Configuring the location of named .jnl files

Ivan Avery Frey ivan.avery.frey at gmail.com
Mon Apr 26 17:26:50 UTC 2021


Yes, I was using nsupdate to test my implementation. For security reasons
the directory that holds the zone file is readonly for named. So named
couldn't create its journal file there. I misinterpreted the reference
manual's description of the "journal" option. Where it mentioned
that the "filename" could be overridden, I wasn't thinking it could be a
pathname.

Just to clarify, I will be using the certbot client with the dns-rfc2136
plugin to receive my certificates.

I wonder why they don't have a dns-local plugin. It would be a whole lot
simpler.

On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users, <
bind-users at lists.isc.org> wrote:

> [ Classification Level: GENERAL BUSINESS ]
>
> Ivan,
> I've never done the Let's Encrypt thing myself, but from my
> skim of the documentation, it appears they want you to place a TXT record
> in a specific part of your domain's namespace hierarchy.
>
> I sincerely hope you're not trying to write the TXT record directly to the
> journal file. That could lead to corruption, or, at the very least, your
> changes could be overwritten, since journal files are written dynamically.
>
> The safe way to update DNS programmatically is through the Dynamic Update
> extension to DNS, typically via the "nsupdate" command-line utility, or via
> various libraries/modules of scripting languages like Perl or Python.
>
> One of the bash-based ACME client implementations linked from Let's
> Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and
> for the DNS-01 challenge method, it feeds some commands to nsupdate. The
> code is rather crude, assuming no crypto-based authentication on the server
> side, among other things, but it's at least a start on a recommended way to
> update DNS data. Better than mucking around with journal files.
>
> There is a learning curve associated with Dynamic Update. On the server
> side, for instance, you'll need to establish permissions via allow-update.
> Limiting updates to localhost at least would protect your DNS data from
> unauthorized changes from remote hosts, but ideally, you'd generate a key
> and use that.
>
>
>                    - Kevin
>
> On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <ivan.avery.frey at gmail.com>
> wrote:
>
>> I'm trying to obtain certificates from Let's Encrypt using the DNS-01
>> challenge method.
>>
>> I just want to confirm that there is no option to configure the
>> directory for the .jnl files independently of the zone files.
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
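The two points the thread settles, that the zone's "journal" option accepts a full pathname (so the .jnl can sit in a directory that named may write while the zone file directory stays read-only) and that a TSIG key is preferable to allow-update { localhost; }, can be put in one named.conf fragment. This is an added example, not configuration posted in the thread. The zone name example.com, the key name certbot-key, and the paths /etc/bind/zones (read-only for named) and /var/lib/bind/journal (writable by named) are assumptions; the secret is a placeholder. The record name _acme-challenge.example.com is the name the ACME DNS-01 challenge uses, which the thread alludes to without naming.

```conf
// Added example: zone stanza for a BIND primary that takes dynamic updates
// from an ACME client (certbot dns-rfc2136 or an nsupdate script).
// Assumed layout: /etc/bind/zones is read-only for named,
// /var/lib/bind/journal is owned and writable by named's user.

// TSIG key shared with the ACME client. Generate it with
// `tsig-keygen certbot-key`; the secret here is a placeholder, not a usable key.
key "certbot-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";

    // "journal" takes a pathname, so the .jnl file can live outside the
    // read-only zone directory.
    journal "/var/lib/bind/journal/example.com.jnl";

    // Weak: any local process that can reach 127.0.0.1 may rewrite any
    // record in the zone, and the update carries no authentication.
    // allow-update { localhost; };

    // Hardened: only holders of certbot-key may update, and only the TXT
    // record the DNS-01 challenge needs. (allow-update and update-policy
    // are mutually exclusive in a zone; use one or the other.)
    update-policy {
        grant certbot-key name _acme-challenge.example.com. TXT;
    };
};
```

In practice the key block is written by `tsig-keygen certbot-key > /etc/bind/certbot-key.key` and pulled in with an `include` statement rather than inlined, and the same name, algorithm and secret go into the certbot dns-rfc2136 credentials file. To check the policy before handing it to certbot, run `nsupdate -k /etc/bind/certbot-key.key`, then `server 127.0.0.1`, `update add _acme-challenge.example.com. 60 TXT "test"`, `send`: an update to any other name or type should be refused, and after `rndc sync example.com` the change is merged from the journal into the zone file if that directory is writable, or stays in the journal otherwise.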