TXT with dot in NAME for ACME via dynamic update

Chuck Aurora ca at nodns4.us
Sat Mar 14 17:14:39 UTC 2020

On 2020-03-14 12:03, Axel Rau wrote:
> it seems, the dynamic update protocol does not allow things like
> 	_acme-challenge.some-host.some.domain TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
> because there is no zone
> 	some-host.some.domain

I am pretty sure that is not correct, but we can't help unless you
show your work.  If you need to specify the zone to update, you can
and should.  BIND's nsupdate(8) and other dynamic DNS clients allow
you to do this.

> However named accepts such constructs, if loaded from text zone file.

Mind your trailing dot, however. :)

> The problem is:
> - bind requires for dynamic update with
> 	dnssec-update-mode maintain
> 	auto-dnssec maintain
>   both require dynamic DNS
> - letsencrypt requires challenges like the above.
> This makes it impossible to create automatic ACME clients with
> dns-01 challenge.

Again, pretty sure you're wrong about this.

> Does anybody have a workaround?

Show your work if you want help.  Are you using nsupdate or some other
client?  Show what you gave your client.  Review the nsupdate(8) manual
for details on the input commands and format.
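As an added illustration of the advice above (this is not code from the post or from BIND): a small POSIX shell helper that builds the nsupdate(8) command stream for a dns-01 challenge, naming the enclosing zone explicitly with the "zone" command and keeping the trailing dot on every owner name. The zone "some.domain", the host "some-host", the 60-second TTL and the key-file path in the comment are assumptions for the example; the token is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the original post or from BIND.
# Emits nsupdate(8) input that replaces the ACME dns-01 TXT record for a host
# below a zone. Assumed values: zone some.domain, host some-host, TTL 60.
# Feed the output to nsupdate, e.g.:
#   acme_nsupdate_script some.domain some-host "$TOKEN" \
#       | nsupdate -k /etc/bind/keys/Kacme.+165+12345.private   # path assumed

# fqdn NAME: return NAME with exactly one trailing dot (absolute name).
fqdn() {
    case "$1" in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# in_zone NAME ZONE: succeed if NAME equals ZONE or lies below it.
# Both are compared as absolute names so "some.domain" and "some.domain."
# are treated the same.
in_zone() {
    n=$(fqdn "$1")
    z=$(fqdn "$2")
    [ "$n" = "$z" ] && return 0
    case "$n" in
        *."$z") return 0 ;;
    esac
    return 1
}

# acme_nsupdate_script ZONE HOST TOKEN: print the nsupdate commands.
# "zone" pins the update to the enclosing zone, so there is no need for a
# zone named after the host; "update delete" first removes any stale token
# from an earlier run, then "update add" installs the new one.
acme_nsupdate_script() {
    zone=$(fqdn "$1")
    owner=$(fqdn "_acme-challenge.$2.$1")
    token=$3
    in_zone "$owner" "$zone" || {
        echo "refusing: $owner is not inside zone $zone" >&2
        return 1
    }
    printf 'zone %s\n' "$zone"
    printf 'update delete %s TXT\n' "$owner"
    printf 'update add %s 60 TXT "%s"\n' "$owner" "$token"
    printf 'send\n'
}
```

The only thing the script relies on is that the update is authenticated (the -k key file, or -y for an inline TSIG secret) and that the key is allowed to change TXT records at that name in the zone's update-policy; with auto-dnssec maintain, named signs the new RRset itself.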
