DNS challange: Support for Azure Private DNS

[schwarzzz]

We have an internal PKI infrastructure and a private ACME server for generating certificates for private DNS names (e.g. mycompany.internal).
"Sub zones" are managed in a decentralized way (i.e. permissions for domain1.mycompany.internal are delegated to Team A, domain2.mycompany.internal is delegated to Team B, etc.)

We'd like to enable DNS challange for generating certificates.

Looking at Posh-ACME's Azure DNS plugin, it looks like only public DNS zones are supported. (In Azure, Public and Private DNS feel almost identical but use different resource types (Microsoft.Network/dnszones vs. Microsoft.Network/privateDnsZones).

It would be great to see support for private DNS zones in Posh ACME (either in the current plug-in or a dedicate one)...

[webprofusion-chrisc]

Out of interest, why would you use a DNS challenge if your acme server is also private? You could instead pre-authorize internal ACME accounts for specific domains, for instance.

[schwarzzz]

We're already using pre-authorized internal ACME accounts. But since we only have a single endpoint for the whole company, it would be possible for someone from domain1 to request a certificate for domain2.company.internal. We want to avoid that.

Hence the idea of a DNS challange...

[rmbolger]

Assuming the API surface is roughly the same, it probably wouldn't be too hard to add a switch that changes the target resource type such as AZPrivateDns. I don't have a ton of time to look at it right now, but I'll keep it on the list for when I do.