BIND, nsupdate and DNS authentication

Michael De Roover isc at
Thu Jul 23 23:54:42 UTC 2020

On 7/23/20 9:13 PM, Brett Delmage wrote:
> To get this topic back on topic for this list:
> When you are creating Let's Encrypt wildcard certificates you must use 
> a DNS authenticiation protocol with letsencrypt. I am using the 
> client which was recommended for wildcard certificates. 
> If you are running your own nameserver you also need to enable dynamic 
> updates so that the client can create TXT records during 
> certificate acqusition and renewal.
> However I have found that getting zone dynamic updates 
> (authentication, specifically) working with nsupdate (which 
> uses) and BIND have been a PITA. I haven't been overly impressed with 
> the debug capabilities to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I 
found that their main website indeed uses a wildcard certificate while 
the forum (which was affected by the certificate renewal issues if 
memory serves me right) uses its own dedicated cert. Granted these 
renewal issues were already a few years ago so perhaps they changed some 
things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further 
into it. Would certainly be useful though, as subdomains are an easy way 
to separate services. Unfortunately bacme (which I currently use) 
doesn't seem to support the DNS-based ACME challenges. I've cloned the repository and will look further into it.

Met vriendelijke groet / Best regards,
Michael De Roover

More information about the bind-users mailing list