diff --git a/example-dns-01-nsupdate-script.md b/example-dns-01-nsupdate-script.md index 97436f4..ef024f8 100644 --- a/example-dns-01-nsupdate-script.md +++ b/example-dns-01-nsupdate-script.md @@ -75,7 +75,7 @@ zone "_acme-challenge." { }; ~~~ -This is the most secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. +This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further. An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script: