summaryrefslogtreecommitdiffstats
path: root/dehydrated/share/man/dehydrated-nsupdate.1.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2022-06-14 11:48:44 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2022-06-14 12:00:04 +0000
commitd252334934fb9f2ef0c6195f807d8fa78b4410eb (patch)
treed39927e699cef304bb6f8669d1989f4f407aa6cc /dehydrated/share/man/dehydrated-nsupdate.1.rst
parentAdding upstream version 20220609. (diff)
downloadopen-infrastructure-service-tools-d252334934fb9f2ef0c6195f807d8fa78b4410eb.tar.xz
open-infrastructure-service-tools-d252334934fb9f2ef0c6195f807d8fa78b4410eb.zip
Adding upstream version 20220614.upstream/20220614
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dehydrated/share/man/dehydrated-nsupdate.1.rst')
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst127
1 files changed, 88 insertions, 39 deletions
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
index db58d5c..059a269 100644
--- a/dehydrated/share/man/dehydrated-nsupdate.1.rst
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -36,15 +36,12 @@ Synopsis
Description
===========
-**dehydrated** is a client for ACME-based Certificate Authorities, such as
-LetsEncrypt. It can be used to request and obtain TLS certificates from an
-ACME-based certificate authority.
+**dehydrated** is a client for ACME-based Certificate Authorities, such as LetsEncrypt. It can be used to request and obtain TLS certificates from an ACME-based certificate authority.
-The **dehydrated-nsupdate** hook implements the dns-01 verification. It is
-typically run together with **dehydrated-hook** as:
+The **dehydrated-nsupdate** hook implements the dns-01 verification. It is typically run together with **dehydrated-hook** as:
+|
| /etc/dehydrated/hook.d/deploy_challenge.nsupdate
-
| /etc/dehydrated/hook.d/clean_challenge.nsupdate
Features
@@ -52,32 +49,87 @@ Features
**dehydrated-nsupdate** has the following features:
-| **automatic nameserver detection**
-| **dehydrated-nsupdate** automatically finds and updates all authoritative
-| nameservers for a given record by looking up the records in the DNS by itself,
-| supporting IPv6-only, IPv4-only, and dual-stacked environments.
+Automatic nameserver detection (IPv4 and IPv6)
+----------------------------------------------
+
+dehydrated-nsupdate automatically finds and updates all authoritative nameservers for a given record by looking up the records in the DNS by itself, supporting IPv6-only, IPv4-only, and dual-stacked environments.
+
+Proper CNAME support
+--------------------
+
+dehydrated-nsupdate follows CNAMEs delegating the TXT record update to another zone.
+
+Handling nameserver subzone shortcuts
+-------------------------------------
+
+dehydrated-nsupdate correctly handles authoritative nameserver answers that (wrongly) give shortcut answers for their own zones when using multiple authoritative subzones on the same nameservers.
+
+TSIG support
+------------
-| **proper CNAME support**
-| **dehydrated-nsupdate** follows CNAMEs delegating the TXT record creation to
-| another zone.
+dehydrated-nsupdate uses TSIG, if provided, to authenticate itself to the nameserver. Additionally to a global TSIG to be used for all record updates, separate TSIGs can individually be specified per record, per zone, and per nameserver.
-| **handling nameserver subzone shortcuts**
-| **dehydrated-nsupdate** correctly handles authoritative nameserver
-| answers that give shortcut answers for their own zones when using
-| multiple subzones.
+Proper removal of TXT records
+-----------------------------
-| **TSIG support**
-| **dehydrated-nsupdate** uses TSIG, if provided, to authenticate
-| itself to the nameserver.
+dehydrated-nsupdate removes records after succesfull verification.
+
+bind9-dnsutils and knot-dnsutils support
+----------------------------------------
+
+dehydrated-nsupdate works with both nsupdate (bind9) and knsupdate (knot).
