It should also be noted that as shown in the example - the internal zone can and should be any working zone setup, it is not limited to be a slave and can be any setup following the docs at https://certbot-dns-rfc2136.readthedocs.io/en/latest/
zone example.com {
type “any working setup”;
file “var/named/dynamic/example.db”;
};
var/named/dynamic/example.db is the example for a Centos 7 dynamic DNS setup out of the box and usually that can be - and usually is - the managed keys directory also - on Centos 7 and the key can and probably should be put there also. It may be slightly different on other Linux Distributions
The RFC2136 DNS authenticator may report “the peer does not know the key we used”, or it may report it “cannot find the base domain” in the log both of which will result in a failure of cert update or delivery
In a working example, NSUPDATE will appear to work - just simply will not actually do the update . . . and it may report a “TSIG error”
Finally it should be noted the example from the serverfault site was initially a bug that was fixed and no longer exists in BIND 9.11
Finally, when BIND is setup as a SOA DNS using forwarder servers like Google’s public DNS servers you may still need to use a propagation delay and restart the local DNS (named) on Centos 7 so the changes are flushed into the zone file and propagated out tot he forwarder DNS so the text files are seen when the RFC2136 authenticator comes back to look at the end of the propagation delay period
This can be seen via a DIG command for the TXT files during the propagation period wait. Centos 7’s version of BIND comes set up as a Dynamic DNS, but a timing delay may still cause the RFC2136 DNS authenticator to fail if not manually flushed to the zone file during a prorogation delay period and BIND (named) restarted before thee period is up…
A “rndc sync” command will flush the changes to the zone file, and the restart of named will propagate it to the forwarder DNS for view via DIG and the RFC2136 authenticator to discover and see
If you are using any other DNS provider with an API - or are using Google’s Cloud Service this above may not be necessary
A script can be written to automate this and set up to run via cron using tmux. See also https://unix.stackexchange.com/questions/387666/run-commands-in-tmux-from-terminal