nsupdate method and _acme-challenge key for TXT DNS record

  • I'm trying to use nsupdate as a validation method.

    In the documentation I read: "Before starting, an appropriate DNS key and settings must be in place in the DNS ...".

    Where can I get this DNS key?


  • Yep.

    The nsupdate method uses the 'nsupdate' executable that negotiates access with a DNS server that supports nsupdate, also known as RFC 2136.

    Take a look here https://docs.netgate.com/pfsense/en/latest/recipes/bind-rfc2136.html to see what it is all about and an example.

  • Thank you @Gertjan

    Please, can you help me verify that I have correctly understood the procedure? (my situation is different from the one described in the documentation: I don't have a bind server, I just need the key to enter the Aruba DNS).

    • ssh login to pfsense
    • create and execute make-ddns-host.sh script
    • use the generated key (${KEY_TEXT}) to create _acme-challenge record

    Is it correct?

    Thanks so much for your help.

  • LAYER 8 Netgate

    You need a BIND server, or some other DNS server that supports RFC2136. The make-ddns-host.sh script there is intended to be run on the host with BIND on it, not pfSense.

    You don't necessarily have to build a DNS server yourself if you can find a provider that does it.

    Dyn does but not on free accounts:


  • @trigg3r : I use the nsupdate method of acme because I have my own domain server that "hosts" all my domain names - it's the master DNS server, and it's bind.

    I'm not depending on any registrar's DNS services, except the annual domain fee.
    DNS Slaves, DNSSEC, HSTS, DANE, I've decided to keep it all 'in house' (for pure personal amusement - I have to say).

  • LAYER 8 Netgate

    I do the same except my local BIND is the master and HE.NET pulls the zones as a slave. NOTIFY works when I update something locally. This is a marginal solution for acme because it is sometimes a couple minutes before the zone is pulled and applied by hurricane after the NOTIFY. It's sort of tedious when I'm testing it but after it's working I just set it to wait 5 minutes after the nsupdate before testing and the automated process works fine. And HE.NET is free-from-fee.

    This lets me not worry about putting my home stuff in the NS records in the registrar/roots. HE.NET are the only servers the world knows about. And the firewall rules into the local DMZ BIND are limited to HE.NET sources only.

  • @Derelict Maybe I am wrong, but I think that in most cases the domain nameservers point to the DNS servers of the provider where the domain is registered. In these cases I do not think it is easy to get the script execution by the provider ...

  • @trigg3r said in nsupdate method and _acme-challenge key for TXT DNS record:

    In these cases I do not think it is easy to get the script execution by the provider ...

    None of your scripts (methods) is executed on the registrar's side.

    The "nsupdate" update method is a script running locally, using the RFC2136 protocol.
    DNS servers like bind (can) support the protocol.

    Most domain registrars do not support RFC2136; they implemented an API so their users can communicate with the domain DNS server. Most often, they also have some sort of GUI where you can log in and change IPs, subdomains, etc. 'manually'. Their GUI also uses this API on the inside.
    acme has DNS update methods, and these use the API of the domain registrar. One should always choose a registrar that has such an API if you want to obtain Let's Encrypt certs.
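
    The two posts above describe the nsupdate flow: a local script pushes the _acme-challenge TXT record to your own RFC 2136 master with a TSIG key, and then you wait until the public (slave) name servers have pulled the zone before letting ACME validate. The script below is an added example, not code from the thread or from the acme package; the master name, zone, key path and public NS are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an RFC 2136 batch for the
# _acme-challenge TXT record, push it with nsupdate and a TSIG key, then
# poll the public name server until the record is visible.
# Placeholders (assumed, not from the original post): ns-master.example.com,
# example.com, /etc/acme/Kacme.private, ns1.public-slave.example.

# Print the nsupdate batch. Arguments: master zone fqdn token [ttl].
build_nsupdate_batch() {
  master=$1; zone=$2; fqdn=$3; token=$4; ttl=${5:-60}
  printf 'server %s\n' "$master"
  printf 'zone %s.\n' "$zone"
  # Drop stale tokens from earlier runs so only the current one is served.
  printf 'update delete %s. TXT\n' "$fqdn"
  printf 'update add %s. %s TXT "%s"\n' "$fqdn" "$ttl" "$token"
  printf 'send\n'
}

# Push the batch to the master, authenticated with the TSIG key file.
publish_challenge() {
  keyfile=$1; shift
  build_nsupdate_batch "$@" | nsupdate -k "$keyfile"
}

# Does a dig +short TXT answer contain exactly the expected token?
txt_matches() {
  answer=$1; token=$2
  printf '%s\n' "$answer" | grep -qxF "\"$token\""
}

# Poll the public NS every 10s until the TXT shows up or timeout (seconds)
# elapses; this covers the NOTIFY/AXFR delay on a slave such as HE.NET.
wait_for_txt() {
  fqdn=$1; token=$2; ns=$3; timeout=${4:-300}; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if txt_matches "$(dig +short TXT "$fqdn" "@$ns" 2>/dev/null)" "$token"; then
      return 0
    fi
    sleep 10; waited=$((waited + 10))
  done
  return 1
}

# Dry run: show the batch that would be piped into "nsupdate -k <keyfile>".
build_nsupdate_batch ns-master.example.com example.com \
  _acme-challenge.example.com constructed-token-value 60
```

Real use is `publish_challenge /etc/acme/Kacme.private ns-master.example.com example.com _acme-challenge.example.com "$TOKEN"` followed by `wait_for_txt _acme-challenge.example.com "$TOKEN" ns1.public-slave.example 300` before the ACME client asks Let's Encrypt to validate.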

  • LAYER 8 Netgate

    @Derelict said in nsupdate method and _acme-challenge key for TXT DNS record:


    Like I said, dyn supports it but not free.

    You can use any of the DNS providers listed as well even though their API might differ from RFC2136.

  • @Gertjan thanks a lot!