously issue perfectly valid certificates for your domain!!** + +If you are not using an internet service to query your public IP +and you're instead getting it by trusted means, or +if you're using some random (sub)domain no one will try to access via HTTPS, +then you don't have to worry about any of this +and can set `allow_no_caa = True` in your configuration. ## Alternatives |
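Review bot: in the second hunk the "Security: CAA record" section says the requirement is a CAA record that does not allow http-01 challenges, but two lines later the default behaviour is described only as "fails if no such record exists"; please document what simpleddns does when a CAA record is present but does not restrict validation methods, and whether `allow_no_caa = True` also bypasses that case. The line "NB: TLS does **not** save you from IP address tampering" would also be clearer with the reason spelled out, e.g. "the lookup site reports the source address it observes, so infrastructure between you and that site can change the answer without touching the TLS response".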