Update two name servers with RFC2136 plugin?

Martin_0 · May 31, 2019, 2:43pm

I have two name servers. So far, certbot works fine with --dns-rfc2136 and updating the primary name server. However, just in case the first one is down, I would like to use the second name server, too. But I did not find a way to update the text records at two name servers at once. Is there any way to do this?

Phil · May 31, 2019, 3:12pm

Hi @Martin_0,

Welcome to the forum. I don’t believe the dns-rfc2136 plugin allows for updating multiple DNS servers, but you could request the feature at https://github.com/certbot/certbot.

cpu · May 31, 2019, 4:29pm

Hi @martin_0

Can you talk more about how your authoritative nameservers are configured? Do you run them yourself, if so with what software?

Typically you wouldn't maintain separate zone data amongst all of the nameservers and update them one by one like it sounds like you might be doing. Instead I'd expect one nameserver to be the primary and the others to be configured to automatically sync changes in the zone using the AXFR mechanisms built into DNS. In that setup Certbot only needs to update the primary nameserver with the RFC 2136 plugin and then wait until all of the secondary nameservers have synchronized with the primary by AXFR.

Edit: Or I might have misunderstood your question! Is the idea you would like to use RFC 2136 with one of the secondary nameservers in case a primary is down?

Martin_0 · June 4, 2019, 3:12pm

OK, I’ll request the feature, thanks!

Martin_0 · June 4, 2019, 3:19pm

I’m not sure whether I was able to even ask the question in a way, that it could be understood

I have two identically configured nameservers, that do not have any connection in between, i.e. there is no master and no slave — real democracy (Maybe it’s not the best configuration for a name server, however and I should just change it.)

certbot allows me to use one name server, but not both. If the first one is down for some reason, I need to reconfigure certbot manually to use the other one (name server IP, credentials).

jsha · June 6, 2019, 4:20am

I think this is the right answer. Many things in DNS assume that you update in one place (e.g. your primary nameserver) and it propagates to all over your authoritative nameservers (e.g. you secondary nameservers). If you change your setup, the plug-in should work for you.

jsha · June 6, 2019, 5:22pm

I forgot to add: setting up a primary / secondary relationship will avoid having mismatched records between your nameservers, which can cause very confusing and hard to diagnose problems.

system · July 6, 2019, 5:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Status of CNAME alias support in Certbot? Client dev	4	2977	October 3, 2019
Certbot plugin for AWS Route53 Client dev	3	5639	March 8, 2017
Renewing multiple domain certificate with certbot Help	12	5165	March 8, 2022
Multiple servers for same domain with multiple DNS servers - Best practice for issue/renew? Server	7	2826	May 1, 2018
Multiple Web Servers Server	2	929	May 31, 2018

Update two name servers with RFC2136 plugin?

Related topics