<div dir="ltr"><div>[ Classification Level: <font color="blue">GENERAL BUSINESS</font> ]</div><br class="cursAfter">Ivan,<div> I've never done the Let's Encrypt thing myself, but from my skim of the documentation, it appears they want you to place a TXT record in a specific part of your domain's namespace hierarchy.</div><div><br></div><div>I sincerely hope you're not trying to write the TXT record directly to the journal file. That could lead to corruption, or, at the very least, your changes could be overwritten, since journal files are written dynamically.</div><div><br></div><div>The safe way to update DNS programmatically is through the Dynamic Update extension to DNS, typically via the "nsupdate" command-line utility, or via various libraries/modules of scripting languages like Perl or Python.</div><div><br></div><div>One of the bash-based ACME client implementations linked from Let's Encrypt's webpage, for instance, is <a href="http://github.com/bruncsak/ght-acme.sh">github.com/bruncsak/ght-acme.sh</a>, and for the DNS-01 challenge method, it feeds some commands to nsupdate. The code is rather crude, assuming no crypto-based authentication on the server side, among other things, but it's at least a start on a recommended way to update DNS data. Better than mucking around with journal files.</div><div><br></div><div>There is a learning curve associated with Dynamic Update. On the server side, for instance, you'll need to establish permissions via allow-update. Limiting updates to localhost at least would protect your DNS data from unauthorized changes from remote hosts, but ideally, you'd generate a key and use that.</div><div><br></div><div> - Kevin<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <<a href="mailto:ivan.avery.frey@gmail.com">ivan.avery.frey@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm trying to obtain certificates from Let's Encrypt using the DNS-01<br>
challenge method.<br>
<br>
I just want to confirm that there is no option to configure the<br>
directory for the .jnl files independently of the zone files.<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div></div>