From fb8ddb85c26e8f6fc67a698a38d647030d037634 Mon Sep 17 00:00:00 2001 From: JP Mens Date: Sat, 19 Dec 2020 12:47:50 +0100 Subject: [PATCH] Replace dnssec-keygen by tsig-keygen because the former has been deprecated for creating TSIG keys. --- example-dns-01-nsupdate-script.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/example-dns-01-nsupdate-script.md b/example-dns-01-nsupdate-script.md index ef024f8..b0c5d30 100644 --- a/example-dns-01-nsupdate-script.md +++ b/example-dns-01-nsupdate-script.md @@ -57,7 +57,7 @@ To avoid making your entire production DNS subject to dynamic DNS updates, then 1. In your main DNS infrastructure create a delegation: `_acme-challenge.. NS .` 2. Create a new zone `_acme-challenge.` on ``, with an empty zonefile (just an SOA and NS record), writeable by the nameserver -3. Create a new TSIG key: `dnssec-keygen -r /dev/urandom -a hmac-sha512 -b 128 -n HOST ` +3. Create a new TSIG key: `tsig-keygen -a sha512 ` 4. Enable dynamic updates on the `_acme-challenge.` zone with this key e.g. for bind9: @@ -75,7 +75,7 @@ zone "_acme-challenge." { }; ~~~ -This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. Use /dev/random as an argument for dnssec-keygen for key generation to increase security further. +This is a secure approach because each host will have its own key, and hence can only obtain certificates for those domains you have explicitly authorized it for. An alternative approach is to use CNAMEs to put all your dynamic updates into a single zone. You will need to modify the script:
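Review bot: in the first hunk (step 3) the replacement command silently changes two things that the surrounding text does not mention: the key size and the output format. The old `dnssec-keygen ... -b 128` produced a 128-bit secret, whereas `tsig-keygen` derives the secret length from the algorithm (512 bits for hmac-sha512), and instead of writing `K*.key`/`K*.private` files it prints a `key "<name>" { algorithm hmac-sha512; secret "..."; };` block to stdout. Step 4 and the nsupdate script that consume the key should be checked and, if they still expect the dnssec-keygen file pair, updated in the same patch (e.g. redirect the output to a file and reference that file with `nsupdate -k`). Minor: `-a sha512` is accepted by tsig-keygen, but `-a hmac-sha512` matches the algorithm name used in named.conf and would be clearer for readers.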
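Review bot: in the second hunk, dropping the `/dev/random` sentence is the right call since `tsig-keygen` has no `-r` option, but it leaves the paragraph with no guidance on handling the generated secret at all. Since `tsig-keygen` writes the secret to stdout rather than to a mode-0600 key file, consider adding one sentence recommending that the output be saved to a file readable only by the user running the update script and by named, so the per-host isolation the paragraph describes is not undermined by a world-readable key.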