201907-b...@planhack.com wrote:

>> My solution is not to mix dynamic update with other access. Instead,
>> I put in CNAMEs in the signed zone to a sub-zone (or other zone) where
>> I do exclusive dynamic update. This isn't perfect, but it works well
>> enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
>> certificates.
> Not perfect? What issues did you see? Thanks!

a) there are still a number of situations where systems do not follow CNAMEs when they should. Particularly relating to RFC2317 reverse delegations.

b) using a second zone introduces additional possibilities for DNSSEC to be broken.

c) cruft accumulates in the second zone, and some of it does not get deleted.

d) updates to secondaries sometimes take longer than certbot is able to cope with. ("up-arrow-return" solves the problem if interactive. Cron running a week later usually works)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
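The pattern the quoted reply describes, worked through as an added example that is not code from either poster: the signed production zone carries only a static CNAME for `_acme-challenge`, pointing into a separate zone that is the sole target of dynamic updates, and a certbot manual hook writes the TXT record there with nsupdate and then polls every NS of that zone before returning (point d above). The zone names `example.com` and `acme.example.com`, the TSIG key path, the primary address and the `ACME_ACTION` variable are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. certbot dns-01 hook that
# touches ONLY the dynamic-update zone; the signed zone stays static and holds:
#
#   ; in the signed zone example.com (never updated by nsupdate):
#   _acme-challenge.example.com. IN CNAME _acme-challenge.example.com.acme.example.com.
#
# Assumed (hypothetical): dynamic zone acme.example.com, TSIG key file
# /etc/acme/acme.key, primary at 127.0.0.1, BIND's dig and nsupdate on PATH.
# Usage:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "ACME_ACTION=add    /path/to/hook.sh" \
#     --manual-cleanup-hook "ACME_ACTION=delete /path/to/hook.sh" -d example.com

DYN_ZONE="${DYN_ZONE:-acme.example.com}"
PRIMARY="${PRIMARY:-127.0.0.1}"
KEYFILE="${KEYFILE:-/etc/acme/acme.key}"
TTL=60
WAIT_SECONDS="${WAIT_SECONDS:-120}"

# Owner name of the challenge TXT inside the dynamic zone for a certificate name.
challenge_name() {
    printf '_acme-challenge.%s.%s.' "$1" "$DYN_ZONE"
}

# Emit the nsupdate batch on stdout. $1 = add|delete, $2 = certificate name,
# $3 = validation token. "update delete NAME TXT" removes every TXT RR at NAME,
# which also clears stale tokens left by earlier failed runs (point c above).
build_update() {
    name=$(challenge_name "$2")
    printf 'server %s\n' "$PRIMARY"
    printf 'zone %s.\n' "$DYN_ZONE"
    if [ "$1" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3"
    else
        printf 'update delete %s TXT\n' "$name"
    fi
    printf 'send\n'
}

# Poll every authoritative NS of the dynamic zone until all of them serve the
# token, so certbot does not ask the CA to validate before secondaries caught up.
# Returns 1 on timeout.
wait_for_propagation() {
    name=$(challenge_name "$1"); token="$2"
    deadline=$(( $(date +%s) + WAIT_SECONDS ))
    servers=$(dig +short NS "$DYN_ZONE.")
    while :; do
        missing=0
        for ns in $servers; do
            dig +short @"$ns" TXT "$name" | grep -q "\"$token\"" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep 5
    done
}

# Only act when invoked by certbot, which exports CERTBOT_DOMAIN/CERTBOT_VALIDATION.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    action="${ACME_ACTION:-add}"
    build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$KEYFILE" || exit 1
    if [ "$action" = add ]; then
        wait_for_propagation "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
    fi
fi
```

The TSIG key used here should be granted update rights on `acme.example.com` only (an `update-policy` in that zone's definition), so a compromised hook host can never write into the signed zone; the CNAME in the signed zone is the only thing a validating resolver follows, which is exactly the dependency point a) warns about.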