BIND, nsupdate and DNS authentication

Brett Delmage Brett at
Thu Jul 23 19:13:06 UTC 2020

On Thu, 23 Jul 2020, Michael De Roover wrote:

> For example I don't trust Manjaro's maintainers, since they screwed up
> their TLS certificate renewal no less than 3 times. That's complete and
> utter incompetence on their part.

> How they didn't already put certbot in a cron job after the first time 
> is beyond me.

To get this topic back on topic for this list:

When you are creating Let's Encrypt wildcard certificates you must use a 
DNS authentication protocol with letsencrypt. I am using the 
client which was recommended for wildcard 

If you are running your own nameserver you also need to enable dynamic 
updates so that the client can create TXT records during 
certificate acquisition and renewal.

However I have found that getting zone dynamic updates (authentication, 
specifically) working with nsupdate (which uses) and BIND has 
been a PITA. I haven't been overly impressed with the debug capabilities 
to help get nsupdate working properly.
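As an added example, not part of the original post and not the code of any particular ACME client, here are the pieces the message above refers to: a named.conf fragment that lets one TSIG key change only the challenge TXT record (instead of allow-update, which hands the key the whole zone), the nsupdate batch that creates and removes that record, and a dig check. The zone example.net, the key name acme-update.example.net, the key file path, the secret string and the assumption that named listens on 127.0.0.1 are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege BIND dynamic
# updates for the ACME DNS-01 challenge, plus the nsupdate batch an ACME
# client sends. Zone, key name, key path and secret are constructed
# placeholders, not values taken from the post.

ZONE="example.net"                        # assumed zone
KEYNAME="acme-update.example.net"         # assumed TSIG key name
KEYFILE="/etc/bind/keys/acme-update.key"  # assumed key file used by nsupdate -k
# Constructed placeholder; a real secret comes from: tsig-keygen "$KEYNAME"
KEYSECRET="CONSTRUCTED+PLACEHOLDER+SECRET+NOT+A+REAL+KEY="

# named.conf fragment. update-policy limits the key to TXT records at the
# challenge name; allow-update { key ...; } would let it rewrite the zone.
bind_fragment() {
    cat <<EOF
key "$KEYNAME" {
    algorithm hmac-sha256;
    secret "$KEYSECRET";
};

zone "$ZONE" {
    type master;
    file "/var/lib/bind/db.$ZONE";
    update-policy {
        // a wildcard cert for *.$ZONE validates at _acme-challenge.$ZONE
        grant $KEYNAME name _acme-challenge.$ZONE. TXT;
        // per-host certs validate at _acme-challenge.<host>.$ZONE; a wider
        // but still TXT-only grant for that is:
        //   grant $KEYNAME subdomain $ZONE. TXT;
    };
};
EOF
}

# nsupdate batch for one challenge. $1 is "add" or "delete", $2 is the token
# value the ACME server expects in the TXT record (constructed in the test).
acme_txt_update() {
    action="$1"; token="$2"
    printf 'server 127.0.0.1\nzone %s.\n' "$ZONE"
    if [ "$action" = "add" ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$ZONE" "$token"
    else
        printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$ZONE" "$token"
    fi
    printf 'send\n'
}

# Send the batch through nsupdate signed with the TSIG key. -d prints the
# outgoing request and the server's reply, so a key mismatch (NOTAUTH with a
# BADKEY/BADSIG TSIG error) is distinguishable from a policy denial (REFUSED).
push_update() {
    acme_txt_update "$1" "$2" | nsupdate -d -k "$KEYFILE"
}

# Confirm the record is served before asking the ACME server to validate.
check_txt() {
    dig +short @127.0.0.1 "_acme-challenge.$ZONE" TXT
}
```

In practice the client's DNS hook would call `push_update add "$TOKEN"` before validation and `push_update delete "$TOKEN"` afterwards, and the key file should be readable only by named and the user running the ACME client. Keeping the `name ... TXT` grant rather than `allow-update` means a leaked key can at worst plant challenge TXT records, not rewrite A or MX records in the zone.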

