Weeknotes 236
4th January, 2026
“ACME challenge”
-
A thousand apologies to those whose Monday back at work was unbearable without these weeknotes. I am but human.
-
The converter for my Kaweco Brass Sport arrived as did a broader nib and I’m now much happier writing with this pen.
-
Starlink to Shift LEO Ultrafast Broadband Satellites into a Lower Orbit
By the end of July 2025 Starlink’s global network had 6 million customers and 110,000 of those were in the UK (up from 87,000 in 2024) – mostly in rural areas.
I was surprised at how many customers Starlink has in the UK.
-
CartoArt – this is cool to create high-quality map posters.
-
New year’s resolutions don’t work. YearCompass does - for more than a million people around the world since 2012.
I downloaded this and then failed to complete it. Happy New Year.
-
After feeling like I was getting somewhere with my Home Automation setup I regret to inform you that things broke in bigly ways.
In an attempt to fix all the things I went on an upgrade spree.
First, I bumped up Zigbee2MQTT to the latest version, and then turned my attention to the firmware(s) running on the SLZB-06M. The SLZB-06M has two different firmwares which I found a bit confusing initially. It has Core/OS and Over-the-air (OTA). Core/OS, as you might have guessed, handles the actual OS running on the device and affects the web UI etc. The other is for the Zigbee networking stuff.
Updating the Zigbee firmware through the web UI worked first time. The Core/OS firmware however kept failing with checksum errors. In the end I downloaded v3.1.3 and flashed it manually.
Things did not get better. I’m not sure what’s going on.
-
Where is Bitcoin? – where indeed.
-
Capturing the charm of the router-carved type ubiquitous in America’s national parks, without sacrificing legibility or versatility.
Via Robb Knight.
-
I am no closer to having proper FQDNs for my local services, but I have been thinking about how I can secure them using SSL/TLS.
I could create my own self-signed certificates and distribute them to the few devices that I would be using to access the services but that does seem like a hassle. I mean, this whole thing is a hassle, but a different kind of hassle.
Instead of self-signed I have been trying to absorb how Certificate Authorities like Let’s Encrypt work. I remember when Let’s Encrypt was launched and how much of a big deal it apparently was, but similar to how I only start liking a band 20 years after they were cool only now am I cottoning on. I’ve been using Let’s Encrypt indirectly for some time. This website uses Let’s Encrypt certificates but Netlify take care of everything and I have/had no idea how it worked.
Let’s Encrypt only issue certificates to domains you control, and you prove you control the domain via an ACME challenge. The most common challenge is HTTP-01 where they look for a token you host on your website. Once they find and validate the token they will issue you a certificate. Because my services are not publicly available (they are only accessible via Tailscale) I was under the impression I couldn’t use something like Let’s Encrypt to issue certificates because they would be unable to perform this automated check.
Then I discovered the DNS-01 challenge. This works in a similar way but instead of checking for a file with a token, they will look for the token in your DNS records for the domain. So if you have an automated way to create TXT DNS records you can prove you control the domain. Perfect for my scenario.
One of the ways ACME challenges are automated is through your web server or reverse proxy software. For example, Caddy will act as an “ACME client” and perform all these steps for you automatically. You give Caddy a way to create TXT DNS records on your behalf and it will do so. This is usually facilitated by giving Caddy an access token to use with your DNS provider’s HTTP API.
I have not set any of this up yet, but it does sound pretty good so far, right? Create an access token for your DNS provider’s API, give the token to Caddy, Caddy does the ACME dance, certificate is issued, profit.
However, most providers do not provide scoped access tokens. So when you create an access token you’re often giving that token full power to CRUD the shit out of all the DNS records for ALL THE DOMAINS that you host with that provider!
Now, the risk of a token leak is small, but if it did happen, the consequences are potentially massive. If some nefarious actor got access to my DNS records very bad things could happen. They could start writing more interesting weeknotes for one, but worse still, they could do something like change my MX records and take over my email. Once someone has your email it’s game over, man. Keys to the kingdom.
So this poses a problem. If I don’t want to have an access token that gives full access to my DNS records lying about on my web server, what to do? Well, some providers offer so-called scoped access tokens of various granularity. It would be better if you could say “this token can only create x record for y domain”.
I use DNSimple and scoped access tokens are unfortunately only available on the Teams plan and above. I’ve only got a handful of domains, so paying $29 USD/month is not feasible for me. (I get it, gotta make money, but it’s frustrating when trying to do Good Security ™ and the features to help you do so are shuttered away behind more expensive plans.)
It seems to me there are three ways forward:
-
Use a completely different domain name with a different DNS provider. This completely isolates the domain and its access token, so none of the important domains are reachable.
-
Move all my domains to a different DNS provider such as Cloudflare who do support scoped access tokens on all plans (although I’ve been unable to independently verify that – if you know, please tell me).
-
Use a completely different domain name with a different DNS provider and set up a CNAME to delegate to it for ACME challenges. This says “ask foo.com if I own bar.com”. This has the same practical effect as the other options to various degrees though.
I’m leaning towards getting a new domain. Simplest solution.
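The DNS-01 mechanics described above, together with the CNAME delegation in the third option, as an added example that is not part of the original post and is not Caddy’s or Let’s Encrypt’s code. It computes the TXT value a CA expects for a DNS-01 challenge (per RFC 8555 the key authorization is token.thumbprint, and the record holds the base64url SHA-256 of that) and then validates it against a small in-memory zone that stands in for real DNS, following a CNAME from _acme-challenge.bar.com into a throwaway zone. The domain names, token and account thumbprint are constructed placeholders, not real values.

```python
import base64
import hashlib

# Constructed placeholders: a real ACME token and JWK thumbprint would come
# from the CA and the account key respectively.
TOKEN = "constructed-token-0123456789"
THUMBPRINT = "constructed-account-thumbprint"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value the CA looks for at _acme-challenge.<domain>.

    RFC 8555 s8.1: keyAuthorization = token "." thumbprint
    RFC 8555 s8.4: TXT rdata = base64url(SHA-256(keyAuthorization))
    """
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the challenge record, fully qualified."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list:
    """Return TXT rdata at `name`, following CNAMEs like a resolver would.

    `zone` is a dict {(owner, rrtype): [rdata, ...]} standing in for DNS.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        if (name, "TXT") in zone:
            return zone[(name, "TXT")]
        cname = zone.get((name, "CNAME"))
        if not cname:
            return []          # NXDOMAIN / no data: challenge fails
        name = cname[0]        # delegation: keep looking in the target zone
    raise ValueError("CNAME chain too long")


def validate_dns01(domain: str, token: str, account_thumbprint: str, zone: dict) -> bool:
    """What the CA does: recompute the expected value and look for it."""
    expected = dns01_txt_value(token, account_thumbprint)
    return expected in resolve_txt(challenge_name(domain), zone)


def build_zone(txt_value: str) -> dict:
    """Constructed zone data for the two layouts discussed in the post."""
    return {
        # Option 3: bar.com only holds a CNAME; the TXT record (and the API
        # token that writes it) live in a throwaway zone.
        ("_acme-challenge.bar.com.", "CNAME"): ["_acme-challenge.bar.com.acme-only.example."],
        ("_acme-challenge.bar.com.acme-only.example.", "TXT"): [txt_value],
        # Direct publication, where the token has to write into the real zone.
        ("_acme-challenge.direct.example.", "TXT"): [txt_value, "unrelated-record"],
    }


if __name__ == "__main__":
    zone = build_zone(dns01_txt_value(TOKEN, THUMBPRINT))
    print("delegated:", validate_dns01("bar.com", TOKEN, THUMBPRINT, zone))
    print("direct:   ", validate_dns01("direct.example", TOKEN, THUMBPRINT, zone))
    print("bad token:", validate_dns01("bar.com", "wrong", THUMBPRINT, zone))
```

The point of the delegated layout is visible in `build_zone`: the only thing the ACME client ever writes is the TXT record in `acme-only.example`, so the API token it holds never needs write access to the zone that carries the MX records.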
-
Related: trying to buy any sort of decent domain name is so depressing. Anything short is just gone, even random characters at obscure TLDs.