Minimum config for BIND, to provide static ACME challenge TXT record responses



  • I have a DNS service that is great in many ways, except one. The issue is that the only API provided is a fairly obscure Plesk-only XML API. It's less than ideal because there is nothing available online that will mediate between Let's Encrypt ACME v2 challenge software such as Certbot, and the XML API, to allow automation of a DNS-01 style challenge. I have checked with the ISP and Plesk and searched carefully online - the answer is "no". (There is an ACME Plesk extension available, but the ISP doesn't have it installed and I wouldn't have use of it on my package anyhow). For various reasons related to frequent network changes (including presence/absence of web server and use of https + wildcards) it's also easiest to use a DNS TXT record challenge rather than an HTTP web server challenge.

    This puts me in a bit of a corner where I have 2 options for automation:

    • I can automate a script to call a Certbot DNS challenge, then run some custom cURL (build the appropriate XML and send it to my host's Plesk API), then call Certbot again to run the ACME renew. This could be set up as a cron job.

    • Or, I can create a CNAME _acme_challenge subdomain alias at my DNS host, point its A + AAAA + NS records to an unused public IP on my pfSense router, and run BIND locally on the router, listening just to that IP on the WAN, at which point I can simply use the standard ACME package (or at worst, upload acme.sh and run it with cron) which can simply use the normal RFC 1236 nsupdate method of automation, and I don't have any custom code at all. Guaranteed to work long-term.

    Both of these will work - I've tested the cURL option, and this page under section 6 "domain-alias mode" makes clear that the second should easily work as well. However I prefer to use BIND because it lets me stick with standard methods + components and avoid an extra element of custom stuff to manage.

    I don't use BIND otherwise, so all it would have to do is provide authoritative DNS TXT records for a single specified domain on a specific external facing IP port 53. All my public IPs are currently locked down on port 53 (no other external facing DNS service in use or expected), so this doesn't conflict with anything. BIND wouldn't store anything except the TXT records needed for the ACME validation-only domain, so it's not a concern to expose it externally. Those entries will mainly be updated using the nsupdate API from the LAN subnet only (via the pfsense ACME package I guess). I do use Unbound already, but it responds only on the LAN interface port 53, so again no conflict.

    My question is, assuming I want to lock down/limit BIND's config as fully as possible and this will be its only/single use, what config is needed under the various pages of the BIND package? It would probably get under 5 legitimate WAN lookup requests every 2 - 3 months.

    Also once I get BIND working, what config is needed in the ACME package to work with it for wildcard certs?