DNS API BIND 9 integration: is there a proper way of doing this?

I have recently switched to using the DNS API.
My setup is not that common:
OpenBSD running chrooted Bind9

The DNS server is on the same machine I run acme.sh from. I wonder if someone has made an API or script for taking care of updating the zone file at renewal; if so, please share.

If not, is there a way for acme.sh to output only the domain key at the renewal request, nothing else:

[Sun Jan 9 10:11:12 CET 2021] TXT value: '12345....'

I guess it will not be hard to write a script which updates the zone file with the new key, increments the serial, reloads bind, waits a bit, does the renewal, then reloads the webserver, but I wonder if there is a polished way to do this already.

Thanks

What's wrong with the acme.sh dns_nsupdate.sh script?

See also: dnsapi · acmesh-official/acme.sh Wiki · GitHub

Yes, it's normally called something like: DNS API update integration.
Bind9 supports such updates via RFC 2136.
https://bind9.readthedocs.io/en/v9_16_10/advanced.html#dynamic-update

And acme.sh supports Bind9 too - they should work well together :slight_smile:

And nsupdate is an RFC 2136 client. See my reply above.

1 Like

That's a bit unnecessarily complex. Generating DNS keys, seriously, when it's on localhost? You can just specify 127.0.0.1 for the update IP and use:

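```bash
#!/usr/local/bin/bash
# Publish a Let's Encrypt dns-01 TXT value through a dynamic update to the local BIND.

DOM="yourdomain.com"

if [ "$#" -ne 1 ] || [ -z "$1" ]; then
    echo "Usage: $0 <TXT AUTHKEY FOR LETSENCRYPT>"
    exit 1
fi

# Use a private, unpredictable temp file rather than a fixed name in /tmp,
# and remove it on exit whether or not nsupdate succeeds.
T="$(mktemp /tmp/nsupdate.XXXXXXXXXX)" || exit 1
trap 'rm -f "$T"' EXIT

# Replace any existing challenge TXT record with the new value.
cat > "$T" <<-EOF
server 127.0.0.1
zone $DOM
update delete _acme-challenge.$DOM. TXT
update add _acme-challenge.$DOM. 600 TXT "$1"
show
send
EOF

nsupdate "$T"
```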

Thanks for the idea anyway :wink:

1 Like
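
As an added example (not written by any poster in this thread, and not acme.sh or BIND project code): the two ways of authorizing RFC 2136 updates that the thread contrasts, as named.conf fragments. The key name `acme-key`, the zone file path and the secret placeholder are assumptions; `yourdomain.com` is the placeholder from the script above.

```conf
// named.conf fragments. Use only ONE of the two zone statements;
// two zone statements for the same name in one file is a configuration error.

// (a) Address-based authorization, which the keyless script relies on.
//     Any local process able to send from 127.0.0.1 may add, change or
//     delete ANY record in the zone, not only the ACME challenge.
zone "yourdomain.com" {
    type master;
    file "master/yourdomain.com.zone";    // assumed path inside the chroot
    allow-update { 127.0.0.1; };
};

// (b) Key-based authorization, scoped to the challenge record.
//     Generate the key statement with: tsig-keygen -a hmac-sha256 acme-key
//     and keep the file holding it readable only by named and the ACME user.
key "acme-key" {                          // hypothetical key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   // placeholder, not a real secret
};

zone "yourdomain.com" {
    type master;
    file "master/yourdomain.com.zone";    // assumed path inside the chroot
    // Holders of acme-key may touch only TXT records at this one name.
    update-policy {
        grant acme-key name _acme-challenge.yourdomain.com. TXT;
    };
};

// Either way the zone becomes dynamic: named writes a .jnl journal next to
// the zone file, so that directory must be writable by named in the chroot,
// and manual edits of the zone file need "rndc freeze" / "rndc thaw".
```

With variant (b) the client has to present the key, for example `nsupdate -k <keyfile>`; acme.sh's dns_nsupdate hook takes the same key file through `NSUPDATE_KEY`.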
