From: Brett Delmage
Newsgroups: comp.protocols.dns.bind
Subject: BIND, nsupdate and acme.sh DNS authentication
Date: Thu, 23 Jul 2020 15:13:06 -0400 (EDT)

On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.
> How they didn't already put certbot in a cron job after the first time
> is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a DNS authentication protocol with letsencrypt. I am using the acme.sh client, which was recommended for wildcard certificates.

https://github.com/acmesh-official/acme.sh

If you are running your own nameserver you also need to enable dynamic updates so that the acme.sh client can create TXT records during certificate acquisition and renewal.

However, I have found that getting zone dynamic updates (authentication, specifically) working with nsupdate (which acme.sh uses) and BIND has been a PITA. I haven't been overly impressed with the debug capabilities to help get nsupdate working properly.
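As an added example (not part of the original post, and not acme.sh's own hook code): the nsupdate batch a DNS-01 hook sends for `_acme-challenge.<zone>`, and the matching BIND key plus `update-policy` that grants that key TXT rights on that one name only, so a failing update can be reproduced by hand with `nsupdate -d`. The zone `example.com`, server `127.0.0.1`, key name `acme-update` and the token are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh.
# Assumptions (constructed): zone example.com, server 127.0.0.1, TSIG key "acme-update".

# Emit the nsupdate commands that replace the ACME challenge TXT record.
# $1 = zone, $2 = validation token, $3 = server (default 127.0.0.1)
acme_txt_batch() {
    zone=$1; token=$2; server=${3:-127.0.0.1}
    printf 'server %s\n' "$server"
    printf 'zone %s.\n' "$zone"
    printf 'update delete _acme-challenge.%s. TXT\n' "$zone"
    printf 'update add _acme-challenge.%s. 60 TXT "%s"\n' "$zone" "$token"
    printf 'send\n'
}

# Emit the BIND side: a TSIG key that may only touch TXT at _acme-challenge.<zone>,
# rather than allow-update { key ...; } which would let the key rewrite the whole zone.
# $1 = zone, $2 = base64 secret from: tsig-keygen -a hmac-sha256 acme-update
bind_acme_policy() {
    zone=$1; secret=$2
    cat <<EOF
key "acme-update" {
    algorithm hmac-sha256;
    secret "$secret";
};
zone "$zone" {
    type master;
    file "$zone.zone";
    update-policy {
        grant acme-update name _acme-challenge.$zone. TXT;
    };
};
EOF
}

# Number of "update" lines in a batch (sanity check before sending it).
batch_updates() { acme_txt_batch "$@" | grep -c '^update '; }

# Print the batch. To send it, pipe into nsupdate with -d so the server's answer
# is shown: REFUSED = update-policy does not grant this key/name/type,
# NOTAUTH = wrong zone or server is not primary for it, BADKEY/BADSIG/BADTIME = TSIG.
acme_txt_batch example.com constructed-token
# acme_txt_batch example.com "$TOKEN" | nsupdate -d -k /etc/bind/acme-update.key
```

After a successful `send`, `dig @127.0.0.1 _acme-challenge.example.com TXT` should return the token; if it does not, check that the zone is writable by named (journal file) before blaming TSIG.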