+
+IDN handling
+------------
+
+dehydrated-nsupdate works with IDN domains by not expanding the punycode to update the correct records.
+
+Usage
+=====
-| **proper removal of TXT records**
-| **dehydrated-nsupdate** removes records after succesfull verification.
+dehydrated-hook(1) is a prerequisite for dehydrated-nsupdate.
-| **bind9-dnsutils and knot-dnsutils support*
-| **dehydrated-nsupdate** works with both nsupdate (bind9) and knsupdate (knot).
+Installation
+------------
-| **IDN handling**
-| **dehydrated-nsupdate** works with IDN domains by not expanding the punycode.
+| sudo echo CHALLENGETYPE="dns-01" > /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo ln -s /usr/bin/dehydrated-nsupdate /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Removal
+-------
+
+| sudo rm -f /etc/dehydrated/conf.d/zz-challengetype.sh
+| sudo rm -f /etc/dehydrated/hook.d/deploy_challenge.nsupdate
+| sudo rm -f /etc/dehydrated/hook.d/clean_challenge.nsupdate
+
+Configuration
+=============
+
+Depending on the nameserver requirements, dehydrated-nsupdate can send record updates either unauthenticated or using a TSIG (recommended).
+
+A TSIG file consists of one single line containing the key (nsupdate/knsupdate do not allow comments), e.g.:
+
+|
+| hmac-sha512:example:/LXPy6U8HAWA+QmvulZWm0owsQgNf8qJ5MNLTvirzvVtDb+PzLKoBmVHjnL6TUffkvRYa7Do448dSIrAuJ1G/A==
+
+Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver.
+
+The lookup hierarchy is the following (earliest match wins):
+
+|
+| /etc/dehydrated/tsig/${record}.key
+| /etc/dehydrated/tsig/${zone}.key
+| /etc/dehydrated/tsig/${nameserver}.key
+| /etc/dehydrated/tsig.key
+|
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate/*
+| TSIG_KEYFILE variable in /etc/default/dehydrated-nsupdate
+
+In order to explicitly not use a TSIG for a specific record, zone, or nameserver, an empty keyfile or a keyfile with only comments can be used, e.g.:
+
+|
+| echo "# disabled" > /etc/dehydrated/tsig/ns1.example.org.key
Files
=====
@@ -85,11 +137,13 @@ Files
The following files are used:
/etc/dehydrated/tsig.key:
- default location for the TSIG key to be used.
+ default location for global TSIG key to be used.
+
+/etc/dehydrated/tsig/${record}.key, /etc/dehydrated/tsig/${zone}.key, /etc/dehydrated/tsig/${nameserver}.key:
+ default locations for specific TSIG keys to be used individually per record, zone, or nameserver.
-/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/*:
- configuration file, currently only used for TSIG_KEYFILE variable pointing
- to the tsig.key file to be used (default: /etc/dehydrated/tsig.key).
+/etc/default/dehydrated-nsupdate, /etc/default/dehydrated-nsupdate.d/\*:
+ configuration file, currently only used for TSIG_KEYFILE variable pointing to the location of the global TSIG key to be used (default: /etc/dehydrated/tsig.key).
See also
========
@@ -101,21 +155,16 @@ See also
Homepage
========
-More information about service-tools and the Open Infrastructure project can be
-found on the homepage (https://open-infrastructure.net).
+More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
Contact
=======
-Bug reports, feature requests, help, patches, support and everything else are
-welcome on the Open Infrastructure Software Mailing List
-<software@lists.open-infrastructure.net>.
+Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List <software@lists.open-infrastructure.net>.
-Debian specific bugs can also be reported in the Debian Bug Tracking System
-(https://bugs.debian.org).
+Debian specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).
Authors
=======
-service-tools were written by Daniel Baumann
-<daniel.baumann@open-infrastructure.net> and others.
+service-tools were written by Daniel Baumann <daniel.baumann@open-infrastructure.net> and others.