Configuring the location of named .jnl files
Ivan Avery Frey
ivan.avery.frey at gmail.com
Mon Apr 26 17:26:50 UTC 2021
Yes, I was using nsupdate to test my implementation. For security reasons
the directory that holds the zone file is readonly for named. So named
couldn't create its journal file there. I misinterpreted the reference
manual for the description of the "journal" command. Where it mentioned
that the "filename" could be overridden I wasn't thinking it could be a
Just to clarify, I will be using the certbot client with the dns-rfc2136
plugin to receive my certificates.
I wonder why they don't have a dns-local plugin. It would be a whole lot
On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users, <
bind-users at lists.isc.org> wrote:
> [ Classification Level: GENERAL BUSINESS ]
> I've never done the Let's Encrypt thing myself, but from my
> skim of the documentation, it appears they want you to place a TXT record
> in a specific part of your domain's namespace hierarchy.
> I sincerely hope you're not trying to write the TXT record directly to the
> journal file. That could lead to corruption, or, at the very least, your
> changes could be overwritten, since journal files are written dynamically.
> The safe way to update DNS programmatically is through the Dynamic Update
> extension to DNS, typically via the "nsupdate" command-line utility, or via
> various libraries/modules of scripting languages like Perl or Python.
> One of the bash-based ACME client implementations linked from Let's
> Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
> for the DNS-01 challenge method, it feeds some commands to nsupdate. The
> code is rather crude, assuming no crypto-based authentication on the server
> side, among other things, but it's at least a start on a recommended way to
> update DNS data. Better than mucking around with journal files.
> There is a learning curve associated with Dynamic Update. On the server
> side, for instance, you'll need to establish permissions via allow-update.
> Limiting updates to localhost at least would protect your DNS data from
> unauthorized changes from remote hosts, but ideally, you'd generate a key
> and use that.
> - Kevin
> On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <ivan.avery.frey at gmail.com>
>> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
>> challenge method.
>> I just want to confirm that there is no option to configure the
>> directory for the .jnl files independently of the zone files.
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> bind-users mailing list
>> bind-users at lists.isc.org
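The setup the two messages describe, as an added example that is not from either poster or from ISC: a zone stanza that relocates the journal into a writable directory with the `journal` option, a TSIG key generated with `tsig-keygen`, and an `update-policy` that confines that key to the ACME challenge TXT record, with the looser `allow-update { localhost; }` left commented out for comparison. The zone name, paths, key name and secret are assumptions.

```conf
// named.conf fragment (constructed example; zone name, paths, key name and secret are assumptions)

// Generate the key once with: tsig-keygen certbot-acme >> /etc/bind/keys.conf
key "certbot-acme" {
    algorithm hmac-sha256;
    secret "<base64 output of tsig-keygen; placeholder>";
};

zone "example.com" {
    type primary;                                    // "master" on BIND before 9.16
    file "/etc/bind/zones/db.example.com";           // may sit in a directory named cannot write
    journal "/var/lib/bind/dynamic/example.com.jnl"; // named needs write access to this directory

    // Weak: any local process may rewrite any record in the zone, with no authentication.
    // allow-update { localhost; };

    // Preferred: the TSIG key may only add or delete TXT at the ACME challenge name.
    update-policy {
        grant certbot-acme name _acme-challenge.example.com TXT;
    };
};

// Caveat: named still periodically dumps the updated zone back to "file"; with a
// read-only zone directory expect logged dump errors, while the journal is what
// preserves the changes across a restart.

// Matching certbot credentials file (/etc/letsencrypt/rfc2136.ini, mode 0600):
//   dns_rfc2136_server = 127.0.0.1
//   dns_rfc2136_port = 53
//   dns_rfc2136_name = certbot-acme
//   dns_rfc2136_secret = <same base64 secret>
//   dns_rfc2136_algorithm = HMAC-SHA256

// Check the policy by hand with: nsupdate -k /etc/bind/keys.conf
//   update add _acme-challenge.example.com 60 TXT "probe"
//   send
// An update to any other name or record type with this key must come back REFUSED.
```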