wildcard only with dns01 ? how dns01 works ? #306

Closed
opened 2025-12-29 01:21:47 +01:00 by adam · 10 comments

Originally created by @UtechtDustin on GitHub (Mar 14, 2018).

I added `*.domain.de` to my domains.txt.
After running `./dehydrated -c` I get the message that this only works with dns01... but I can't figure out how dns01 works...
I have a Debian (8) server... can you explain it to me?

adam closed this issue 2025-12-29 01:21:47 +01:00

@lukas2511 commented on GitHub (Mar 14, 2018):

Please have a look at the documentation (https://github.com/lukas2511/dehydrated/blob/master/docs/dns-verification.md) and/or search for existing tutorials on the web.
Basically instead of uploading/copying a file to a webserver there are certain DNS entries that have to be set for validation.


@UtechtDustin commented on GitHub (Mar 14, 2018):

@lukas2511
I already searched but I don't understand how I can figure out my DNS server and how I can push the stuff to the DNS server.


@lukas2511 commented on GitHub (Mar 14, 2018):

@Falseee you'll need to use a hook script and an API provided by your DNS provider (if there is any). There are also ways to do this by hand, and there are tons of examples and tutorials over in the wiki: https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks


@txr13 commented on GitHub (Mar 14, 2018):

dns-01 is a method of validating your control of a domain. It requires the use of a hook script.

In order to implement this, you will need to keep a few things in mind:

- If your domains.txt has a wildcard as the **first** entry on a line, you will need to set an alias for the certificate.
- You will need to select the dns-01 challenge type in your main config or in your per-certificate config.
- You will need to implement a hook script in order to process the dns-01 challenges. (Examples are given in the link @lukas2511 gave you.)

@UtechtDustin commented on GitHub (Mar 14, 2018):

@lukas2511 @txr13
I think my DNS provider has no API, so I want to add it manually.
Should be no problem because I only have ONE domain.
Where can I find a tutorial for a manual dns01 challenge?


@txr13 commented on GitHub (Mar 14, 2018):

@Falseee I don't know where you can find a tutorial for that, but there are DNS hooks available that can print the required domains on the console (https://github.com/owhen/dns-01-manual), or email them to you (https://github.com/bennettp123/dehydrated-email-notify-hook).

These are both linked from the examples page that Lukas gave you. I have personally implemented both of these hooks for various cases, and they will certainly work... but the details of exactly *how* they work will depend greatly on your own environment, and that's very likely not something that we can coach you through in this environment.


@LwsBtlr commented on GitHub (Mar 16, 2018):

On 14 Mar 2018, at 15:00, txr13 <notifications@github.com> wrote:

> dns-01 is a method of validating your control of a domain. It requires the use of a hook script.

I can't simply add the TXT records to the DNS entry?

I am overwhelmed by the choices available, and no mention of bind (which I use for DNS).

The issue on reading up on DNS01 is that $4 is a challenge string, but I don’t know where that comes from.


@jobe1986 commented on GitHub (Mar 16, 2018):

For BIND you will need to enable dynamic updates on the zone using `allow-update {};` or `update-policy {};` and then use the nsupdate method. For a beginner with dynamic DNS in BIND, I'd suggest starting off with `allow-update {};` as that method only authenticates based on the IP address of the client. However, using `update-policy {};` is far more secure in the long run.

An example of an allow-update configuration (added INSIDE a `zone {}` block) which would allow dynamic updates from clients whose IP address is 127.0.0.1:

```
allow-update { 127.0.0.1; };
```

To use update-policy instead, simply running the command "ddns-confgen" on your command line will give you some basic instructions and generate you a new random key like so:

```
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key" {
        algorithm hmac-sha256;
        secret "GnYdTr7w86nVkqXGympmFeBkcN071ysvMz+v6sfk51M=";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
        grant ddns-key zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
```

Note: After enabling dynamic updates for a zone in BIND, you will not be able to simply edit the zone file and run `rndc reload` to update the DNS anymore. The procedure to do so is either using nsupdate or running `rndc freeze <zone>`, editing the zone file, then running `rndc thaw <zone>` to reload the updated data.

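Putting txr13's three-point checklist and jobe1986's BIND setup together, here is an added example of a dehydrated hook that publishes the dns-01 TXT record through nsupdate with the TSIG key from ddns-confgen and waits for it to be served before returning. It is not the project's own hook or anything posted in this thread; the key file path, the 127.0.0.1 server and the config snippet in the header are assumptions. It also shows where the `$4` that LwsBtlr asked about comes from: dehydrated calls the hook as `hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE`, so `$4` is the TXT value to publish.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated's dns-01 flow over BIND dynamic updates.
# Hypothetical: not the project's hook; paths and server below are assumptions.
#   config:      CHALLENGETYPE="dns01"  HOOK="/etc/dehydrated/hook.sh"
#   domains.txt: *.domain.de domain.de > domain.de   (alias for a leading wildcard)
set -eu

KEYFILE="${DDNS_KEYFILE:-/etc/dehydrated/ddns-key.conf}"  # assumed: key from ddns-confgen
NAMESERVER="${DDNS_SERVER:-127.0.0.1}"                     # assumed: local authoritative BIND
TTL=60

# Emit the nsupdate batch as text. $1 = add|delete, $2 = domain, $3 = TXT value.
# dehydrated passes the TXT value (base64url SHA-256 of the key authorization)
# as the hook's $4; the stage functions hand it to this helper as $3.
build_update() {
  rr="_acme-challenge.$2."
  printf 'server %s\n' "$NAMESERVER"
  if [ "$1" = add ]; then
    printf 'update add %s %s IN TXT "%s"\n' "$rr" "$TTL" "$3"
  else
    printf 'update delete %s IN TXT "%s"\n' "$rr" "$3"
  fi
  printf 'send\n'
}

# Called as: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
  build_update add "$1" "$3" | nsupdate -k "$KEYFILE"
  # Do not return until the authoritative server serves the record; dehydrated
  # asks the CA to validate as soon as this function exits.
  i=0
  while [ "$i" -lt 30 ]; do
    if dig +short @"$NAMESERVER" TXT "_acme-challenge.$1" | grep -qF "\"$3\""; then
      return 0
    fi
    sleep 2; i=$((i + 1))
  done
  echo "TXT record for $1 not visible on $NAMESERVER" >&2
  return 1
}

# Called as: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
  build_update delete "$1" "$3" | nsupdate -k "$KEYFILE"
}

# Only these two stages are handled; other stages dehydrated invokes are ignored.
case "${1:-}" in
  deploy_challenge|clean_challenge) stage="$1"; shift; "$stage" "$@" ;;
esac
```

Because this hook only ever touches `_acme-challenge` TXT records, the `grant ddns-key zonesub ANY;` from ddns-confgen can be narrowed to `grant ddns-key name _acme-challenge.domain.de TXT;` so a leaked key cannot rewrite the rest of the zone.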

@txr13 commented on GitHub (Mar 16, 2018):

@LwsBtlr You absolutely can edit DNS by hand. Some of the hook scripts are built for that—they tell you what TXT entries to make, and wait for you to do so.

But given a method to make your updates automated (like @jobe1986 has outlined), you should definitely look at it. The whole point of this is to have an Automated Certificate Management Environment, after all. ;)


@LwsBtlr commented on GitHub (Mar 17, 2018):

On 2018-03-16 (02:56 MDT), Matthew Beeching <notifications@github.com> wrote:

> However using update-policy {}; is far more secure in the long run.

Is there LE-specific documentation on how to do this? update-policy isn't something I've run into before (I am not on dynamic DNS).

Reference: starred/dehydrated#306