rfc2136 support?

eroiITguy

New Member
Hello,

In researching lets encrypt and dynamic dns, I have learned a lot about rfc2136. I just looked at zoneedit's dynamic dns information: but it leaves a pertinant question unresolved: does zoneedit's dynamic dns use RFC2136?

If so, that seems a shoe-in for pfsense's version of let's encrypt: it has the option ns-update (rfc2136)...

If rfc2136 is supported, I would be happy to provide scripting information for using nsupdate.

Thank you for your time...

--jason
 

sandy neal

Administrator
Staff member
what records are required to be dynamically updated for lets encrypt? I was under the impression that it was a record other then an IP update.

thanks
sandy
 

eroiITguy

New Member
"txt" records are what lets encrypt looks for. The prefix acme uses is _acme-challenge.<fqdn>.

ISC's BIND uses tsig to allow/deny updates.

So in my case, acme would be pushing new records every 60 days or so such as:

_acme-challenge.mydomain.tld. 7200 IN TXT "_63xxxxxe7q8d28H5dJhntJl_0ET5CsxwdD7Buow-o"

--jason
 

sandy neal

Administrator
Staff member
we will have an API available soon that will allow TXT record updates.. for dynamic updates.. at present that is for P address only

thanks and take care
sandy
 

vikinggeek

New Member
+1. This is now holding up providing certificates to multiple project for us. For non *nix host, there is no alternative to dns based renewal. Manually updating TXT records is not practical. Would appreciate priority to this item.
 

sdas2

New Member
Hi @sandy neal,
any update on the dynamic/automatic TXT entry yet? I also use ACME client on pfSense and it's failed to add/update the _acme-challenge.<fqdn> TXT record, hence getting error/warning all over the places. Is there anyway you can help us?
 

sdas2

New Member
hummm............ that's a bit inconvenient for us, as users.
Any idea when we might see that working? Any particular issue (technical or otherwise) that you guys having difficulty to deal with (if you like to share)?

Question to others:
How others are using lets encrypt on pfSense (apart from opening up port 80) as Zoneedit cannot be any helpful at this point of time?

-San
 

vikinggeek

New Member
When we renewed our domain in November I got the following response:
sorry no API yet and no ETA as well... you may want to consider easyDNS.com as easyDNS does offer an API.
Maybe it is time to consider another DNS provider as it seems like ZoneEdit is not getting needed upgrades. Time to escalate?
 

sandy neal

Administrator
Staff member
sorry still no ETA for an API... please consider easyDNS.com as they do offer an API presently.
 
Top