
But you have to have your dns api key loaded and many dns providers don’t allow api keys per zone. I do like it but a compromise could be awful.


You can make the NS record for the _acme-challenge.domain.tld point to another server which is under your control, that way you don't have to update the zone through your DNS hoster. That server then only needs to be able to resolve the challenges for those who query.


How?


CNAMEs. I do this for everything. Example:

1. Your main domain is important.example.com with provider A. No DNS API token for security.

2. Your throwaway domain in a dedicated account with DNS API is example.net with provider B and a DNS API token in your ACME client.

3. You create _acme-challenge.important.example.com not as TXT via API but permanently as CNAME to _acme-challenge.example.net or _acme-challenge.important.example.com.example.net

4. Your ACME client writes the challenge responses for important.example.com into a TXT at the unimportant _acme-challenge.example.net and has only API access to provider B. If this gets hacked and example.net is lost, you change the CNAMEs and use a new domain whatever.tld as CNAME target.

acme.sh supports this (see https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...; this also works for wildcards as described there), most ACME clients do.

I also wrote an acme.sh Ansible role supporting this: https://github.com/foundata/ansible-collection-acmesh/tree/m.... Example values:

  [...]
  # certificate: "foo.example.com" with an additional "bar.example.com" SAN
  - domains:
    - name: "foo.example.com"
      challenge:  # parameters depend on type
        type: "dns"
        dns_provider: "dns_hetzner"
        # CNAME _acme-challenge.foo.example.com => _acme-challenge.foo.example.com.example.net
        challenge_alias: "foo.example.com.example.net"
    - name: "bar.example.com"
      challenge:
        type: "dns"
        dns_provider: "dns_inwx"
        # CNAME _acme-challenge.bar.example.com => _acme-challenge.example.net
        challenge_alias: "example.net"
  [...]
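
An added illustration of the delegation described above (not the commenter's code or the Ansible role): two constructed in-memory zones, a resolver that follows the `_acme-challenge` CNAME chain the way a validator does, and the client side that only ever writes TXT records into the throwaway zone. Zone contents, record names and the hop limit are assumptions.

```python
# Constructed zone data. ZONE_A is the protected zone at provider A (no API token anywhere);
# ZONE_B is the throwaway zone at provider B that the ACME client's token may write to.
# Names are absolute (trailing dot); record values are sample data.
ZONE_A = {
    # permanent CNAMEs, one of each alias style from the comment above
    "_acme-challenge.important.example.com.": [("CNAME", "_acme-challenge.important.example.com.example.net.")],
    "_acme-challenge.www.example.com.": [("CNAME", "_acme-challenge.example.net.")],
}
ZONE_B = {}

MAX_HOPS = 8  # validators bound CNAME chasing; a loop or runaway chain must fail, not hang


def acme_name(fqdn):
    """The dns-01 record name for a certificate name."""
    return "_acme-challenge." + fqdn.rstrip(".") + "."


def alias_target(challenge_alias):
    """Where the TXT really goes for an acme.sh-style challenge_alias
    ("example.net" -> _acme-challenge.example.net., "foo.example.com.example.net" -> ...)."""
    return acme_name(challenge_alias)


def publish_txt(zone, challenge_alias, token):
    """What the ACME client does: write the validation token into the throwaway zone only."""
    zone.setdefault(alias_target(challenge_alias), []).append(("TXT", token))


def remove_txt(zone, challenge_alias, token):
    """Cleanup hook: drop the token again once the order is finished."""
    name = alias_target(challenge_alias)
    zone[name] = [r for r in zone.get(name, []) if r != ("TXT", token)]


def lookup_txt(zones, name):
    """Resolve TXT for name the way a validator does: follow CNAMEs across zones,
    refuse loops and over-long chains. Returns (txt_values, chain_of_names)."""
    chain = [name]
    for _ in range(MAX_HOPS):
        records = [r for zone in zones for r in zone.get(name, [])]
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return [v for t, v in records if t == "TXT"], chain
        name = cnames[0]
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    raise ValueError("CNAME chain exceeds %d hops" % MAX_HOPS)


def chain_error(zones, name):
    """The error message for a broken chain, or None when resolution succeeds."""
    try:
        lookup_txt(zones, name)
        return None
    except ValueError as exc:
        return str(exc)


def validate(zones, fqdn, token):
    """True if the validator finds `token` for fqdn's dns-01 record, plus the chain it followed."""
    values, chain = lookup_txt(zones, acme_name(fqdn))
    return token in values, chain


def repoint_alias(zone, fqdn, new_challenge_alias):
    """Recovery step from the comment: if the throwaway domain is lost, only the CNAME changes."""
    zone[acme_name(fqdn)] = [("CNAME", alias_target(new_challenge_alias))]
```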


Thank you for this clear explanation.


This has blown my mind. It's been a constant source of frustration since Cloudflare stubbornly refuses to allow non-enterprise accounts to have a separate key per zone. The thread requesting it is a masterclass in passive aggressiveness:

https://community.cloudflare.com/t/restrict-scope-api-tokens...


When setting up the API key, use the "Select zones to include or exclude." section. Works fine on the free account.


I should have clarified, you can’t for subdomains on a non-enterprise account.


Could you elaborate on the separate key per zone issue? It's possible to create different API keys which have only access to a specific zone, and I'm a non-enterprise user.


This allows you to restrict it to a domain (e.g. example.com) but not a sub-domain of that domain.


Ah I see, thanks for the clarification!


I used the acme-dns server (https://github.com/joohoi/acme-dns) for this. It's basically a mini DNS server with a very basic API backed with sqlite. All of my acme.sh instances talk to it to publish TXT records, and it accepts queries from the internet for those TXT records.

There's a NS record so *.acme-dns.example.com delegates requests to it, so each of my hosts that need a cert have a public CNAME like _acme-challenge.www.example.com CNAME asdfasf.acme-dns.example.com which points back to the acme-dns server.

When setting up a new hostname/certificate, a REST request is sent to acme-dns to register a new username/password/subdomain which is fed to acme.sh. Then every time acme.sh needs to issue/renew the certificate it sends the TXT info to the internal acme-dns server, which in turn makes it available to the world.


Usually you just CNAME it.

You can CNAME _acme-challenge.foo.com to foo.bar.com.

Now, when you do the DNS challenge, you make a TXT at foo.bar.com with the challenge response; through CNAME redirection, the TXT record is picked up as if it were directly at _acme-challenge.foo.com. You can now issue wildcard certs for anything for foo.com.

I have it on my backlog to build an automated solution to this later this year to handle this for hundreds of individual domains and then put the resulting certificates in AWS secrets manager.

I'm going to also see if I can make some sort of ACME proxy, so internal clients authenticate to me, but they can't control DNS, so I make the requests on their behalf. We need to get prepared for ACME everywhere. In May 2026, it's 200-day certs, and it only goes down from there.


In my case I have a very small nameserver at ns.example.com. So I set the NS record for _acme-challenge.example.com to ns.example.com.

An A-record lookup for ns.example.com resolves to the IP of my server.

This server listens on port 53. It is a custom, small Python server using `dnslib`, which also listens on port let's say 8053 for incoming HTTPS connections.

In certbot I have a custom handler which, when it is passed the challenge for the domain verification, sends the challenge information via HTTPS to ns.example.com:8053/certbot/cache. The small DNS server then stores it and waits for a DNS query on port 53 for that challenge to come in, and if it does, it serves that challenge's TXT record.

  import dnslib

  def add_acme_txt_answers(a, qname, qtype, storage):
    # TXT branch of the query handler: `a` is the dnslib reply being built and
    # storage['domains'] maps a bare domain to the validation codes posted by the hook
    if qtype == 'TXT' and qname.lower().startswith('_acme-challenge.'):
      domain = qname[len('_acme-challenge.'):].strip('.').lower()
      for verification_code in storage['domains'].get(domain, []):
        a.add_answer(*dnslib.RR.fromZone(qname + " 30 IN TXT " + verification_code))

The certbot hook looks like this:

   #!/usr/bin/env python3
   import os
   import urllib.parse
   import requests

   # certbot exports the domain and the validation token for the dns-01 challenge
   r = requests.get('https://ns.example.com:8053/certbot/cache?domain='
                    + urllib.parse.quote(os.environ['CERTBOT_DOMAIN'])
                    + '&validation-code=' + urllib.parse.quote(os.environ['CERTBOT_VALIDATION']))
   r.raise_for_status()  # make certbot fail loudly if the nameserver did not accept the challenge

That one nameserver instance and hook can be used for any domain and certificate, so it is not just limited to the example.com domain, but can also deal with challenges for let's say a *.testing.other-example.com wildcard certificate.

And since it already is a nameserver, it might as well serve the A records for dev1.testing.other-example.com, if you've set the NS record for testing.other-example.com to ns.example.com.
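
A stdlib-only sketch of the same idea, added here as an example and not the commenter's dnslib server: an authoritative responder that answers TXT only for `_acme-challenge.<domain>` from an in-memory store that the deploy and cleanup hooks fill and clear, and returns NXDOMAIN for everything else. The bind address, the helper names and the sample store contents are assumptions.

```python
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
PREFIX = "_acme-challenge."

# Store filled by the deploy hook and emptied by the cleanup hook: bare domain -> validation
# codes. The wildcard *.testing.other-example.com validates under testing.other-example.com.
# Contents below are constructed sample data.
CHALLENGES = {"example.com": ["code-for-example-com"]}

def add_challenge(domain, code):
    CHALLENGES.setdefault(domain.lower().rstrip("."), []).append(code)

def clear_challenge(domain):
    CHALLENGES.pop(domain.lower().rstrip("."), None)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(packet, offset):
    """Read an uncompressed name at offset; return (lowercased name, offset just past it)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), offset + 1

def build_query(name, qtype=QTYPE_TXT, txid=0x1234):
    """A plain recursion-desired query, as a validator's resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def build_response(query):
    """Answer TXT for _acme-challenge.<domain> from CHALLENGES; NXDOMAIN for any other name."""
    txid, flags = struct.unpack("!HH", query[:4])
    qname, offset = decode_name(query, 12)
    qtype = struct.unpack("!H", query[offset:offset + 2])[0]
    question = query[12:offset + 4]
    domain = qname[len(PREFIX):] if qname.startswith(PREFIX) else None
    answers, ancount = b"", 0
    for code in (CHALLENGES.get(domain, []) if qtype == QTYPE_TXT else []):
        rdata = bytes([len(code)]) + code.encode("ascii")  # one <character-string>
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 30, len(rdata)) + rdata
        ancount += 1
    rcode_bits = 0 if domain in CHALLENGES else 3           # NOERROR or NXDOMAIN
    rflags = 0x8400 | (flags & 0x0100) | rcode_bits         # QR, AA, RD copied from the query
    return struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + question + answers

def rcode(response):
    return response[3] & 0x0F

def parse_txt_answers(response):
    """TXT strings from a build_response() packet (every answer name is a pointer to the question)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, offset = decode_name(response, 12)
    offset += 4                                             # skip qtype/qclass
    texts = []
    for _ in range(ancount):
        offset += 2                                         # the 0xC00C pointer
        rdlen = struct.unpack("!H", response[offset + 8:offset + 10])[0]
        rdata = response[offset + 10:offset + 10 + rdlen]
        texts.append(rdata[1:1 + rdata[0]].decode("ascii"))
        offset += 10 + rdlen
    return texts

def serve(bind=("127.0.0.1", 5353)):
    """UDP loop for the host the NS record delegates to (binding port 53 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (IndexError, struct.error, UnicodeDecodeError):
            pass                                            # malformed packet: drop, keep serving

if __name__ == "__main__":
    serve()
```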



It's time for DNS providers to start supporting TSIG + key management. This is a standardized way to manipulate DNS records, and has a very granular ACL.

We don't need 100s of custom APIs.

https://en.m.wikipedia.org/wiki/TSIG


The whole point is to abstract that from the users so they don’t know it’s a giant flat file. Selling a line at a time for $29.99. (I joke, obviously)


Digital Ocean DNS is free (it’s the only reason I have an account there)


General note: your DNS provider can be different from your registrar, even though most registrars are also providers, and you can be your own DNS provider. The registrar is who gets the domain name under your control, and the provider is who hosts the nameserver with your DNS records on it.


Yes, and you can be your own DNS provider only for the challenges, everything else can stay at your original DNS provider.


no you don't, you can just run https://github.com/joohoi/acme-dns anywhere, and then CNAME _acme_challenge.realdomain.com to aklsfdsdl239072109387219038712.acme-dns.anywhere.com. then your ACME client just talks to the ACME DNS api, which lets it do nothing at all aside from deal with challenges for that one long random domain.


You can do it with an NS record, ie _acme_challenge.realdomain.com pointing to the DNS server that you can program to serve the challenge response. No need to make a CNAME and involve an additional domain in the middle.


Yeah, but then you can just as well use http-01 with like same effort.


no, because dns supports wildcard certificates, unlike http.


dns-01 is also good for services on a private network.


Ah, good point.


There's a SaaS version as well, if you don't want to self-host.

https://docs.certifytheweb.com/docs/dns/providers/certifydns...


I've been hoping to get ACME challenge delegation on traefik working for years already. The documentation says it supports it, but it simply fails every time.

If you have any idea how this tool would work on a docker swarm cluster, I'm all ears.


Sounds like a DNS provider problem. Why would Nginx feel the need to compromise because of some 3rd party implementation detail?


Because users would pick an alternative solution that meets their needs when they don't have leverage or ability to change DNS provider. Have to meet users where they are when they have options.


This concerned me greatly so I use AWS Route53 for DNS and use an IAM policy that only allows the key to work from specific IP addresses and limit it to only create and delete TXT records for a specific record set. I love when I can create exactly the permissions I want.

AWS IAM can be a huge pain but it can also solve a lot of problems.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_p...

https://repost.aws/questions/QU-HJgT3V0TzSlizZ7rVT4mQ/how-do...

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/sp...


It's a bit of a pain in the ass, but you can actually just publish the DNS records yourself. It's clear they are on the way out though as I believe it's only a 30 day valid certificate or something.

I use this for my Jellyfin server at home so that anyone can just type in blah.foo regardless of whether their device supports anything like mDNS, as half the devices claim to support it but do not do so correctly.


My company's DNS provider doesn't even have an API so I delegated to a subdomain, hosted it on PowerDNS, and used Lego to automate the ACME.


Is having one key per zone worth paying money for? It's on the list of features I'd like to implement for PTRDNS because it makes sense for my own use case, but I don't know if there's enough interest to make it jump to the top of this list.


If you host a hidden primary yourself you get that easily.


Many DNS providers also don't support having an external primary.


Hurricane Electric support a hidden primary as part of their free DNS nameserver service (do you actually want to expose your primary when someone else can handle the traffic?)

https://dns.he.net


Yup, but it's a bit of a dance for bootstrapping, since they require you to already have delegated to them, but some TLDs require all NSes to be in sync and answer for the domain before delegating…


Do most of them let you add an NS record?


And if they don't, you might consider switching to Cloudflare for DNS hosting.


Give a try to DNSMadeEasy or RcodeZero


if even PowerDNS doesn't support it :(


True for API but you can do DynDNS updates (RFC 2136), TSIG-authenticated on a per-zone basis. [1]

Can even be controlled quite granularly with a Lua-based updatepolicy, if you want e.g. restricting to only the ACME TXT records. [2]

[1] https://doc.powerdns.com/authoritative/dnsupdate.html

[2] https://github.com/PowerDNS/pdns/wiki/Lua-Examples-(Authorit...


I just need one that can repeatedly say “I want to talk to a representative” and when a representative answers “I would like to escalate to your manager”. After that a human on the loop is needed.


> “Soon, everyone will be a developer”

This is the wrong view. It's more like "Soon, everyone will be able to go from idea to a prototype". IMO, there's a different value perception when people can use concrete things even if they are not perfect. This is what I like about end-to-end vibe coding tools. I don't see a non developer using Claude Code but I can totally see them using Github Spark or any similar tool. After that, the question is how can I ensure this person can keep moving forward with the idea.


I had an epiphany about this couple days ago.

You know how the average dev will roll their eyes at taking over maintenance of a "legacy" project, where "legacy" means anything not written by themselves. Well, there will be a lot more of these maintenance takeovers soon. But instead of taking over the product of another dev agency that got fired / bankrupt / ..., you will take over projects from your marketing department. Apps implemented by the designers. Projects "kickstarted" by the project manager. Codebases at the point the anthropic / google / openai / ... tool became untenable. Most likely labelled as "just needs a little bit more work".

These LLM tools are amazing for prototypes. Amazing. I could not be anywhere near as productive for churning out prototypes as claude code is, even if I really tried. And these prototypes are great tools for arriving at the true (or at least slightly better) requirements.

Prototypes should get burned when "real" development starts. But they usually are not. And we're going to do much, much more prototyping in the very near future.


> Apps implemented by the designers. Projects "kickstarted" by the project manager. Codebases at the point the anthropic / google / openai / ... tool became untenable. Most likely labelled as "just needs a little bit more work".

True, but not a new thing! You've never known true development pain until you're told something from another department "needs some help to get productionized", only to find out that it's a 300 tab Excel file with nightmarish cross-tab interdependencies and VBA macros.

Genuinely not sure if vibe coded Python would be an improvement for these types of "prototype" projects. They'll definitely continue to exist, though.


A friend got hired by a defense contractor to be the first developer on a new project! Greenfield developing! It turned out the project was here are 30,000 lines of Fortran77 written by two scientists who got PhDs in Geology in ~1985, please make this do X, Y, and Z.

He left that job a week later. It never went on his resume or LinkedIn.


The prompts used to generate it might serve as a list of requirements, which would be helpful. If the codebase is an utter mess, rebuilding the app from prompts would be an option.

I have no idea whether these sorts of projects would be a rewrite or just tidying up, though. I haven't seen what happens when people with no coding experience prompt these. The code I've seen devs get LLMs to generate is usually okay enough to maintain. Not ideal, but workable.


Well… at least the vibe coded Python codebase has better tooling. There are probably some cool tools for fixing rat's nests of Macro'd Excel, but I've never found them.


> Prototypes should get burned [...] But they usually are not.

"There's nothing more permanent than a temporary solution that works"

I loved reading this blog post[0]. Everything starts with a spreadsheet and then instead of replacing it, people just keep building on top of it forever.

While I found the post funny to read, honestly I'm fine with all the mess. I'm happy to embrace it instead of forever polishing something that I will never ship.

Vibe coded apps are the next level of mess though, and people don't seem to recognise that while betting on 'AI will fix it later'.

[0] https://ludic.mataroa.blog/blog/i-will-fucking-dropkick-you-...


What bums me out is the creativity of coming up with the idea and seeing it through. If the rest of my career involves cleaning up prototypes from PMs, designers and marketing, I will be a little sad.


if development cost trends to zero but maintenance requires expertise, there will be no maintenance, all code will be thrown out ASAP


How will this work for users that depend on the software, and businesses that depend on the revenue from those users?


You vibe code a new release with all the previous context plus "fix also this bug".


a mixture of ossification if something mostly works, and a constantly shifting morass for the rest

so somewhat worse than what we have now


This sounds like an absolute nightmare


Wouldn't it be better if it did work and they did not need programmers? Oh wait...


It would. And some projects will manage to stay within the bounds of what AI tools can do, and require precisely no programmers.

Who knows, maybe a couple of years down the line the bounds expand, and "some" transforms into "many", maybe even "most" way, way later.


Absolutely! AI coding is a communication lubricant. It enables non-technical people to express complex software ideas without the friction of asking a developer for help or even working with a no-code tool.

Software development doesn't occur in a vacuum -- it's part of a broader ecosystem consisting of tech writers, product managers, sales engineers, support engineers, evangelists, and others. AI coding enables each person in the org to participate more efficiently in the scoping, design, and planning phases of software development.


Instead of expecting anyone to raise their standards and learn the bare minimum about software development to have a conversation about it, we're lowering the bar

Again and again and again


Who says it's about lowering the bar? If someone can build a more concrete view of their ideas, which in most cases are requirements, then the conversation can be about nuances and not trying to figure out what this person wants. I would say it makes the conversation of the software development process easier because now you can discuss exactly why or why not it cannot be possible or the challenges you'll have to implement it.


I do fear this framing though. It's going to be annoying with someone in a meeting using GPT on the side saying "No, it's totally possible to scale this way. Make it happen" because they're feeding what you say to a GPT to counter you with nonsense.

I'm using LLMs a fair bit so I'm not doom and gloom entirely on it, but I do think our adjustment period is going to be rough. Especially if we can't find a way to make the LLMs actually reliable.


If you can prompt AI that well, couldn't you just explain it to another human? Or is it the faster prototyping iterations that help them refine their ideas? As in, I'm not sure what I want so I'll use AI to build a few prototypes and clarify my ideas?


I’m a visual person so having something I can see and experience typically helps me understand someone’s idea better than if they’re describing something and I’m trying to imagine it. It also helps to have a concrete artifact because we can methodically catalogue its characteristics and define which ones are exactly what the person means, kind of what they mean but they still need help refining it, or completely up for grabs. This is why I find prototypes, wireframes, and sketches to be useful tools for defining the solution space.


It's great that more non developers can create their own software now and I made it clear that I'm in full agreement with this. What I'd argue is that people who build software professionally and got really good at it (or want to) focus on completely different types of projects where vibe coding is irrelevant.


Everyone who can afford it once AI companies actually start selling at a price that can generate profits.

If people have to pay e.g. $100 for each of those prototypes, I doubt they’ll be very popular. Sure it’s still cheaper than paying a dev but it will be expensive to iterate and experiment.


Open models are ~6mo behind current closed SotA, and are hosted by many parties that have no incentive to subsidise the cost, so they're making some profit already. The biggest thing in our favor is that there isn't just oAI. There are 3 main closed providers, and plenty of open models released every cycle. Even if they're gonna raise the prices, there's enough competition so that eventually it levels off at a point. I think that point will still be "affordable". Certainly cheaper than a full time dev, even outsourced.


the new wordpress/shopify blogs/sites/stores


Yeah, like soon everyone will be a poet, or a multi-linguist, or a song writer, academic, copywriter, artist, counselor, etc.

I think overzealous LLM hype is a sort of Gell-Man amnesia.


That’s a good way to think about it. AI can help me translate languages, but I’m definitely not a translator.


Depends how critical computers are to one's life, I think. I wouldn't call myself a cook, but I need to eat, so I can make a mean bowl of pasta when it comes down to it. Given another five-ten years of development, I expect tooling to develop that lets everyone automate computers to a degree previously reserved for professional programmers, akin to what the microwave oven did for cooking. The ability to microwave a hot pocket doesn't remotely make me a cook, but I won't starve, either.


Reading that I thought everyone could be a series of APIs. We are all experts at something. Something like: when was building X at the end of Y street demolished?


In a related subject, what’s the best hardware to run local LLMs for this use case? Assuming a budget of no more than $2.5K.

And, is there an open source implementation of an agentic workflow (search tools and others) to use with local LLMs?


You can get used RTX 3090s for $750-800 each. Pro tip: look for 2.5-slot sized models like EVGA XC3 or the older blower models. Then you can get two for $1600, fit them in a full size case, 128GB DDR5 for $300, some Ryzen CPU like the 9900X and a mobo and case and PSU to fill up the rest of the budget. If you want to skimp you can drop one of the GPUs until you're sure you need 48GB VRAM and some of the RAM but you really don't save that much. Just make sure you get a case that can fit multiple full size GPUs and a mobo that can support it as well. The slot configurations are pretty bad on the AM5 generation for multi GPU. You'll probably end up with a mobo such as Asus ProArt.

Also none of this is worth the money because it's simply not possible to run the same kinds of models you pay for online on a standard home system. Things like ChatGPT 4o use more VRAM than you'll ever be able to scrounge up unless your budget is closer to $10,000-25,000+. Think multiple RTX A6000 cards or similar. So ultimately you're better off just paying for the online hosted services


I think this proves one of the suckpoints of AI : there are clearly certain things that the smaller models should be fine at... but there doesn't seem to be frameworks or something that constantly analyze and simulate and evaluate what you could be doing with smaller and cheaper models

Of course the economics are completely at odds with any real engineering: nobody wants you to use smaller local models, nobody wants you to consider cost/efficiency saving


> but there doesn't seem to be frameworks or something that constantly analyze and simulate and evaluate what you could be doing with smaller and cheaper models

This is more of a social problem. Read through r/LocalLlama every so often and you'll see how people are optimizing their usage.


I've wondered about this also. I have an MBA and like that it's lightweight and relatively cheap. I could buy a MBP and max out the RAM, but I think getting a Mac mini with lots of RAM could actually make more sense. Has anyone set up something like this to make it available to their laptop/iPhone/etc.?

Seems like there would be cost advantages and always-online advantages. And the risk of a desktop computer getting damaged/stolen is much lower than for laptops.


I'm using Zed which supports Ollama on my M4 Macs.

https://zed.dev/blog/fastest-ai-code-editor


I got an M3 Max (the higher end one) with 64GB RAM MacBook Pro a while back for $3k, might be cheaper now that the M3 Ultra is out.


You can build a pretty good PC with a used 3090 for that budget. It will outperform anything else in terms of speed. Otherwise, you can get something like an m4 pro mac with 48gb ram.


Unless autonomous drones happen, Russia has proved fiber drones are the way to go. Not saying jammers wouldn’t be needed, but Russia had a lot of success using fiber drones to retake Kursk.


> Unless autonomous drones happen

Autonomous drones are an inevitability. Enormous force multiplication is available with autonomy. We're talking about a few people, or perhaps one person, defeating battalions.

The truth is autonomous weapons have been in use for a long time now. Mark 60 CAPTOR anti-submarine mines (circa 1979) autonomously identified enemies and launched a torpedo to destroy submarines.


The drones Ukraine used in operation Spiderweb reportedly had "terminal guidance" software for the last mile of their mission.

A drone video intercepted by the russians was released showing this in action: https://en.defence-ua.com/weapon_and_tech/how_ukrainian_fpv_...


Probably trained for a specific location and targets, but if you see how fast people adapt in the war of drones, I feel drones would need constant updates which might not be possible on certain frontlines. A tank at the beginning of the Ukraine invasion doesn’t look even close to what they look like now with all the anti-drone add-ons.


Are you implying Ukraine left Kursk because of fiber optic drones? Because I can assure you, that's got nothing to do with it.

I can also assure you that Ukraine is using fiber optic, semi- and fully autonomous drones with great effectiveness against the invaders.


It had a lot to do with it. Kursk was a heavily forested area where the Ukrainians largely had small troop deployments hiding under tree cover where fiber optic drones would hunt them down.

There are thousands of videos of this in Kursk alone.

Ukraine are able to set up "shielded corridors" to protect critical supply roads from fiber optic drone attack behind the front lines in the Donbas, but in Kursk they were exposed and defenseless.


I’m not implying that but it was one of the first places where they used it extensively.


Fiber optic is just an adaptation. The war has been full of them. The logical end step seems to be autonomy. There is nothing special about fiber optic, it’s just a way to avoid EW.


*for some tasks and mission sets


Who also developed LXD and contributed to LXC. I wouldn’t say it’s just a fork but a continuation of the project without Canonical.


You're right, I should've worded it differently.


The problem is not the amount of land but whether that land is economically viable. Farming already has low margins. So, if you grab a good location to build a data center and push the farmland even further away from population centers, then you are pretty much killing family farms.


There are virtually no family farms left in the US. Especially central Indiana corn farmers. 1200 acres wouldn’t be a financially viable corn farm if it were family farmed.


I think this is really close. My hunch is that agricultural land is just simply cheaper to acquire and convert, as compared to industrial land which may or may not have all kinds of remediation or razing that needs to happen to it first.


I worked with teams located in Israel, Ukraine, Poland, the UK and the Eastern, Central and Western US while based in Mountain Time.

Long story short, really weird times. Even though most of the communications were async, I still started really early and then called it at midday because I didn't have more battery on me. I followed up on things by mobile chat in the afternoon but I was already checked out mentally by 2pm. Sometimes when I felt rested enough I gave it a little more in the nights and coordinated with early birds from Europe before I hit the bed.

This went on for over 2 years easily. I gotta say I completely burned out and it took me a long time to recover.

For the ones asking why: the business outsourced some services overseas which became part of the critical path.


Why did you do this? Did you not have contracted hours in your timezone?


Currently living in central time and working for a company on eastern time. It’s pretty sweet. I’m up at 630 cst which is 730 est but no one really wants a meeting before 9am est (8am cst). I get a few texts between 7 and 8 cst but no big deal. Back there they are winding down around 3pm est which means I often have from 2pm cst on all to myself and it’s still sunny and beautiful out for a long time. My biggest challenge is staying up past 8pm cst which is a solid 6 hours after work has finished but the sun is still out. I’m losing the evening fishing time.


60 years actually, but for the recent criminality you need to look to Venezuela’s attempt at revolution in the late '10s, which generated the expansion of the Tren de Aragua, which evolved extortion from random events to an enterprise-level kind of thing.


They already extort every single producer. Any coffee and avocado coming from South America has an extortion tax somewhere in the supply chain, whether it’s to the farmers, shipping companies, distribution center warehouses at port or whatever you imagine. The extortion comes as placing gang members as part of security, real threats or just bribes to unlock to keep moving towards the consumer.

Illegal goods have better margins but extortions provide a platform for power and money with less effort.

