1. Forum
  2. Newsgroups
  3. comp.protocols.dns.bind

  • BIND, nsupdate and acme.sh DNS authentication

    From Brett Delmage@Brett@BrettDelmage.ca to bind-users on Thu Jul 23 15:13:06 2020
    From Newsgroup: comp.protocols.dns.bind

    On Thu, 23 Jul 2020, Michael De Roover wrote:

    For example I don't trust Manjaro's maintainers, since they screwed up
    their TLS certificate renewal no less than 3 times. That's complete and
    utter incompetence on their part.

    How they didn't already put certbot in a cron job after the first time
    is beyond me.

    To get this topic back on topic for this list:

    When you are creating Let's Encrypt wildcard certificates you must use a
    DNS authenticiation protocol with letsencrypt. I am using the acme.sh
    client which was recommended for wildcard
    certificates. https://github.com/acmesh-official/acme.sh

    If you are running your own nameserver you also need to enable dynamic
    updates so that the acme.sh client can create TXT records during
    certificate acqusition and renewal.

    However I have found that getting zone dynamic updates (authentication, specifically) working with nsupdate (which acme.sh uses) and BIND have
    been a PITA. I haven't been overly impressed with the debug capabilities
    to help get nsupdate working properly.



    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Michael De Roover@isc@nixmagic.com to bind-users on Fri Jul 24 01:54:42 2020
    From Newsgroup: comp.protocols.dns.bind

    On 7/23/20 9:13 PM, Brett Delmage wrote:
    To get this topic back on topic for this list:

    When you are creating Let's Encrypt wildcard certificates you must use
    a DNS authenticiation protocol with letsencrypt. I am using the
    acme.sh client which was recommended for wildcard certificates. https://github.com/acmesh-official/acme.sh

    If you are running your own nameserver you also need to enable dynamic updates so that the acme.sh client can create TXT records during
    certificate acqusition and renewal.

    However I have found that getting zone dynamic updates
    (authentication, specifically) working with nsupdate (which acme.sh
    uses) and BIND have been a PITA. I haven't been overly impressed with
    the debug capabilities to help get nsupdate working properly.

    Interesting, I wasn't aware of this. Looking at Manjaro's site again, I
    found that their main website indeed uses a wildcard certificate while
    the forum (which was affected by the certificate renewal issues if
    memory serves me right) uses its own dedicated cert. Granted these
    renewal issues were already a few years ago so perhaps they changed some things here and there by now.

    I had heard of Let's Encrypt's wildcard certs but never looked further
    into it. Would certainly be useful though, as subdomains are an easy way
    to separate services. Unfortunately bacme (which I currently use)
    doesn't seem to support the DNS-based ACME challenges. I've cloned the
    acme.sh repository and will look further into it.

    --
    Met vriendelijke groet / Best regards,
    Michael De Roover
    --- Synchronet 3.18a-Linux NewsLink 1.113