rfc2136 support?


New Member

In researching Let's Encrypt and dynamic DNS, I have learned a lot about RFC 2136. I just looked at ZoneEdit's dynamic DNS information, but it leaves a pertinent question unresolved: does ZoneEdit's dynamic DNS use RFC 2136?

If so, that seems a shoo-in for pfSense's version of Let's Encrypt: it has the option ns-update (rfc2136)...

If RFC 2136 is supported, I would be happy to provide scripting information for using nsupdate.

Thank you for your time...


sandy neal

Staff member
What records are required to be dynamically updated for Let's Encrypt? I was under the impression that it was a record other than an IP update.



New Member
"txt" records are what Let's Encrypt looks for. The prefix ACME uses is _acme-challenge.<fqdn>.

ISC's BIND uses TSIG to allow/deny updates.

So in my case, acme would be pushing new records every 60 days or so such as:

_acme-challenge.mydomain.tld. 7200 IN TXT "_63xxxxxe7q8d28H5dJhntJl_0ET5CsxwdD7Buow-o"
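
Added example, not part of the post above and not ZoneEdit, pfSense or ACME-client code: how the TXT value for a DNS-01 challenge is derived (RFC 8555 section 8.4) and how the matching RFC 2136 update could be rendered for `nsupdate -k <tsig-keyfile>`. The function names, the server `ns1.example.net` and the key authorization are constructed placeholders.

```python
import base64
import hashlib
import re

# Hostname-style names only; rejects whitespace, quotes and newlines.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}(\.[A-Za-z0-9_-]{1,63})*\.?")
# Unpadded base64url of a 32-byte SHA-256 digest is always 43 characters.
TXT_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def dns01_txt_value(key_authorization):
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), unpadded."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def nsupdate_batch(action, domain, txt_value, server, zone, ttl=7200):
    """Return the command text to pipe into `nsupdate -k <tsig-keyfile>`.

    Every field is validated first: the batch is line-oriented, so a stray
    newline in any input would become an extra update command.
    """
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    for label, name in (("domain", domain), ("server", server), ("zone", zone)):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe {label}: {name!r}")
    if not TXT_RE.fullmatch(txt_value):
        raise ValueError("TXT value is not a 43-character base64url digest")
    if not isinstance(ttl, int) or not 0 < ttl <= 86400:
        raise ValueError("ttl out of range")
    record = f"_acme-challenge.{domain.rstrip('.')}."
    if action == "add":
        update = f'update add {record} {ttl} IN TXT "{txt_value}"'
    else:
        # Delete only this value so a second pending challenge survives.
        update = f'update delete {record} TXT "{txt_value}"'
    return f"server {server}\nzone {zone}\n{update}\nsend\n"


if __name__ == "__main__":
    # Constructed inputs: token.thumbprint, server and zone are placeholders.
    value = dns01_txt_value("constructed-token.constructed-thumbprint")
    print(nsupdate_batch("add", "mydomain.tld", value, "ns1.example.net", "mydomain.tld."))
```

On the server side, scoping the TSIG key to the `_acme-challenge` TXT name only keeps a leaked key from rewriting the rest of the zone.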


sandy neal

Staff member
We will have an API available soon that will allow TXT record updates. For dynamic updates, at present that is for IP address only.

thanks and take care


New Member
+1. This is now holding up providing certificates to multiple projects for us. For non-*nix hosts, there is no alternative to DNS-based renewal. Manually updating TXT records is not practical. Would appreciate priority to this item.


New Member
Hi @sandy neal,
Any update on the dynamic/automatic TXT entry yet? I also use the ACME client on pfSense and it's failed to add/update the _acme-challenge.<fqdn> TXT record, hence getting errors/warnings all over the place. Is there any way you can help us?


New Member
hummm............ that's a bit inconvenient for us, as users.
Any idea when we might see that working? Any particular issue (technical or otherwise) that you guys are having difficulty dealing with (if you'd like to share)?

Question to others:
How are others using Let's Encrypt on pfSense (apart from opening up port 80), as ZoneEdit cannot be of any help at this point in time?



New Member
When we renewed our domain in November I got the following response:
sorry no API yet and no ETA as well... you may want to consider easyDNS.com as easyDNS does offer an API.

Maybe it is time to consider another DNS provider as it seems like ZoneEdit is not getting needed upgrades. Time to escalate?

sandy neal

Staff member
sorry still no ETA for an API... please consider easyDNS.com as they do offer an API presently.


New Member
Can I add a +1 for this feature please.
pfSense uses this feature.


Only DNS providers who have an API can be supported by lexicon.

The current supported providers are: Less zoneedit

Time to change?

Aliyun.com (docs)
AuroraDNS (docs)
AWS Route53 (docs)
Azure DNS (docs)
Cloudflare (docs)
ClouDNS (docs)
CloudXNS (docs)
ConoHa (docs)
Constellix (docs)
DigitalOcean (docs)
Dinahosting (docs)
DirectAdmin (docs)
DNSimple (docs: v1, v2)
DnsMadeEasy (docs)
DNSPark (docs)
DNSPod (docs)
Dreamhost (docs)
EasyDNS (docs)
Easyname (docs)
EUserv (docs)
ExoScale (docs)
Gandi (docs: RPC (old) / LiveAPI)
Gehirn (docs)
Glesys (docs)
GoDaddy (docs)
Google Cloud DNS (docs)
Gransy (sites subreg.cz, regtons.com and regnames.eu, docs)
Hover (docs)
Hurricane Electric DNS (docs)
Hetzner (docs)
Infoblox (docs)
Internet.bs (docs)
INWX (docs)
Linode (docs)
Linode v4 (docs)
LuaDNS (docs)
Memset (docs)
Namecheap (docs)
Namesilo (docs)
Netcup (docs)
NFSN (NearlyFreeSpeech)
NS1 (docs)
OnApp (docs)
OVH (docs)
Plesk (docs)
PointHQ (docs)
PowerDNS (docs)
Rackspace (docs)
Rage4 (docs)
RcodeZero (docs)
Sakura Cloud by SAKURA Internet Inc. (docs)
SafeDNS by UKFast (docs)
SoftLayer (docs)
Subreg (deprecated, use Gransy)
Transip (docs)
Vultr (docs)
Yandex (docs)
Zeit (docs)
Zilore (docs)
Zonomi (docs)