Configuring the location of named .jnl files

Kevin Darcy kevin.darcy at stellantis.com
Mon Apr 26 13:56:29 UTC 2021


Ivan,
           I've never done the Let's Encrypt thing myself, but from my skim
of the documentation, it appears they want you to place a TXT record in a
specific part of your domain's namespace hierarchy.

I sincerely hope you're not trying to write the TXT record directly to the
journal file. That could lead to corruption, or, at the very least, your
changes could be overwritten, since journal files are written dynamically.

The safe way to update DNS programmatically is through the Dynamic Update
extension to DNS, typically via the "nsupdate" command-line utility, or via
various libraries/modules of scripting languages like Perl or Python.

One of the bash-based ACME client implementations linked from Let's
Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
for the DNS-01 challenge method, it feeds some commands to nsupdate. The
code is rather crude, assuming no crypto-based authentication on the server
side, among other things, but it's at least a start on a recommended way to
update DNS data. Better than mucking around with journal files.

There is a learning curve associated with Dynamic Update. On the server
side, for instance, you'll need to establish permissions via allow-update.
Limiting updates to localhost at least would protect your DNS data from
unauthorized changes from remote hosts, but ideally, you'd generate a key
and use that.


                 - Kevin
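Kevin's recommendation in practice, as an added example that is not from the original post or from ght-acme.sh: a small sh script that builds an nsupdate batch for the _acme-challenge TXT record and sends it signed with a TSIG key, so named (not the ACME client) writes the zone and its journal. The key name, key file path and the update-policy grant shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): publish a DNS-01 challenge
# TXT record through Dynamic Update instead of editing zone or .jnl files.
#
# Assumed server-side configuration (hypothetical names) in named.conf:
#   key "acme-update" { algorithm hmac-sha256; secret "<base64 from tsig-keygen>"; };
#   zone "example.com" {
#       type master; file "example.com.zone";
#       # least privilege: this key may change only the challenge TXT record
#       update-policy { grant acme-update name _acme-challenge.example.com. TXT; };
#   };

# Print the nsupdate batch for one challenge.
# $1 = server, $2 = zone, $3 = challenge token, $4 = "add" or "del".
acme_nsupdate_batch() {
    server=$1 zone=$2 token=$3 action=$4
    case "$action" in
        add|del) ;;
        *) echo "action must be add or del" >&2; return 1 ;;
    esac
    # ACME tokens use the base64url alphabet; rejecting anything else keeps the
    # value from breaking out of the quoted TXT rdata or adding nsupdate commands.
    case "$token" in
        *[!A-Za-z0-9_-]*|"") echo "invalid token" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s\n' "$server" "$zone"
    # Remove any stale challenge first so only the current token is published.
    printf 'update delete _acme-challenge.%s. TXT\n' "$zone"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$zone" "$token"
    fi
    printf 'send\n'
}

# Feed the batch to nsupdate, signing every message with the TSIG key file
# written by tsig-keygen (hypothetical path). named applies the change and
# records it in the .jnl file itself.
acme_publish() {
    acme_nsupdate_batch "$1" "$2" "$3" "$4" | nsupdate -k /etc/bind/acme-update.key
}

# Constructed sample invocation (values are illustrative):
# acme_publish 127.0.0.1 example.com gfj9Xq_constructed_token add
```

After validation the same script can be run with `del` to clean the record up, which the delete line in the batch handles without a separate rdata argument.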

On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <ivan.avery.frey at gmail.com>
wrote:

> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
> challenge method.
>
> I just want to confirm that there is no option to configure the
> directory for the .jnl files independently of the zone files.

