Yes, I was using nsupdate to test my implementation. For security reasons the directory that holds the zone file is readonly for named. So named couldn't create its journal file there. I misinterpreted the reference manual for the description of the "journal" command. Where it mentioned that the "filename" could be overridden I wasn't thinking it could be a pathname.
Just to clarify, I will be using the certbot client with the dns-rfc2136 plugin to receive my certificates. I wonder why they don't have a dns-local plugin. It would be a whole lot simpler. On Mon., Apr. 26, 2021, 09:57 Kevin Darcy via bind-users, < bind-users@lists.isc.org> wrote: > [ Classification Level: GENERAL BUSINESS ] > > Ivan, > I've never done the Let's Encrypt thing myself, but from my > skim of the documentation, it appears they want you to place a TXT record > in a specific part of your domain's namespace hierarchy. > > I sincerely hope you're not trying to write the TXT record directly to the > journal file. That could lead to corruption, or, at the very least, your > changes could be overwritten, since journal files are written dynamically. > > The safe way to update DNS programmatically is through the Dynamic Update > extension to DNS, typically via the "nsupdate" command-line utility, or via > various libraries/modules of scripting languages like Perl or Python. > > One of the bash-based ACME client implementations linked from Let's > Encrypt's webpage, for instance, is github.com/bruncsak/ght-acme.sh, and > for the DNS-01 challenge method, it feeds some commands to nsupdate. The > code is rather crude, assuming no crypto-based authentication on the server > side, among other things, but it's at least a start on a recommended way to > update DNS data. Better than mucking around with journal files. > > There is a learning curve associated with Dynamic Update. On the server > side, for instance, you'll need to establish permissions via allow-update. > Limiting updates to localhost at least would protect your DNS data from > unauthorized changes from remote hosts, but ideally, you'd generate a key > and use that. > > > - Kevin > > On Sun, Apr 25, 2021 at 7:39 PM Ivan Avery Frey <ivan.avery.f...@gmail.com> > wrote: > >> I'm trying to obtain certificates from Let's Encrypt using the DNS-01 >> challenge method. >> >> I just want to confirm that there is no option to configure the >> directory for the .jnl files independently of the zone files. >> _______________________________________________ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> ISC funds the development of this software with paid support >> subscriptions. Contact us at https://www.isc.org/contact/ for more >> information. >> >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users