Allow only temporary zone updates without making them permanent

Carl Byington carl at byington.org
Sun Jun 30 16:21:23 UTC 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sun, 2019-06-30 at 12:38 +0300, Lefteris Tsintjelis via bind-users wrote:
> Again, no it is not required but only if you do it manually. The idea
> here is to automate everything and, unless I am missing something,
> there is no other way to do this. There has to be a dynamic zone for
> the ACME records.

I wrote some python code to fully automate letsencrypt certificates
using

  certbot certonly --manual -d %s -m %s --agree-tos
  --no-eff-email --manual-public-ip-logging-ok
  --preferred-challenges dns

in combination with human-readable ASCII text BIND master files. It is
not really clean enough to release, and is tied fairly strongly to my
environment. But the automation problem is not difficult.

  import subprocess  # c: the certbot command line above, after the %s substitutions
  proc = subprocess.Popen(c, shell=True, bufsize=4096, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)

followed by reading the output of certbot and doing the appropriate
operations on the master files with some "rndc reload %s" commands. In
my case, the domains are all secured with dnssec, so there are some
dnssec-signzone commands in there as well.

About 350 lines of python code, but that also includes code to generate
the ssl certificates by signing a traditional CSR with a private CA key.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAl0Y4WIACgkQL6j7milTFsHaqwCeO+24sBUTLmKfj/8sv1YAjg3E
5FgAnRuHyKVHnPz7vgIqP6N/iaC/8UjK
=ClyC
-----END PGP SIGNATURE-----
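The master-file side of the flow Carl describes (write the TXT record certbot prints, bump the SOA serial, re-sign if the zone is DNSSEC-signed, rndc reload, then take the record out again), as an added example written for this page; it is not Carl's unreleased script or any project code. It assumes a constructed sample zone with a YYYYMMDDnn serial marked by a "; serial" comment, that named.conf points at the dnssec-signzone output, and that signing keys are found by dnssec-signzone's smart-signing defaults; the token check and the use of argv lists instead of shell=True are choices made here so that a challenge string or zone name can never become zone-file syntax or shell syntax.

```python
import re
import subprocess
from datetime import date

# Constructed sample BIND master file (not from the post).
SAMPLE_ZONE = """\
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2019063001 ; serial
        7200 3600 1209600 3600 )
@ IN NS ns1.example.com.
www IN A 192.0.2.10
"""

SERIAL_RE = re.compile(r"^(\s*)(\d{10})(\s*;\s*serial\b)", re.MULTILINE)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")  # base64url alphabet only


def bump_serial(zone_text, today=None):
    """Return (new_text, new_serial) for a YYYYMMDDnn serial.

    today is a YYYYMMDD string (defaults to the current date). If the stored
    serial predates today the serial restarts at <today>01; otherwise it is
    incremented, so several renewals on one day stay monotonic.
    """
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no serial marked with a '; serial' comment")
    old = int(m.group(2))
    today = today or date.today().strftime("%Y%m%d")
    base = int(today) * 100
    new = base + 1 if old < base else old + 1
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


def challenge_owner(fqdn, zone):
    """Relative owner name of the _acme-challenge record for fqdn inside zone."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "_acme-challenge"
    if not fqdn.endswith("." + zone):
        raise ValueError("%s is not inside zone %s" % (fqdn, zone))
    return "_acme-challenge." + fqdn[: -len(zone) - 1]


def add_challenge(zone_text, owner, token, today=None):
    """Append the dns-01 TXT record certbot printed and bump the serial."""
    if not TOKEN_RE.match(token):
        # Anything outside base64url could smuggle quotes, newlines or
        # directives into the master file, so refuse it outright.
        raise ValueError("challenge token is not base64url")
    text, _ = bump_serial(zone_text, today)
    if not text.endswith("\n"):
        text += "\n"
    return text + '%s IN TXT "%s"\n' % (owner, token)


def remove_challenge(zone_text, owner, today=None):
    """Drop every TXT record at owner (after validation) and bump the serial."""
    pattern = re.compile(r"^%s\s+IN\s+TXT\s+.*\n" % re.escape(owner), re.MULTILINE)
    text, _ = bump_serial(zone_text, today)
    return pattern.sub("", text)


def reload_commands(zone, zonefile, signed=False):
    """argv lists that publish the change; dnssec-signzone only for signed zones."""
    cmds = []
    if signed:
        # Assumed layout: -S smart signing picks keys up from the working
        # directory and writes <zonefile>.signed, which named.conf points at.
        cmds.append(["dnssec-signzone", "-S", "-o", zone, zonefile])
    cmds.append(["rndc", "reload", zone])
    return cmds


def publish(zone, zonefile, new_text, signed=False):
    """Write the master file and run the reload commands (side effects only)."""
    with open(zonefile, "w") as fh:
        fh.write(new_text)
    for cmd in reload_commands(zone, zonefile, signed):
        subprocess.run(cmd, check=True)  # argv list: no shell parsing of names


if __name__ == "__main__":
    token = "A" * 43  # constructed; shaped like a real dns-01 validation string
    owner = challenge_owner("www.example.com", "example.com")
    staged = add_challenge(SAMPLE_ZONE, owner, token, "20190630")
    print(staged)                                  # zone with the TXT record
    print(remove_challenge(staged, owner, "20190630"))  # zone after cleanup
```

In a real run the sequence is: parse the owner and token out of certbot's manual-mode output, call add_challenge and publish, wait for the TXT record to be visible on the authoritative servers before letting certbot continue, then remove_challenge and publish again. Each step bumps the serial, so secondaries pick up both the insertion and the removal.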