Certbot Problem with DNS verification using BIND

Several months ago I configured my certbot and my dns (bind), by delegating subdomains for verification purposes to separate zone files; roughly as described in this article.

At the time, this setup worked perfectly.
Recently, though, it broke, apparently because new certbots get confused about SOA records and try to update the parent zones instead of the relevant subdomain.

I temporarily "fixed" renewals by eliminating the sub-domain structure, but I'd like to return to something with separate zone files, because I like editing my zones manually, to add comments, etc., and unfortunately automatic updates nuke them all and create *very* ugly zone files.

Does anyone have a solution for this? [1]

My domain is:
(this is not significant, the problem is bind & certbot related)

I ran this command:
certbot renew
(But then again, everything works with a bog-standard config)

It produced this output:
With the subdomain structure in place, certbot will try to update the top domain. If you didn't authorize it in the top domain, this will result in a DENIAL from BIND. Otherwise certbot will fail at the verification stage.[2]

My web server is
Not applicable. This problem is specific to DNS verification only.

The operating system is:
Fedora 42 with certbot-3.3.0-1.fc42

My hosting provider is:
Not applicable

I can login to a root shell on my machine:
Yes

I'm using a control panel to manage my site:
No

The version of my client is:
certbot 3.3.0


  1. Note: The obvious thing that comes to mind is to delegate to a separate nameserver, so that the "_acme-challenge" subdomains will live in a separate environment and certbot can't get confused, but anything simpler would be a boon!

  2. This latest failure happens because BIND will ignore any definition in the top, less specific, zone and respond to queries based only on the more specific subdomain zone, as delegated, which at this point rests untouched by certbot's attempts.

Not sure if certbot has that option, but other clients (acme.sh and Lego, IIRC) have an option to use a CNAMEd domain for the DNS challenge, if you link the _acme-challenge subdomain to something you control (and simpler).

1 Like
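For readers who want to see what the two approaches in this thread look like in BIND terms, here is an added configuration example; it is not the original poster's configuration nor anything from the certbot or BIND projects. It shows the "separate zone file" layout from the first post (a hand-edited parent zone with no dynamic updates, a delegated _acme-challenge child zone, and a TSIG key that is only allowed to touch TXT records inside that child) together with the CNAME trick from the reply (other hostnames alias their challenge name into the delegated zone). The domain example.com, the key name acme-update, the addresses, file paths and the serial numbers are all assumed values. It does not change how certbot chooses which zone to send its update to, which is the open question in the thread; it only makes sure that an update aimed at the parent zone is refused rather than silently rewriting a hand-edited file.

```conf
// ---- /etc/named.conf (relevant parts; paths and key name are assumed) ----

// TSIG key used only by the ACME client. The secret is a placeholder;
// generate a real one with: tsig-keygen acme-update
key "acme-update." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

// Hand-maintained parent zone. No allow-update / update-policy here, so any
// dynamic update aimed at example.com (including one signed with the ACME
// key) is answered with REFUSED and named never rewrites this file.
zone "example.com" IN {
    type primary;
    file "/var/named/example.com.zone";
};

// Delegated child zone that receives the challenge TXT records. The key may
// add or delete TXT records inside this zone only (least privilege).
zone "_acme-challenge.example.com" IN {
    type primary;
    file "/var/named/dynamic/_acme-challenge.example.com.zone";
    update-policy {
        grant acme-update. zonesub TXT;
    };
};

; ---- /var/named/example.com.zone (hand-edited; comments survive) ----
$ORIGIN example.com.
$TTL 3600
@                   IN SOA  ns1.example.com. hostmaster.example.com. (
                            2024010101 ; serial (assumed)
                            3600       ; refresh
                            900        ; retry
                            1209600    ; expire
                            300 )      ; negative-cache TTL
@                   IN NS   ns1.example.com.
ns1                 IN A    192.0.2.53
www                 IN A    192.0.2.80

; Delegate the challenge label to its own zone on the same server.
_acme-challenge     IN NS   ns1.example.com.

; Other hostnames alias their challenge name into the delegated zone, so the
; ACME client only ever needs write access to _acme-challenge.example.com.
_acme-challenge.www IN CNAME _acme-challenge.example.com.

; ---- /var/named/dynamic/_acme-challenge.example.com.zone ----
; Nothing hand-written lives here, so it does not matter that named rewrites
; this file after every dynamic update.
$ORIGIN _acme-challenge.example.com.
$TTL 60
@   IN SOA  ns1.example.com. hostmaster.example.com. (
            1 3600 900 1209600 60 )
@   IN NS   ns1.example.com.
```

Check the files with `named-checkconf` and `named-checkzone example.com /var/named/example.com.zone` before reloading. With this layout an update that targets example.com is refused even when it carries the right key, which is the DENIAL behaviour the first post describes, so the client has to be one that writes to the delegated zone (or, for acme.sh, one pointed at it with `--challenge-alias example.com`, which makes both example.com and www.example.com place their TXT records at _acme-challenge.example.com via the CNAME above).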