Dns_rfc2136_server IP

My domain is: rc.fas.harvard.edu

I have a general question about rfc2136 credentials as described here:

I am creating the credentials file on one of our hosts that will be trying to get a certificate. And our DNS server has both a private and public IP address (using NAT). Should the IP that I put into this credential file be the private IP that my host can use to access the DNS server? Or should it be the public IP that Let's Encrypt's services would use to access our DNS server? The host that I'm creating this credential file on cannot access the DNS server via the public IP address due to routing issues, but I wasn't sure if the host was going to need to directly contact the DNS server or if this is just credential information that it feeds to Let's Encrypt via certbot.


I ran this command:

It produced this output:

My web server is (include version): apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.32.0

Yes. Certbot needs to talk directly to the nameserver in order to create the record, so a private IP makes sense.

No. Let's Encrypt will use recursive DNS, from the public root servers, to determine which nameserver to query for your domain.

This also means that your RFC2136 changes must be visible publicly. If you're updating _acme-challenge.rc.fas.harvard.edu on a nameserver which is only visible to your internal private network, it won't work. The record needs to be published to public DNS.
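A small check for the two conditions in the reply above, as an added example (not from this thread or from Certbot itself): it parses the dns-rfc2136 credentials file Certbot expects, classifies the configured server address (a private NAT-side address is acceptable, since Certbot sends the dynamic update itself), and optionally tests that this host can reach that address on the update port. The key names are Certbot's; the sample addresses and TSIG secret are constructed placeholders. Whether the record is then visible from public DNS still has to be checked from outside your network (for example with a public resolver).

```python
import configparser
import ipaddress
import socket

# Keys Certbot's dns-rfc2136 plugin requires in its credentials file.
REQUIRED_KEYS = ("dns_rfc2136_server", "dns_rfc2136_name",
                 "dns_rfc2136_secret", "dns_rfc2136_algorithm")

def parse_credentials(text: str) -> dict:
    """Parse Certbot's sectionless 'key = value' file into a dict."""
    parser = configparser.ConfigParser()
    # Certbot's file has no [section] header; configparser needs one.
    parser.read_string("[rfc2136]\n" + text)
    creds = dict(parser["rfc2136"])
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    creds.setdefault("dns_rfc2136_port", "53")
    return creds

def classify_server(creds: dict) -> str:
    """Return 'private', 'public' or 'hostname' for dns_rfc2136_server.
    A private (NAT-side) address is fine: Certbot on this host sends the
    update itself, so only this host needs to reach the server."""
    try:
        addr = ipaddress.ip_address(creds["dns_rfc2136_server"])
    except ValueError:
        return "hostname"
    return "private" if addr.is_private else "public"

def server_reachable(creds: dict, timeout: float = 3.0) -> bool:
    """TCP connect to the configured server:port (needs network access)."""
    target = (creds["dns_rfc2136_server"], int(creds["dns_rfc2136_port"]))
    try:
        with socket.create_connection(target, timeout):
            return True
    except OSError:
        return False

# Constructed sample: a NAT-side address and a placeholder TSIG secret,
# not values from any real deployment.
SAMPLE = """\
dns_rfc2136_server = 10.0.0.53
dns_rfc2136_port = 53
dns_rfc2136_name = certbot-key.
dns_rfc2136_secret = EXAMPLE_BASE64_SECRET_PLACEHOLDER==
dns_rfc2136_algorithm = HMAC-SHA512
"""
```

Run `server_reachable(parse_credentials(SAMPLE))` on the host that will run Certbot; a False result means the host itself cannot reach the nameserver, independent of what Let's Encrypt can see.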


Thank you for the quick reply! This makes sense.

