<div dir="auto"><div>Yes, I was using nsupdate to test my implementation. For security reasons the directory that holds the zone file is readonly for named. So named couldn't create its journal file there. I misinterpreted the reference manual for the description of the "journal" command. Where it mentioned that the "filename" could be overridden I wasn't thinking it could be a pathname.</div><div dir="auto"><br></div><div dir="auto">Just to clarify, I will be using the certbot client with the dns-rfc2136 plugin to receive my certificates.</div><div dir="auto"><br></div><div dir="auto">I wonder why they don't have a dns-local plugin. It would be a whole lot simpler.<br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users, <<a href="mailto:bind-users@lists.isc.org" target="_blank" rel="noreferrer">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>[ Classification Level: <font color="blue">GENERAL BUSINESS</font> ]</div><br>Ivan,<div> I've never done the Let's Encrypt thing myself, but from my skim of the documentation, it appears they want you to place a TXT record in a specific part of your domain's namespace hierarchy.</div><div><br></div><div>I sincerely hope you're not trying to write the TXT record directly to the journal file. 
That could lead to corruption, or, at the very least, your changes could be overwritten, since journal files are written dynamically.</div><div><br></div><div>The safe way to update DNS programmatically is through the Dynamic Update extension to DNS, typically via the "nsupdate" command-line utility, or via various libraries/modules of scripting languages like Perl or Python.</div><div><br></div><div>One of the bash-based ACME client implementations linked from Let's Encrypt's webpage, for instance, is <a href="http://github.com/bruncsak/ght-acme.sh" rel="noreferrer noreferrer" target="_blank">github.com/bruncsak/ght-acme.sh</a>, and for the DNS-01 challenge method, it feeds some commands to nsupdate. The code is rather crude, assuming no crypto-based authentication on the server side, among other things, but it's at least a start on a recommended way to update DNS data. Better than mucking around with journal files.</div><div><br></div><div>There is a learning curve associated with Dynamic Update. On the server side, for instance, you'll need to establish permissions via allow-update. Limiting updates to localhost at least would protect your DNS data from unauthorized changes from remote hosts, but ideally, you'd generate a key and use that.</div><div><br></div><div> - Kevin<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <<a href="mailto:ivan.avery.frey@gmail.com" rel="noreferrer noreferrer" target="_blank">ivan.avery.frey@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm trying to obtain certificates from Let's Encrypt using the DNS-01<br>
challenge method.<br>
<br>
I just want to confirm that there is no option to configure the<br>
directory for the .jnl files independently of the zone files.<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer noreferrer noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" rel="noreferrer noreferrer" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div></div>
</blockquote></div></div></div>