Suggest hmac-sha512 by default

Robert Scheck
2018-07-24 00:41:27 +02:00
parent 95244415ea
commit f85e415431

@@ -48,7 +48,7 @@ The file `/path/to/Kdnsupdatekey.private` looks like this:
``` ```
key "<keyname>" { key "<keyname>" {
algorithm hmac-md5; algorithm hmac-sha512;
secret "<key>"; secret "<key>";
}; };
``` ```
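Review bot: The `algorithm hmac-sha512;` line in the sample `.private` file is only correct if the key was generated with the matching `-a hmac-sha512` argument shown later in the README, since `dnssec-keygen` writes the algorithm name into that file; readers who created their key with the previous `hmac-md5` instructions will still have `algorithm hmac-md5;` here, so a one-line note that existing keys must be regenerated (and the `key` stanza in named.conf updated to match) would avoid a confusing mismatch between the documented file and what is on disk.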
@@ -57,14 +57,14 @@ To avoid making your entire production DNS subject to dynamic DNS updates, then
1. In your main DNS infrastructure create a delegation: `_acme-challenge.<domain>. NS <your-nameserver>.` 1. In your main DNS infrastructure create a delegation: `_acme-challenge.<domain>. NS <your-nameserver>.`
2. Create a new zone `_acme-challenge.<domain>` on `<your-nameserver>`, with an empty zonefile (just an SOA and NS record), writeable by the nameserver 2. Create a new zone `_acme-challenge.<domain>` on `<your-nameserver>`, with an empty zonefile (just an SOA and NS record), writeable by the nameserver
3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST <keyname>` 3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST <keyname>`
4. Enable dynamic updates on the `_acme-challenge.<domain>` zone with this key 4. Enable dynamic updates on the `_acme-challenge.<domain>` zone with this key
e.g. for bind9: e.g. for bind9:
~~~ ~~~
key "<keyname>" { key "<keyname>" {
algorithm hmac-md5; algorithm hmac-sha512;
secret "<key>"; secret "<key>";
}; };
zone "_acme-challenge.<domain>" { zone "_acme-challenge.<domain>" {
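Review bot: Step 3 changes the algorithm to `hmac-sha512` but keeps `-b 128`, so the generated TSIG secret is still only 128 bits; a 128-bit key with HMAC-SHA512 is accepted by `dnssec-keygen` but gives no more key strength than the hmac-md5 setup it replaces. Suggest `dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 512 -n HOST <keyname>` so the key length matches the digest size, and, since the `key "<keyname>" { ... }` stanza in the bind9 example below is expected to be pasted from the generated `.private` file, keep its `algorithm hmac-sha512;` line and the step-3 `-a` argument in sync if either is edited again.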