[Pdns-users] Problems with powerdns and acme.sh and dns_pdns
Frank Altpeter
frank.altpeter at gmail.com
Wed Apr 15 10:57:56 UTC 2026
Hi there,
I'm currently struggling with the configuration of running acme.sh against
a powerdns with dns_pdns on DNSSEC-enabled zones.
First of all: Yes, I know that my dns server is quite old (4.4.1) but for
reasons beyond my control I can't upgrade that one at the moment. It's on
the TODO but requires some other (non-technical) steps for it.
However... the powerdns is configured to serve my domain with DNSSEC, so it
is configured with the following metadata items:
Metadata items:
SOA-EDIT INCEPTION-INCREMENT
SOA-EDIT-API INCREASE
Normal operation works fine. The secondary dns gets the zone without
problems and manual updates to the zone transfer as expected.
When I run acme.sh to renew a certificate within this zone, the API
connection via dns_pdns works fine, the acme challenge gets inserted into
the zone, but the serial is not increased and therefore the secondary does
not get the notification to fetch the added acme challenge records, and so
the validation from the letsencrypt servers fails.
So... is there any idea what I should test to fix this?
Any pointer (besides "upgrade your pdns") is welcome :-)

p-dns:~ # pdnsutil show-zone domain.net
This is a Master zone
Last SOA serial number we notified: 2026020626 == 2026020626 (serial in the database)
Metadata items:
    SOA-EDIT INCEPTION-INCREMENT
    SOA-EDIT-API INCREASE
Zone has NSEC semantics

s-dns:~ # pdnsutil show-zone domain.net
This is a Slave zone
Masters: 1.2.3.4:53 [1:2:3:4]:53
Last time we got update from master: Wed 2026-04-15 12:37:26
SOA serial in database: 2026040901
Refresh interval: 28800 seconds
Metadata items:
    PRESIGNED 1
Zone is presigned
Zone has NSEC semantics

# dig +short @p-dns.domain.net domain.net soa
p-dns.domain.net. hostmaster.domain.net. 2026040901 28800 3600 604800 86400

# dig +short @p-dns.domain.net domain.net soa
p-dns.domain.net. hostmaster.domain.net. 2026040901 28800 3600 604800 86400

Regards
Frank
--
FA-RIPE || https://linktr.ee/frank42
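
Added example, not part of the original post and not PowerDNS code: a simplified Python model of how SOA-EDIT INCEPTION-INCREMENT and SOA-EDIT-API INCREASE combine, following the rules as the PowerDNS documentation describes them. It assumes 4.4.1 behaves as documented and that inception is the most recent Thursday 00:00 UTC; function names are hypothetical and the serials are the ones quoted in the post.

```python
from datetime import datetime, timedelta, timezone

WEEK = 7 * 86400


def inception(now):
    """Most recent Thursday 00:00 UTC (the Unix epoch started on a Thursday)."""
    ts = int(now.timestamp())
    return datetime.fromtimestamp(ts - ts % WEEK, tz=timezone.utc)


def yyyymmddss(day, ss):
    """Build a YYYYMMDDSS serial from a date and a two-digit counter."""
    return int(day.strftime("%Y%m%d")) * 100 + ss


def served_serial(db_serial, now):
    """Serial the primary answers with under SOA-EDIT INCEPTION-INCREMENT.

    Documented rule (simplified): a database serial within two days after
    inception is served as db_serial + 2; otherwise the served serial is
    max(db_serial, <inception day>01).
    """
    inc = inception(now)
    window_start = yyyymmddss(inc, 0)
    window_end = yyyymmddss(inc + timedelta(days=2), 99)
    if window_start <= db_serial <= window_end:
        return db_serial + 2
    return max(db_serial, yyyymmddss(inc, 1))


def api_edit_visible(db_serial, now):
    """True if SOA-EDIT-API INCREASE (database serial + 1, assumed) changes
    the served serial, which is what a secondary compares on refresh."""
    return served_serial(db_serial + 1, now) != served_serial(db_serial, now)


if __name__ == "__main__":
    # Timestamp and database serial taken from the post.
    now = datetime(2026, 4, 15, 10, 57, 56, tzinfo=timezone.utc)
    db = 2026020626
    print("served before API edit:", served_serial(db, now))
    print("served after API edit: ", served_serial(db + 1, now))
    print("change visible to secondary:", api_edit_visible(db, now))
```

In this model the database serial 2026020626 is served as 2026040901, the value both dig queries return, and stays there after a +1.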