[Pdns-users] Signing one entry with pdnsutil

Brian Candler b.candler at pobox.com
Fri Jul 12 14:52:05 UTC 2024


On 12/07/2024 15:38, Brian Candler via Pdns-users wrote:
>
> Just to clarify: there is no "public key" involved in Letsencrypt. 
> It's just a random challenge, and it's just a TXT record. So all you 
> need to learn is how to add a TXT record to your zone - and then 
> remove it afterwards.
>
> According to docs 
> <https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html> I 
> believe this will be:
>
> pdnsutil replace-rrset <ZONE> _acme-challenge TXT "blah blah blah"
>
> pdnsutil delete-rrset <ZONE> _acme-challenge TXT
>
Actually I need to clarify further.

I think that document might be talking about some PDNS Manager magic: a 
key which allows that particular TXT record to be updated with the 
challenge when it comes to certificate issuance time.

So these instructions make sense if you're using PDNS Manager: but you 
say that you're not, so they are irrelevant.

You must be using some software for issuing Letsencrypt certificates 
(e.g. certbot, dehydrated, acme.sh). At some point it will give you a 
challenge that you need to put in the DNS. You could do that manually 
with pdnsutil, but more commonly you'd use an API hookup to your 
powerdns server so that the software can do it automatically (because 
you don't want to be doing manual challenge updates every 90 days).
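As an added illustration of the "API hookup" approach described above (this script is not from the thread or from the PowerDNS project), here is a certbot manual-auth/cleanup hook that publishes and removes the _acme-challenge TXT record with the same pdnsutil replace-rrset / delete-rrset calls quoted earlier. It assumes pdnsutil runs on the host where certbot runs, that certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks, and that the PDNSUTIL variable may be overridden (here only so the logic can be exercised without a live server).

```shell
#!/bin/sh
# Added example (not from the thread): certbot manual hook driving pdnsutil.
# Assumed invocation, with certbot exporting CERTBOT_DOMAIN / CERTBOT_VALIDATION:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "$0 add" --manual-cleanup-hook "$0 del" -d www.example.org
set -eu
PDNSUTIL="${PDNSUTIL:-pdnsutil}"   # overridable so the functions can be tested offline

# zone_for FQDN: longest suffix of FQDN that "pdnsutil list-all-zones" reports,
# so the challenge for www.example.org is written into the example.org zone.
zone_for() {
  name="$1"
  zones="$("$PDNSUTIL" list-all-zones)"
  while [ -n "$name" ]; do
    if printf '%s\n' "$zones" | grep -Fqx "$name"; then printf '%s\n' "$name"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
  echo "no PowerDNS zone found for $1" >&2; return 1
}

# challenge_label FQDN ZONE: pdnsutil takes the owner name relative to the zone.
challenge_label() {
  if [ "$1" = "$2" ]; then printf '_acme-challenge\n'
  else printf '_acme-challenge.%s\n' "${1%.$2}"; fi
}

# valid_token TOKEN: the ACME DNS-01 value is base64url, so anything outside
# [A-Za-z0-9_-] is rejected before it is placed on the pdnsutil command line.
valid_token() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,128}$'; }

# publish_challenge FQDN TOKEN: TXT content must be quoted, as in the quoted
# commands above; increase-serial bumps the SOA serial so secondaries notice
# (assumed necessary here, harmless if the backend already did it).
publish_challenge() {
  valid_token "$2" || { echo "refusing malformed challenge token" >&2; return 1; }
  zone="$(zone_for "$1")" || return 1
  "$PDNSUTIL" replace-rrset "$zone" "$(challenge_label "$1" "$zone")" TXT 60 "\"$2\""
  "$PDNSUTIL" increase-serial "$zone"
}

# remove_challenge FQDN: drop the whole TXT set again once validation is done.
remove_challenge() {
  zone="$(zone_for "$1")" || return 1
  "$PDNSUTIL" delete-rrset "$zone" "$(challenge_label "$1" "$zone")" TXT
  "$PDNSUTIL" increase-serial "$zone"
}

case "${1:-}" in
  add) publish_challenge "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
  del) remove_challenge "$CERTBOT_DOMAIN" ;;
esac
```

The record is published with a short TTL and removed by the cleanup hook, so the challenge never lingers in the zone.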