
I have a question to ask you: I am creating a script to use with certbot for the renewal of certificates via DNS. Everything works correctly on the same machine where BIND is also running (this machine is experimental).

Since the automation tests had a good result, it's time to move to production. The problem (which I hadn't thought about before) is that the DNS server (BIND) is on another dedicated machine, while the other machines using certbot for renewals are on others, but all communicate over a second private network (not public).

How can I make my script, which simply adds a TXT record to the DNS zone, then performs a BIND reload, verifies the propagation, deletes the created TXT record and finally does a reload again, send these instructions securely to the DNS machine?

I obviously thought of SSH, but I have no idea how to secure the credentials that would still remain on the machines running certbot.

I also thought of keeping all the certificates on the DNS machine (not very secure) to solve the problem... But anyway, once the certificates have been renewed/generated I will have to send them to the various machines via SCP or similar, still having to keep the credentials.

P.S. OS: Debian.

I hope for your cooperation. A big greeting, MrTaik!

MrTaik
  • https://certbot-dns-rfc2136.readthedocs.io/en/stable/ – Michael Hampton Jan 28 '21 at 15:02
  • Thanks for the answer, I knew about this certbot extension, but I wanted to create my own script, also as an experiment. Is there a way to do what I would like to do? It definitely won't be applied to DNS updates only. Thanks again – MrTaik Jan 28 '21 at 15:05
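
As an added example (not the asker's script and not the certbot-dns-rfc2136 plugin's code), here is the approach the comment points at, done by hand: the certbot hosts send the TXT add/delete to the remote BIND as RFC 2136 dynamic updates signed with a TSIG key, so what sits on each certbot machine is a key whose `update-policy` grant covers only the `_acme-challenge` TXT name, not an SSH login to the DNS server. The key name, zone, server address and key file path are assumed placeholders.

```shell
#!/bin/sh
# certbot --manual-auth-hook / --manual-cleanup-hook for DNS-01 against a
# remote BIND over RFC 2136 (nsupdate + TSIG). Assumed placeholders: the
# key name, the zone, and the DNS server's private-network address.
#
# On the BIND host (assumed named.conf fragment) the key may touch only
# the challenge TXT name and nothing else in the zone:
#   key "certbot-key" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "example.com" { type master; file "example.com.db";
#     update-policy { grant certbot-key name _acme-challenge.example.com. TXT; };
#   };
DNS_SERVER="${DNS_SERVER:-10.0.0.53}"   # BIND, reachable on the private network
ZONE="${ZONE:-example.com}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/certbot/certbot-key.conf}"  # root-only, mode 0600

# The record name the ACME server queries for a given domain.
acme_name() { printf '_acme-challenge.%s.' "$1"; }

# Emit an nsupdate batch that adds or deletes the challenge TXT record.
# $1 = add|delete, $2 = domain, $3 = validation token (unused on delete).
build_update() {
    name=$(acme_name "$2")
    printf 'server %s\nzone %s.\n' "$DNS_SERVER" "$ZONE"
    case "$1" in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$3" ;;
        delete) printf 'update delete %s TXT\n' "$name" ;;
        *)      echo "build_update: bad action '$1'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Push the batch to BIND; nsupdate signs it, the secret stays in the key file.
send_update() { build_update "$@" | nsupdate -k "$TSIG_KEYFILE"; }

# Poll the authoritative server until the token is visible (up to ~60 s).
wait_for_txt() {
    i=0
    while [ "$i" -lt 30 ]; do
        dig +short @"$DNS_SERVER" TXT "$(acme_name "$1")" | grep -qF "\"$2\"" && return 0
        i=$((i + 1)); sleep 2
    done
    echo "TXT record for $1 not visible at $DNS_SERVER" >&2; return 1
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
case "${1:-}" in
    auth)    send_update add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" && wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    cleanup) send_update delete "$CERTBOT_DOMAIN" ;;
esac
```

Invoke it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/hook.sh auth' --manual-cleanup-hook '/path/hook.sh cleanup'`. Because the change is a dynamic update, BIND journals it immediately and the separate reload step in the original plan is no longer needed.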