summaryrefslogtreecommitdiffstats
path: root/dehydrated/share/man/dehydrated-nsupdate.1.rst
blob: f1a8c4ad12ffa9da358e670c59e0e4ca25eff4a9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
.. Open Infrastructure: service-tools

.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program.  If not, see <https://www.gnu.org/licenses/>.

===================
dehydrated-nsupdate
===================

---------------------------------------
dehydrated hook for dns-01 verification
---------------------------------------

:manual section: 1
:manual group: Open Infrastructure

Synopsis
========

| **dehydrated-nsupdate**

Description
===========

**dehydrated** is a client for ACME-based Certificate Authorities, such as
LetsEncrypt. It can be used to request and obtain TLS certificates from an
ACME-based certificate authority.

The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
typically run together with **dehydrated-hook** as:

| /etc/dehydrated/hook.d/deploy_challenge.nsupdate

| /etc/dehydrated/hook.d/clean_challenge.nsupdate

Features
========

**dehydrated-nsupdate** has the following features:

| **automatic nameserver detection**
| **dehydrated-nsupdate** automatically finds and updates all authoritative
| nameservers for a given record by looking up the records in the DNS by itself.

| **proper CNAME support**
| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
| another zone.

| **handling nameserver subzone shortcuts**
| **dehydrated-nsupdate** correctly handles authoritative nameserver
| answers that give shortcut answers for their own zones when using
| multiple subzones.

| **TSIG support**
| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
| itself to the nameserver.

| **proper removal of TXT records**
| **dehydrated-nsupdate** removes records after succesfull verification.

| **bind9-dnsutils and knot-dnsutils support*
| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot),
| including support for kdigs out-of-tree json output.

| **IDN handling**
| **dehydrated-nsupdate** works with IDN domains by not expanding the punycode.

Files
=====

The following files are used:

/etc/dehydrated/tsig.key:
  default location for the TSIG key to be used.

/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
  configuration file, currently only used for TSIG_KEYFILE variable pointing
  to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).

See also
========

| dehydrated(1),
| dehydrated-cron(1),
| dehydrated-hook(1).

Homepage
========

More information about service-tools and the Open Infrastructure project can be
found on the homepage (https://open-infrastructure.net).

Contact
=======

Bug reports, feature requests, help, patches, support and everything else are
welcome on the Open Infrastructure Software Mailing List
<software@lists.open-infrastructure.net>.

Debian specific bugs can also be reported in the Debian Bug Tracking System
(https://bugs.debian.org).

Authors
=======

service-tools were written by Daniel Baumann
<daniel.baumann@open-infrastructure.net> and others.