Comment 3 for bug 1971856

Juan Pablo Suazo (jsuazo) wrote:

A solution could be adding a new option in "pools.yaml" for powerdns to specify the location of the CA cert needed to verify the connection to the API endpoint, something like:

options:
        host: <IP>
        port: <PORT>
        api_endpoint: https://<FQDN>
        api_token: <API Key>
        api_ca_cert: <ca-cert-location>

Then, in designate/designate/backend/impl_pdns4.py:

    def __init__(self, target):
        super(PDNS4Backend, self).__init__(target)

        self.api_endpoint = self.options.get('api_endpoint')
        self.api_token = self.options.get('api_token')
        self.tsigkey_name = self.options.get('tsigkey_name', None)

+ self.api_ca_cert = self.options.get('api_ca_cert')

        self.headers = {
            "X-API-Key": self.api_token
        }

(···)

        try:
            requests.post(
                self._build_url(),
                json=data,
                headers=self.headers,
                verify=self.api_ca_cert
            ).raise_for_status()
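
Review bot: `verify=self.api_ca_cert` is passed on this one `requests.post` call, so every other requests call this backend makes to the API has to repeat the argument or it will not use the configured CA. Consider setting it once, for example on a shared `requests.Session` created in `__init__`, and documenting the new `api_ca_cert` key alongside the other pool options.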

Maybe differentiating the cases when the certificate is defined and when it isn't.
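
One way to differentiate the two cases mentioned at the end of the comment, as an added example (not part of the original comment or of Designate's code). `resolve_verify` is a hypothetical helper, and `api_ca_cert` is the option name proposed above, not an existing one.

```python
import os


def resolve_verify(options):
    """Map the proposed 'api_ca_cert' pool option to a value for requests' verify=.

    Option unset (key missing or null) -> True: verify against the default CA bundle.
    Option set to a readable file      -> that path: verify against this CA only.
    Anything else                      -> ValueError, so a bad setting cannot
                                          silently switch verification off.
    """
    ca_cert = options.get('api_ca_cert')
    if ca_cert is None:
        return True
    # False, 0 or '' are falsy; requests treats verify=False as
    # "do not verify", so such a value is rejected instead of forwarded.
    if not isinstance(ca_cert, str) or not ca_cert.strip():
        raise ValueError("api_ca_cert must be a path to a CA certificate file")
    path = os.path.expanduser(ca_cert.strip())
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        raise ValueError("api_ca_cert %r is not a readable file" % path)
    return path


if __name__ == '__main__':
    # Constructed sample options, shaped like the pools.yaml snippet above.
    print(resolve_verify({'api_endpoint': 'https://pdns.example.test'}))
```

Calling this once in `__init__` makes a mistyped path fail when the backend is loaded instead of on the first API request.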