[personal profile] fanf

Last week, the EFF wrote about how to safely allow web servers to update ACME DNS challenges. Whereas non-wildcard Let's Encrypt certificates can be authorized by the web server itself, wildcard certs require the ACME client to put the challenge token in the DNS.

The EFF article outlined a few generic DNS workarounds (which I won't describe here), and concluded by suggesting delegating the _acme-challenge subdomain to a special ACME-DNS server.

But, if your domain is hosted with BIND, it's much easier.

First, you need to generate a TSIG key (a shared secret) which will be used by your ACME client to update the DNS. The tsig-keygen command takes the name of the key as its argument; give the key the same name as the domain it will be able to update. I write TSIG keys to files named tsig.<keyname> so I know what they are.

    $ tsig-keygen <keyname> > tsig.<keyname>

This file needs to be copied to the ACME client - I won't go into the details of how to get that part working.

The key needs to be included in the primary BIND server config:

    include "tsig.<keyname>";

You also need to modify your zone's dynamic update configuration. My zones typically have:

    update-policy local;

The new configuration needs both the expanded form of local and the _acme-challenge permissions. The self rule type matches only when the name being updated is the same as the key's name, which is why the key is named after the _acme-challenge subdomain:

    update-policy {
        grant local-ddns zonesub any;
        grant <keyname> self <keyname> TXT;
    };

You can test that the key has restricted permissions using nsupdate. The following transcript (with the names shown as <placeholders>) shows that this ACME TSIG key can only add and delete TXT records at the _acme-challenge subdomain - it isn't able to update TXT records at other names, and isn't able to update non-TXT records at the _acme-challenge subdomain.

    nsupdate -k tsig.<keyname>
    > add <other-name>.<domain> 3600 txt thing
    > send
    update failed: REFUSED
    > add _acme-challenge.<domain> 3600 a <address>
    > send
    update failed: REFUSED
    > add _acme-challenge.<domain> 3600 txt thing
    > send
    > del _acme-challenge.<domain> 3600 txt thing
    > send

That's it!
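The following Python script is an added example, not code from the post or from BIND: it models the setup described above so the policy can be checked without a running name server. It writes a key clause in the layout tsig-keygen prints, renders the include line and update-policy block, and evaluates the zonesub and self rules against the four updates from the nsupdate transcript. The zone example.org, the file name tsig._acme-challenge.example.org and the small rule evaluator are constructed for the example; the rule semantics follow BIND's documented update-policy matching (first rule whose identity, name and type all match decides, otherwise REFUSED).

```python
"""Added example (not the post author's code): a small model of the BIND
ACME TSIG setup.  Constructed values: the zone example.org and the
tsig.<keyname> file name."""
import base64
import secrets
from typing import Iterable, List, Tuple

Rule = Tuple[str, str, str, str]  # (identity, ruletype, name, types)


def norm(name: str) -> str:
    """DNS names compare case-insensitively and the trailing dot is optional."""
    return name.rstrip(".").lower()


def acme_key_name(zone: str) -> str:
    """Name the key after the only name it may update, so a 'self' rule applies."""
    return "_acme-challenge." + norm(zone)


def tsig_keygen(key_name: str, nbytes: int = 32) -> str:
    """Key clause in the layout tsig-keygen prints: hmac-sha256 with a random
    base64 secret (32 bytes matches the algorithm's 256-bit output size)."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return (f'key "{key_name}" {{\n'
            f'\talgorithm hmac-sha256;\n'
            f'\tsecret "{secret}";\n'
            f'}};\n')


def acme_policy(zone: str) -> List[Rule]:
    """Expanded form of 'local' plus the _acme-challenge grant from the post."""
    key = acme_key_name(zone)
    return [("local-ddns", "zonesub", "", "any"),
            (key, "self", key, "TXT")]


def render_named_conf(zone: str) -> str:
    """The two snippets for the primary server config: the include of the
    tsig.<keyname> file and the zone's update-policy block."""
    key = acme_key_name(zone)
    lines = [f'include "tsig.{key}";', "", "update-policy {"]
    for rule in acme_policy(zone):
        # zonesub rules have no name field, so skip empty fields when printing
        lines.append("\tgrant " + " ".join(field for field in rule if field) + ";")
    lines.append("};")
    return "\n".join(lines) + "\n"


def allowed(policy: Iterable[Rule], zone: str, identity: str,
            name: str, rrtype: str) -> bool:
    """Model of BIND's update-policy evaluation: the first rule whose identity,
    name and type all match decides (all rules here are grants); if no rule
    matches the update is REFUSED.  Only the zonesub, self and name rule
    types are modelled, which is all this configuration needs."""
    zone, identity, name = norm(zone), norm(identity), norm(name)
    rrtype = rrtype.upper()
    for rule_identity, ruletype, rule_name, types in policy:
        if norm(rule_identity) != identity:
            continue
        if ruletype == "zonesub":      # any name at or below the zone apex
            name_ok = name == zone or name.endswith("." + zone)
        elif ruletype == "self":       # only the name equal to the key name
            name_ok = name == identity
        elif ruletype == "name":       # exactly the name given in the rule
            name_ok = name == norm(rule_name)
        else:
            raise ValueError(f"rule type {ruletype!r} not modelled")
        if not name_ok:
            continue
        if types.lower() != "any" and rrtype not in types.upper().split():
            continue
        return True
    return False


def transcript_results(zone: str) -> List[bool]:
    """The four updates from the nsupdate transcript, in order, as sent with
    the ACME key: True means the server would accept the update."""
    policy, key = acme_policy(zone), acme_key_name(zone)
    acme = "_acme-challenge." + norm(zone)
    return [allowed(policy, zone, key, "www." + norm(zone), "TXT"),  # other name
            allowed(policy, zone, key, acme, "A"),                    # other type
            allowed(policy, zone, key, acme, "TXT"),                  # add TXT
            allowed(policy, zone, key, acme, "TXT")]                  # del TXT


if __name__ == "__main__":
    zone = "example.org"
    key = acme_key_name(zone)
    with open(f"tsig.{key}", "w") as f:          # same naming as the post
        f.write(tsig_keygen(key))
    print(render_named_conf(zone))
    for accepted in transcript_results(zone):
        print("update sent" if accepted else "update failed: REFUSED")
```

Running the script writes the key file, prints the config snippets, and prints REFUSED for the first two transcript steps and success for the last two, matching the transcript above. The local-ddns identity (used by named's own internal updates) is still allowed anywhere in the zone, which is what keeping the expanded form of local preserves.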

Date: 2018-03-10 15:05 (UTC)
ewx: (Default)
From: [personal profile] ewx
Where does BIND store the modifications? (Does it just edit your zone file or does it have some kind of sidecar that it knows it's safe to modify?) I've been trying to extract this from the documentation but getting nowhere.

Date: 2019-01-03 21:32 (UTC)
ewx: (Default)
From: [personal profile] ewx
Thank you for the help, I've now successfully letsencrypted my first internal domain. I hope to abolish my private CA by the end of the year l-)

Date: 2018-03-28 05:27 (UTC)
From: (Anonymous)
I'm trying to get something working with hosts in a Kerberos realm with an external update-policy helper.

I've got this so far.
