Ilari Liusvaara <ilariliusva...@welho.com> wrote:
>> For now, this is for many ACME clients a manual step. If you run your
>> authoritative DNS service locally in your network, perhaps you could
>> look into any options for automatically updating the zone content.

> I think the current best way is to have _acme-challenge be a CNAME
> pointing to a zone served by a single master with no slaves that accepts
> DNS UPDATE with TSIG HMAC-SHA256 authentication for the ACME client to
> update the records.

That's precisely what I do. I do it because bind9 does not do well when
zones are managed by updates as well as manual edits. So I CNAME to a
single (sub)zone where it is all updates.

> The single master is more than reliable enough for the purpose (as
> there should be dozens of retries spread over time for renewal before
> the certificate expires) and eliminates the propagation times.

I do have multiple masters, and I mean to program a query to all NS to
see if the update has propagated, but for now, I "sleep(30)", which is
definitely sub-optimal in the best cases, and a failure if there are
problems.

So far, it works great.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | IoT architect      [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
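The two pieces discussed in the thread, the TSIG-authenticated DNS UPDATE to the update-only master and the "query all NS before proceeding" check that replaces a fixed `sleep(30)`, as an added example. This is not code from the thread and not Michael's or any ACME client's implementation. It assumes `nsupdate` and `dig` are on PATH; `master.example.net`, `acme.example.net`, `_acme-challenge.acme.example.net` and the key-file name `Kacme.+165+00000.private` are hypothetical placeholders, and `make_fake_query` is a constructed stand-in for the live query so the polling loop can be exercised offline.

```python
"""dns-01 helper: push the challenge TXT record to the update-only master
with a TSIG-signed DNS UPDATE, then poll every authoritative nameserver
until the new value is visible, instead of a fixed sleep(30).

Added example, not code from the thread.  Assumptions: `nsupdate` and
`dig` are on PATH; zone, master and key-file names are hypothetical.
"""
import subprocess
import time
from typing import Callable, Dict, Iterable, List


def build_nsupdate_script(master: str, zone: str, name: str,
                          value: str, ttl: int = 60) -> str:
    """nsupdate batch that replaces the TXT RRset at `name` with `value`.
    Deleting first avoids accumulating stale tokens from earlier renewals."""
    return "\n".join([
        f"server {master}",
        f"zone {zone}",
        f"update delete {name}. TXT",
        f'update add {name}. {ttl} TXT "{value}"',
        "send",
        "",
    ])


def run_nsupdate(script: str, keyfile: str) -> None:
    """Send the batch to the master, TSIG-signing with the key in `keyfile`
    (any format `nsupdate -k` accepts, e.g. an HMAC-SHA256 key statement).
    Raises CalledProcessError if the master refuses the update."""
    subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)


def dig_short(server: str, name: str, rtype: str) -> List[str]:
    """`dig +short [@server] name rtype`; returns answer lines with the
    quotes stripped from TXT strings.  A timed-out server yields []."""
    args = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        args.append("@" + server)
    proc = subprocess.run(args + [name, rtype], capture_output=True,
                          text=True, check=False)
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def dig_ns(zone: str) -> List[str]:
    """Authoritative servers of the update-only zone (trailing dots removed)."""
    return [ns.rstrip(".") for ns in dig_short("", zone, "NS")]


def dig_txt(server: str, name: str) -> List[str]:
    """TXT strings that one specific server currently serves for `name`."""
    return dig_short(server, name, "TXT")


def wait_for_propagation(name: str, expected: str, nameservers: Iterable[str],
                         query_txt: Callable[[str, str], List[str]] = dig_txt,
                         timeout: float = 120.0, interval: float = 5.0,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic) -> Dict[str, bool]:
    """Poll each server for `name` TXT until all of them return `expected`
    or `timeout` seconds elapse.  Returns {server: seen}.  A server that
    still serves only the old value, answers nothing, or raises (unreachable)
    counts as not propagated; the caller decides whether to proceed anyway."""
    status = {ns: False for ns in nameservers}
    deadline = clock() + timeout
    while True:
        for ns in [s for s, ok in status.items() if not ok]:
            try:
                status[ns] = expected in query_txt(ns, name)
            except Exception:          # e.g. subprocess failure; treat as not seen
                status[ns] = False
        if all(status.values()) or clock() >= deadline:
            return status
        sleep(interval)


def make_fake_query(schedule: Dict[str, List[List[str]]]) -> Callable[[str, str], List[str]]:
    """Constructed stand-in for dig_txt: `schedule[server]` lists the answers
    that server gives on successive polls; the last entry repeats forever."""
    calls: Dict[str, int] = {}

    def query(server: str, name: str) -> List[str]:
        i = calls.get(server, 0)
        calls[server] = i + 1
        answers = schedule[server]
        return answers[min(i, len(answers) - 1)]
    return query


if __name__ == "__main__":
    # Offline demo: ns2 serves the old token, then nothing, then the new one.
    sched = {"ns1.acme.example.net": [["tok-new"]],
             "ns2.acme.example.net": [["tok-old"], [], ["tok-new"]]}
    print(wait_for_propagation("_acme-challenge.acme.example.net", "tok-new",
                               list(sched), make_fake_query(sched),
                               timeout=30, interval=0.01))
    # Live use (hypothetical names):
    #   run_nsupdate(build_nsupdate_script("master.example.net", "acme.example.net",
    #                "_acme-challenge.acme.example.net", token), "Kacme.+165+00000.private")
    #   wait_for_propagation("_acme-challenge.acme.example.net", token, dig_ns("acme.example.net"))
```

Querying each NS directly with `@server` matters: a recursive resolver may hand back a cached copy of the previous token, which is exactly the stale answer the ACME server's validator might also see. The timeout returns the per-server map rather than raising, so a client can log which master lagged and decide whether to retry the update, wait longer, or proceed with the renewal attempt.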