TXT with dot in NAME for ACME via dynamic update

Axel Rau
Hi all,

It seems the dynamic update protocol does not allow things like
        _acme-challenge.some-host.some.domain TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
because there is no zone
        some-host.some.domain
However, named accepts such constructs if loaded from a text zone file.

The problem is:
- bind requires for dynamic update with
        dnssec-update-mode maintain
        auto-dnssec maintain
  both require dynamic DNS

- letsencrypt requires challenges like the above.

This makes it impossible to create automatic ACME clients with dns-01 challenge.

Does anybody have a workaround?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: TXT with dot in NAME for ACME via dynamic update

Chuck Aurora
On 2020-03-14 12:03, Axel Rau wrote:
> it seems, the dynamic update protocol does not allow things like
> _acme-challenge.some-host.some.domain
> TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
> because there is no zone
> some-host.some.domain

I am pretty sure that is not correct, but we can't help unless you
show your work.  If you need to specify the zone to update, you can
and should.  BIND's nsupdate(8) and other dynamic DNS clients allow
you to do this.

> However named accepts such constructs, if loaded from text zone file.

Mind your trailing dot, however. :)

> The problem is:
> - bind requires for dynamic update with
> dnssec-update-mode maintain
> auto-dnssec maintain
>   both require dynamic DNS
>
> - letsencrypt requires challenges like the above.
>
> This makes it impossible to create automatic ACME clients with
> dns-01 challenge.

Again, pretty sure you're wrong about this.

> Does anybody have a workaround?

Show your work if you want help.  Are you using nsupdate or some other
client?  Show what you gave your client.  Review the nsupdate(8) manual
for details on the input commands and format.

Re: TXT with dot in NAME for ACME via dynamic update

Axel Rau


On 14.03.2020 at 18:14, Chuck Aurora <[hidden email]> wrote:

>> it seems, the dynamic update protocol does not allow things like
>> _acme-challenge.some-host.some.domain TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
>> because there is no zone
>> some-host.some.domain
>
> I am pretty sure that is not correct, but we can't help unless you
> show your work.  If you need to specify the zone to update, you can
> and should.  BIND's nsupdate(8) and other dynamic DNS clients allow
> you to do this.

With this file
- - -
server localhost
debug
ttl 3600
add _acme-challenge.imap.lrau.net.  3600 TXT  "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"
show
send
answer
- - -
I get:
- - -
# nsupdate -k /usr/local/etc/namedb/dns-keys/ddns-key.conf ~/admin/ns-update-example.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;lrau.net. IN SOA

;; UPDATE SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"

Sending update to ::1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; UPDATE SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0"

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 

Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  41111
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;lrau.net. IN SOA

;; TSIG PSEUDOSECTION:
ddns-key. 0 ANY TSIG hmac-sha256. 1584206515 300 32 . . . 41111 NOERROR 0 

# dig _acme-challenge.imap.lrau.net.  @localhost

; <<>> DiG 9.16.0 <<>> _acme-challenge.imap.lrau.net. @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6153
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 404b9f34e94920a4ef3dd3065e6d14308acdeabfe0744b88 (good)
;; QUESTION SECTION:

;; AUTHORITY SECTION:
lrau.net. 3600 IN SOA ns4.lrau.net. hostmaster.lrau.net. 2020030850 86400 7200 604800 3600

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Mar 14 17:28:16 UTC 2020
;; MSG SIZE  rcvd: 145

(pki_dev_p37) [root@hermes /usr/local/py_venv/pki_dev_p37/src]# 

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: TXT with dot in NAME for ACME via dynamic update

Crist Clark
It looks like it worked. Your test is asking for A records, not the TXT records for the name. Try:

$ dig _acme-challenge.imap.lrau.net. txt @localhost

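As an added example (not code from the thread or from ISC), a small POSIX sh helper that builds an nsupdate(8) batch the way Chuck suggests, naming the zone explicitly, and checks a dig reply for the TXT record that Crist's `txt` query would return. The host and token are the thread's; the `zone` statement, the delete-before-add and the sample dig replies are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an nsupdate(8) batch for a
# dns-01 challenge and checks a dig reply for the TXT record. The zone
# statement and the delete-before-add are assumptions about how to drive
# nsupdate; the host and token are the ones from the thread.

# Print an nsupdate batch for ZONE HOST TOKEN [TTL]. The zone is named
# explicitly (the SOA owner, lrau.net, not the host imap.lrau.net), so the
# server never has to guess it from a name with extra labels. Deleting the
# old TXT first keeps a stale token from an earlier run out of the way.
acme_nsupdate_batch() {
    zone=$1 host=$2 token=$3 ttl=${4:-60}
    printf 'server localhost\n'
    printf 'zone %s.\n' "$zone"
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'update add _acme-challenge.%s. %s TXT "%s"\n' "$host" "$ttl" "$token"
    printf 'send\n'
}

# Succeed (exit 0) only if dig output REPLY holds a TXT RR for
# _acme-challenge.HOST carrying TOKEN. A reply with an empty ANSWER
# section, like the A-record query in the thread, fails this check.
dig_has_challenge() {
    host=$1 token=$2 reply=$3
    printf '%s\n' "$reply" | awk -v n="_acme-challenge.$host." -v t="\"$token\"" \
        '$1 == n && $3 == "IN" && $4 == "TXT" && $5 == t { found = 1 }
         END { exit !found }'
}

# Constructed sample replies: what "dig ... txt" returns once the update
# is live, and the empty answer the thread's A-record query produced.
TOKEN=tR0VhMRfb4v5WsctEgoD3aWNRJ73n2wqn9hlTPE9pA0
SAMPLE_TXT_REPLY=';; ANSWER SECTION:
_acme-challenge.imap.lrau.net. 3600 IN TXT "'"$TOKEN"'"'
SAMPLE_A_REPLY=';; AUTHORITY SECTION:
lrau.net. 3600 IN SOA ns4.lrau.net. hostmaster.lrau.net. 2020030850 86400 7200 604800 3600'

acme_nsupdate_batch lrau.net imap.lrau.net "$TOKEN" 300
if dig_has_challenge imap.lrau.net "$TOKEN" "$SAMPLE_TXT_REPLY"; then
    echo "TXT challenge visible"
fi
```

Feed the batch to `nsupdate -k <tsig-key-file>` as in the thread, then run the `dig ... txt` query and pass its output to `dig_has_challenge` before asking the CA to validate.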