Bind forgets my changes with nsupdate

Michael Richardson mcr at sandelman.ca
Sun Oct 8 15:54:21 UTC 2023


201907-bind at planhack.com wrote:
    >> My solution is not to mix dynamic update with other access.  Instead,
    >> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
    >> I do exclusive dynamic update.  This isn't perfect, but it works well
    >> enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
    >> certificates.

    > Not perfect? What issues did you see? Thanks!

a) there are still a number of situations where systems do not follow CNAMEs when
   they should.  Particularly relating to RFC2317 reverse delegations.

b) using a second zone introduces additional possibilities for DNSSEC to be
   broken.

c) cruft accumulates in the second zone, and some of it does not get deleted.

d) updates to secondaries sometimes take longer than certbot is able to cope with.
   ("up-arrow-return" solves the problem if interactive.  Cron running a week
   later usually works)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
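The arrangement described above, as an added example that is not part of the original post or of certbot or BIND: the signed parent zone holds only a CNAME from _acme-challenge.www.example.com to _acme-challenge.www.dyn.example.com, and a separate zone dyn.example.com is the only thing nsupdate ever writes to. The zone names, the server name, the TSIG key path and the SECONDARIES list are placeholders. The wait_for_txt poll addresses point (d): it checks each listed server before returning from the certbot hook instead of trusting that secondaries have caught up.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed setup (placeholders):
#   example.com (signed, not dynamically updated) contains
#     _acme-challenge.www.example.com. IN CNAME _acme-challenge.www.dyn.example.com.
#   dyn.example.com is served by the same named with, in its zone statement,
#     update-policy { grant acme-update name _acme-challenge.www.dyn.example.com. TXT; };
#   so the TSIG key "acme-update" can only touch that one TXT name.
DYN_ZONE=${DYN_ZONE:-dyn.example.com}
DNS_SERVER=${DNS_SERVER:-ns1.example.com}
TSIG_KEY_FILE=${TSIG_KEY_FILE:-/etc/letsencrypt/acme-update.key}
TTL=60

# Owner name under the dynamic zone that the parent's CNAME points at.
acme_name() {
    printf '_acme-challenge.%s.%s\n' "$1" "$DYN_ZONE"
}

# Emit the nsupdate batch for one add or delete of the validation TXT record.
# Everything is addressed to DYN_ZONE; the signed parent is never updated.
acme_update_script() {
    action=$1 label=$2 token=$3
    name=$(acme_name "$label")
    printf 'server %s\nzone %s.\n' "$DNS_SERVER" "$DYN_ZONE"
    case $action in
        add) printf 'update add %s. %s IN TXT "%s"\n' "$name" "$TTL" "$token" ;;
        del) printf 'update delete %s. IN TXT\n' "$name" ;;
        *)   printf 'unknown action: %s\n' "$action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Default lookup: ask one specific server (not the resolver) for the TXT rdata.
dig_txt() {
    dig +short @"$1" "$2" TXT
}

# Poll SERVER until NAME carries TOKEN, up to ATTEMPTS tries one second apart.
# LOOKUP may name any "cmd server name" that prints rdata (overridden in tests).
wait_for_txt() {
    server=$1 name=$2 token=$3 attempts=${4:-30}
    lookup=${LOOKUP:-dig_txt}
    i=1
    while :; do
        if "$lookup" "$server" "$name" | grep -qF "\"$token\""; then
            return 0
        fi
        [ "$i" -ge "$attempts" ] && return 1
        i=$((i + 1))
        sleep 1
    done
}

# certbot --manual-auth-hook entry point. certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION; this branch runs only when invoked that way. The label
# extraction assumes one label below the zone apex (www.example.com -> www).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    label=${CERTBOT_DOMAIN%%.*}
    acme_update_script add "$label" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
    for ns in $DNS_SERVER ${SECONDARIES:-}; do
        wait_for_txt "$ns" "$(acme_name "$label")" "$CERTBOT_VALIDATION" || exit 1
    done
fi
```

The matching cleanup hook is the same script with `acme_update_script del "$label" | nsupdate -k "$TSIG_KEY_FILE"`; running it unconditionally after each issuance is what keeps point (c), leftover records in the second zone, from accumulating.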
