Debian 10, wildcard setup/renew without my fingers in the pie

Bind is not widely used, apparently?

1 Like

At risk of attracting lightning, you might look at

https://si.okiefrog.org/

for ideas. If you control your complete DNS setup (ie no external DNS servers) then the
article can be made much simpler.

2 Likes

It's an older article, but it specifically covers managing DNS-01 ACME challenges on ISC BIND.

5 Likes

Anyone capable of properly using Bind is likely not going to need much help here - LOL

11 Likes

Based on their comments and tone, the OP is clearly the smartest person in this thread and possibly the world.

The following information is for others:

This is an extremely old version of Certbot from January 2019, which does not support a lot of features and integrations. It is highly recommended to use the most recent version of Certbot, either installed via Snapd on the target machine, or installed locally through whatever means they prefer.

Wildcard certs require the DNS-01 challenge. To handle updates automatically with BIND, one can use the dns_rfc2136 plugin (Welcome to certbot-dns-rfc2136's documentation! - certbot-dns-rfc2136 0 documentation) which ships as part of Certbot's core distribution (see User Guide - Certbot 2.6.0 documentation).

Most people prefer to use the acme-dns approach, which @griffin noted, because it is streamlined, avoids caching issues that platforms often have, and is the most secure DNS option. See A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation | Electronic Frontier Foundation

In a typical acme-dns setup:

  • a secondary, dedicated DNS namespace is created for LetsEncrypt authentication
  • the primary DNS delegates specific DNS verification records to acme-dns
  • pre/post hooks are used to start/stop the acme-dns server and firewall rules, so it's only available when needed

This can be done with BIND, but acme-dns offers an API to handle all the communication and setup. It's easier and has better debugging.

12 Likes

Talk about copping an attitude, "Community Leader", mean tweets, LOL...

Thanks all for your help, clearly not as "simple" as one would expect, yet possible if you want something for nothing.

This might be of interest...

The nsupdate.sh hook script included in the distribution allows managing dns-01 challenges with nsupdate. This only works if your name server supports RFC2136 (bind does, nsd doesn't).

2 Likes
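The dns_rfc2136 plugin described earlier in the thread and the nsupdate.sh hook mentioned in the last reply rely on the same mechanism: a TSIG-authenticated RFC 2136 dynamic update that adds a TXT record at _acme-challenge.<domain> and removes it afterwards. The POSIX shell script below is an added example, not code from this thread, from Certbot or from any hook distribution; it implements that update as a certbot --manual-auth-hook / --manual-cleanup-hook pair and shows, in comments, the BIND-side update-policy that keeps the key's privileges limited. The zone example.com, the server address 127.0.0.1, the key name acme-update and the key file path are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or any hook distribution):
# publish the DNS-01 challenge TXT record on a BIND primary via nsupdate.
#
# One-time BIND setup (assumed names), so the key can only touch TXT records:
#   tsig-keygen -a hmac-sha256 acme-update > /etc/bind/acme-tsig.key
#   zone "example.com" {
#       type primary; file "/var/lib/bind/db.example.com";
#       update-policy { grant acme-update wildcard *.example.com. TXT; };
#   };
# A key scoped like this cannot rewrite A/MX/NS records even if the host
# running certbot is compromised.
set -eu

ZONE="${ACME_ZONE:-example.com}"                                # assumed zone
SERVER="${ACME_DNS_SERVER:-127.0.0.1}"                          # assumed BIND primary
KEYFILE="${ACME_TSIG_KEYFILE:-/etc/letsencrypt/acme-tsig.key}"  # assumed key path
TTL=60

# Emit the nsupdate batch for one challenge record.
#   $1 = add|delete   $2 = domain (CERTBOT_DOMAIN)   $3 = token (CERTBOT_VALIDATION)
# A wildcard name "*.example.com" validates at _acme-challenge.example.com,
# so a leading "*." is stripped. Inputs come from the environment, so they
# are checked before being interpolated into nsupdate commands.
build_update() {
    action="$1"; domain="${2#\*.}"; value="$3"
    case "$domain" in
        "$ZONE"|*."$ZONE") ;;
        *) echo "domain $domain is not inside zone $ZONE" >&2; return 1 ;;
    esac
    case "$value" in
        *[!A-Za-z0-9_-]*|"") echo "refusing validation token with unexpected characters" >&2; return 1 ;;
    esac
    name="_acme-challenge.${domain}."
    case "$action" in
        add)    rr="update add ${name} ${TTL} IN TXT \"${value}\"" ;;
        delete) rr="update delete ${name} IN TXT \"${value}\"" ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s.\n%s\nsend\n' "$SERVER" "$ZONE" "$rr"
}

# Send the batch to the server, signed with the TSIG key (-v forces TCP).
apply_update() {
    build_update "$@" | nsupdate -k "$KEYFILE" -v
}

# Poll the authoritative server until the TXT record is visible
# (dig is in bind9-dnsutils on Debian).
wait_for_txt() {
    name="_acme-challenge.${1#\*.}."; value="$2"; tries=0
    while [ "$tries" -lt 10 ]; do
        if dig +short "@${SERVER}" TXT "$name" | grep -qx "\"${value}\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "TXT record for $name not visible on $SERVER" >&2; return 1
}

# Hook entry point: "auth" before validation, "cleanup" after it.
main() {
    d="${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set}"
    v="${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set}"
    case "${1:-auth}" in
        auth)    apply_update add "$d" "$v"; wait_for_txt "$d" "$v" ;;
        cleanup) apply_update delete "$d" "$v" ;;
        *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
}

# Run only when invoked with a mode argument (certbot does so); sourcing
# the file without arguments just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Installed as /usr/local/sbin/acme-nsupdate.sh, it would be wired in with certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/sbin/acme-nsupdate.sh auth' --manual-cleanup-hook '/usr/local/sbin/acme-nsupdate.sh cleanup' -d example.com -d '*.example.com'. The dns_rfc2136 plugin does the same add, wait and delete internally; what this script makes visible is the part that matters for a BIND operator, namely that the TSIG secret is only as dangerous as the update-policy grants it.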

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.