I'm running a bind9
(9.9.5) DNS-server (on Debian/jessie).
I have configured one zone to allow dynamic updates, and would like to add TXT
records for specific hosts within that zone.
Here's a sample setup (named.conf)
zone "example.com" {
type master;
notify yes;
allow-update { key secret-key; };
file "/etc/bind/db.example.com";
};
And the accompanying db.example.com file:
$ORIGIN .
$TTL 604800 ; 1 week
example.com IN SOA dns.example.com root.example.com. (
1 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.example.org.
NS dns1.example.org.
NS dns2.example.org.
$ORIGIN example.com.
* MX 10 mail.example.com.
mail A 127.0.0.1
http A 127.0.1.1
Using my secret-key, I can dynamically add a new record directly in that zone (e.g. create a TXT record for _acme-challenge.example.com).
However, what I really want to do is add subdomain records for hosts within the zone. E.g. in the zone example.com, there is an A record mail.example.com, and I would like to dynamically add a TXT record for _acme-challenge.mail.example.com.
Unfortunately, my nameserver doesn't like this and refuses to work with it:
secret-key: updating zone 'example.com/IN': update failed: not authoritative for update zone (NOTAUTH)
I can add that record manually into the db-file, and it works fine.
_acme-challenge.mail TXT "secretstring"
However, I would like to automate this (given that this is part of deploying Let's Encrypt certificates via the DNS-01 challenge), so manually setting the records is not an option.
Any ideas what is going wrong and how I can update my TXT-records automatically?
Update: the script
The actual update is implemented with python-dnspython, and looks like:
import dns.query
import dns.update

# zone name passed to Update(); the "..." stands for the TSIG keyring/keyname arguments
update = dns.update.Update("mail.example.com", ...)
update.add("_acme-challenge", 500, "TXT", token)  # owner relative to that zone, TTL 500
response = dns.query.udp(update, name_server_ip)