
I want to issue a wildcard certificate for a specific domain. We have two DNS servers (bind9): one master, one slave.

When I do an RFC 2136 challenge, which I configured correctly on the master DNS, the cryptic string is in a TXT record at _acme-challenge.domain.com, but the problem is that the challenge (sometimes) queries the slave DNS, where the entry is not synced yet.

I know I could open an SSH tunnel from the server running certbot to the DNS server and run an rndc reload (here I also don't know whether the serial is changed by the challenge plugin, or whether there is a hook for doing that before the challenge is submitted to the CA).

My question: can I configure a bind9 master to push stuff to all its slaves upon change?

reencode
  • "but the problem is that the challenge (sometimes) queries the slave DNS, where the entry is not synced yet." Then you have a problem between your master and slave. You do not show configuration. Are you using NOTIFY? Changes in the master should appear almost immediately in the slaves, especially if you control them all. You should work on that first, then the other issue will resolve itself immediately. It is NORMAL and EXPECTED to have DNS queries be split over ALL nameservers. The DNS is NOT: query "master" (outside can't know which is master anyway), then slave. It is always both. – Patrick Mevzek Jan 23 '20 at 15:17
  • "Can I configure a bind9 master to push stuff to all its slaves upon change?" This is exactly what NOTIFY is about (even if it just signals the slaves, aka the secondaries, that they have work to do, aka loading a new zone version). Have a look at https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.ch04.html#notify. Also make sure to enable IXFR. – Patrick Mevzek Jan 23 '20 at 15:19
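To make the NOTIFY/IXFR setup from the comments concrete, here is an added named.conf example for both servers. It is not the asker's configuration and not from the BIND or certbot projects; the TSIG key name `certbot-acme`, the zone file paths and the addresses 192.0.2.53 (secondary) and 198.51.100.53 (primary) are placeholders chosen for illustration. BIND increments the SOA serial itself on every accepted RFC 2136 dynamic update and then sends NOTIFY to the zone's nameservers, so no ssh tunnel or manual `rndc reload` is needed; the `update-policy` below also limits what the certbot key may change to the single challenge name.

```conf
// Added example; placeholder names and addresses, not values from the question.

// ---------- primary (master) ----------
key "certbot-acme" {                 // placeholder TSIG key used by certbot's dns-rfc2136 plugin
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

options {
    // ...
    notify yes;          // default: send NOTIFY to the zone's NS records after every change
    provide-ixfr yes;    // default: offer incremental zone transfers to secondaries
};

zone "domain.com" IN {
    type master;
    file "/var/lib/bind/db.domain.com";
    // Least privilege: the certbot key may only touch the TXT challenge record.
    update-policy {
        grant certbot-acme name _acme-challenge.domain.com. TXT;
    };
    allow-transfer { 192.0.2.53; };  // placeholder secondary; refuse AXFR/IXFR to everyone else
    also-notify { 192.0.2.53; };     // only needed if the secondary is not an NS record of the zone
};

// ---------- secondary (slave) ----------
zone "domain.com" IN {
    type slave;
    file "/var/lib/bind/db.domain.com.slave";
    masters { 198.51.100.53; };      // placeholder primary
    request-ixfr yes;                // default: fetch only the changed records after a NOTIFY
};
```

To confirm propagation after a certbot run, compare the SOA serial returned by each server (`dig @192.0.2.53 domain.com SOA +short` against the primary) and check that `_acme-challenge.domain.com TXT` resolves on both before the CA is asked to validate; certbot's `--dns-rfc2136-propagation-seconds` option sets how long the plugin waits before triggering validation, which covers the short window between the update and the secondary's transfer.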

0 Answers