.. Open Infrastructure: service-tools
.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program. If not, see <https://www.gnu.org/licenses/>.

===================
dehydrated-nsupdate
===================

---------------------------------------
dehydrated hook for dns-01 verification
---------------------------------------

:manual section: 1
:manual group: Open Infrastructure

Synopsis
========

| **dehydrated-nsupdate**


Description
===========

**dehydrated** is a client for ACME-based Certificate Authorities, such as
Let's Encrypt. It can be used to request and obtain TLS certificates from an
ACME-based certificate authority.

The **dehydrated-nsupdate** hook implements the dns-01 challenge: for each
domain it publishes the challenge response in a TXT record at
_acme-challenge.<domain> through a dynamic DNS update and removes the record
again once the challenge is over. It is typically run together with
**dehydrated-hook** as:

| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
| /etc/dehydrated/hook.d/clean_challenge.nsupdate

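
The following is an added illustration of what such a hook has to send; it is
not the project's own hook script. It builds the nsupdate(1) batch for the two
hook stages dehydrated calls with ``DOMAIN TOKEN_FILENAME TOKEN_VALUE``, signs
the update with a TSIG key when one is configured, and removes only the exact
TXT value it added. The variable names ``NSUPDATE``, ``NS_SERVER`` and the
function names are assumptions of this example; ``TSIG_KEYFILE`` and its default
follow the Files section below.

```shell
#!/bin/sh
# Added example, not the project's hook script: the nsupdate(1) batch a dns-01
# hook sends when dehydrated calls it as
#   hook deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# The variables below are assumptions of this example:
#   NSUPDATE      command the batch is piped into (default: nsupdate)
#   NS_SERVER     nameserver to send the update to; empty lets nsupdate use the
#                 primary named in the zone's SOA record
#   TSIG_KEYFILE  TSIG key file passed with -k; empty sends unsigned updates
NSUPDATE="${NSUPDATE:-nsupdate}"
NS_SERVER="${NS_SERVER:-}"
TSIG_KEYFILE="${TSIG_KEYFILE-/etc/dehydrated/tsig.key}"

# acme_txt_name DOMAIN: the record dns-01 validates. A leading "*." is dropped
# so a wildcard validates at its base name, and the trailing dot makes the
# name absolute so nsupdate never appends an origin to it.
acme_txt_name() {
    d="${1#\*.}"
    printf '_acme-challenge.%s.\n' "${d%.}"
}

# nsupdate_batch ACTION DOMAIN TOKEN_VALUE [TTL]: print an nsupdate batch.
# ACTION is "add" or "delete". The token is the base64url digest the ACME
# server expects; anything else is refused so it cannot break out of the
# quoted TXT rdata. The delete names the exact value, so a second challenge
# on the same name (a wildcard and its base name in one certificate) survives.
nsupdate_batch() {
    action="$1" domain="$2" token="$3" ttl="${4:-60}"
    case "$token" in
        ''|*[!A-Za-z0-9_-]*)
            printf 'nsupdate_batch: token is not base64url\n' >&2
            return 1 ;;
    esac
    name="$(acme_txt_name "$domain")"
    if [ -n "$NS_SERVER" ]; then
        printf 'server %s\n' "$NS_SERVER"
    fi
    case "$action" in
        add)    printf 'update add %s %s IN TXT "%s"\n' "$name" "$ttl" "$token" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$token" ;;
        *)      printf 'nsupdate_batch: unknown action: %s\n' "$action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# send_update ACTION DOMAIN TOKEN_VALUE: build the batch first (so a refused
# token fails the hook instead of being hidden behind the pipe), then pipe it
# into nsupdate, signed with the TSIG key when one is configured.
send_update() {
    batch="$(nsupdate_batch "$@")" || return 1
    if [ -n "$TSIG_KEYFILE" ]; then
        printf '%s\n' "$batch" | "$NSUPDATE" -k "$TSIG_KEYFILE"
    else
        printf '%s\n' "$batch" | "$NSUPDATE"
    fi
}

# hook_main STAGE [ARGS...]: dehydrated's hook entry point. dehydrated calls
# the hook for other stages as well (deploy_cert, exit_hook, ...); those are
# ignored here and exit 0.
hook_main() {
    stage="$1"
    shift
    case "$stage" in
        deploy_challenge) send_update add    "$1" "$3" ;;
        clean_challenge)  send_update delete "$1" "$3" ;;
        *) : ;;
    esac
}

if [ "$#" -gt 0 ]; then
    hook_main "$@"
fi
```

Setting ``NSUPDATE=cat`` prints the batch instead of sending it, which is a
convenient way to see exactly which name, TTL and value would be published
before pointing the hook at a live nameserver.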

Features
========

**dehydrated-nsupdate** has the following features:

| **automatic nameserver detection**
| **dehydrated-nsupdate** automatically finds and updates all authoritative
| nameservers for a given record by looking up the records in the DNS by itself.

| **proper CNAME support**
| **dehydrated-nsupdate** follows CNAMEs, so the creation of the TXT record can
| be delegated to another zone.

| **handling nameserver subzone shortcuts**
| **dehydrated-nsupdate** correctly handles nameservers that are authoritative
| for several nested zones and answer for a subzone directly instead of
| returning a referral to it.

| **TSIG support**
| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
| itself to the nameserver.

| **proper removal of TXT records**
| **dehydrated-nsupdate** removes the records after successful verification.

| **bind9-dnsutils and knot-dnsutils support**
| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot),
| including support for kdig's out-of-tree JSON output.

| **IDN handling**
| **dehydrated-nsupdate** works with IDN domains by passing punycode names
| through unchanged rather than converting them to Unicode.


Files
=====

The following files are used:

/etc/dehydrated/tsig.key:
    default location for the TSIG key to be used. The key authorizes dynamic
    updates against the nameserver, so the file should be readable only by the
    user running dehydrated.

/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*:
    configuration file, currently only used for the TSIG_KEYFILE variable
    pointing to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).

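
As an added illustration, not part of the project's files, the fragment below
shows a key file in the format nsupdate accepts with ``-k`` together with a
BIND 9 update-policy that limits that key to TXT records in one zone, so a
compromised host running the hook cannot rewrite A, MX or NS records. It
assumes BIND 9 as the nameserver; the key name ``acme-update``, the zone
``example.com`` and the file paths are placeholders, and the secret is to be
replaced by the output of ``tsig-keygen -a hmac-sha256 acme-update``.

```conf
# /etc/dehydrated/tsig.key  (mode 0600, owned by the user running dehydrated)
# Placeholder key; generate the real statement with:
#   tsig-keygen -a hmac-sha256 acme-update
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

# named.conf on the primary: the same key statement must be known to named,
# e.g. via  include "/etc/bind/acme-update.key";  and the zone grants it
# nothing but TXT records below (and at) the zone apex.
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.zone";
    update-policy {
        grant acme-update subdomain example.com. TXT;
    };
};
```

The ``subdomain ... TXT`` grant is still broader than the hook needs, since it
also covers TXT records such as SPF or DKIM at other names in the zone; where
the zone layout is fixed, BIND's ``name`` and ``wildcard`` rule types can
narrow it to the _acme-challenge names actually used.
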

See also
========

| dehydrated(1),
| dehydrated-cron(1),
| dehydrated-hook(1).

Homepage
========

More information about service-tools and the Open Infrastructure project can be
found on the homepage (https://open-infrastructure.net).

Contact
=======

Bug reports, feature requests, help, patches, support and everything else are
welcome on the Open Infrastructure Software Mailing List
<software@lists.open-infrastructure.net>.

Debian specific bugs can also be reported in the Debian Bug Tracking System
(https://bugs.debian.org).

Authors
=======

service-tools were written by Daniel Baumann
<daniel.baumann@open-infrastructure.net> and others.