Ilari Liusvaara <ilariliusva...@welho.com> wrote:
    >> For now, this is for many ACME clients a manual step. If you run your
    >> authoritative DNS service locally in your network, perhaps you could
    >> look into any options for automatically updating the zone content.

    > I think the current best way is to have _acme-challenge be a CNAME
    > pointing to zone served by single master with no slaves that accepts
    > DNS UPDATE with TSIG HMAC-SHA256 authentication for ACME client to
    > update the records.

That's precisely what I do.
I do it because bind9 does not do well when zones are managed by updates as
well as manual edits. So I CNAME to a single (sub)zone where it is all
updates.

    > The single master is more than reliable enough for the purpose (as
    > there should be dozens of retries spread over time for renewal before
    > the certificate expires) and eliminates the propagation times.

I do have multiple masters, and I mean to program a query to all NS to see if
the update has propagated, but for now, I "sleep(30)", which is definitely
sub-optimal in the best cases, and a failure if there are problems.
So far, it works great.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
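The two pieces discussed in this thread, a TSIG-authenticated DNS UPDATE into a single dynamic zone and a check of every authoritative NS instead of a fixed sleep(30), as an added example that is not code from either poster. It assumes _acme-challenge.<domain> is a CNAME into a placeholder dynamic zone (ACME_ZONE) whose master accepts nsupdate with an HMAC-SHA256 key; the zone, master, key path and nameserver names are all placeholders, and the polling uses dig (BIND tools) but takes an injectable query function so the convergence logic can be run with a constructed, offline simulation.

```python
"""Publish an ACME dns-01 token via DNS UPDATE, then poll every NS of the
dynamic zone until all of them serve it (added example, not list code).
Assumptions: BIND's nsupdate/dig are installed; all names are placeholders."""
import subprocess
import time

ACME_ZONE = "acme.example.net."          # placeholder: the update-only zone
MASTER = "ns-dyn.example.net"            # placeholder: its single master
TSIG_KEYFILE = "/etc/acme/tsig.key"      # placeholder: hmac-sha256 key file


def build_nsupdate_script(server, zone, name, txt_value, ttl=60):
    """Return the command text piped into `nsupdate -k <keyfile>`.
    Deleting the old TXT first keeps exactly one current token at the name."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {name} TXT",
        f'update add {name} {ttl} IN TXT "{txt_value}"',
        "send",
        "",
    ])


def nsupdate(script, keyfile=TSIG_KEYFILE):
    """Run BIND's nsupdate with the TSIG key; raises if the update is refused."""
    subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)


def dig_txt(nameserver, name):
    """Ask one authoritative server directly (no recursion) for TXT strings.
    A server that times out or errors simply counts as 'not there yet'."""
    try:
        out = subprocess.run(
            ["dig", "+short", "+norecurse", f"@{nameserver}", name, "TXT"],
            capture_output=True, text=True, check=True).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return set()
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


def wait_for_propagation(name, expected, nameservers, query=dig_txt,
                         timeout=300, interval=5,
                         sleep=time.sleep, clock=time.monotonic):
    """Poll every NS until all of them serve `expected`.  Returns the number
    of polling rounds taken; raises TimeoutError naming the lagging servers.
    query/sleep/clock are injectable so the logic is testable offline."""
    deadline = clock() + timeout
    rounds = 0
    while True:
        rounds += 1
        lagging = [ns for ns in nameservers if expected not in query(ns, name)]
        if not lagging:
            return rounds
        if clock() >= deadline:
            raise TimeoutError(f"{name}: token not yet served by {lagging}")
        sleep(interval)


class SimulatedZone:
    """Constructed stand-in for a zone's nameservers: each NS starts serving
    the value only after `lag[ns]` queries, modelling slow secondaries."""

    def __init__(self, value, lag):
        self.value, self.lag, self.calls = value, lag, {}

    def query(self, ns, name):
        n = self.calls[ns] = self.calls.get(ns, 0) + 1
        return {self.value} if n > self.lag.get(ns, 0) else set()


def publish_token(domain, token, nameservers, query=dig_txt, do_update=nsupdate):
    """Full flow: the TXT goes at the CNAME target inside the dynamic zone,
    and it is that zone's NS (not the parent domain's) that must agree."""
    target = f"_acme-challenge.{domain}.{ACME_ZONE}"   # placeholder CNAME target
    do_update(build_nsupdate_script(MASTER, ACME_ZONE, target, token))
    return wait_for_propagation(target, token, nameservers, query=query)


if __name__ == "__main__":
    # Offline demonstration with the constructed simulation (token is made up).
    sim = SimulatedZone("constructed-token", {"ns2.example.net": 2})
    rounds = publish_token("example.com", "constructed-token",
                           ["ns1.example.net", "ns2.example.net"],
                           query=sim.query, do_update=lambda script: None)
    print(f"all nameservers consistent after {rounds} polling round(s)")
```

The retry loop is what replaces the sleep(30): it returns as soon as the slowest authoritative server agrees and fails loudly, naming the lagging servers, when it does not, which is the part a renewal job should log rather than silently proceed past.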
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme