| field | value | date |
|---|---|---|
| author | Lexi Winter <ivy@FreeBSD.org> | 2025-06-03 11:38:48 +0100 |
| committer | Lexi Winter <ivy@FreeBSD.org> | 2025-06-03 11:38:48 +0100 |
| commit | 1a74f6c55b3c390384dbf603d88bfcedc11c05ff (patch) | |
| tree | 14e51c1e9b6b1547c942e81fc440ca9d9f4eaa62 | |
| parent | ba8bd05587226270b2cd6d2355c37f8857d29815 (diff) | |
| download | lfacme-1a74f6c55b3c390384dbf603d88bfcedc11c05ff.tar.gz, lfacme-1a74f6c55b3c390384dbf603d88bfcedc11c05ff.tar.bz2 | |
README: mention tkey-gssapi-keytab
| -rw-r--r-- | README | 16 |
1 files changed, 13 insertions, 3 deletions
@@ -67,10 +67,20 @@ BIND + Kerberos configuration ----------------------------- if you want to use the default (and only) Kerberos dns-01 challenge, you must -configure your DNS server to accept Kerberos-authenticated nsupdates. +configure your DNS server to accept Kerberos-authenticated dynamic updates. -in BIND, an update policy like this will allow any host to update ACME -challenges for its own hostname: +first, tell BIND where to load its Kerberos keytab from: + +options { + tkey-gssapi-keytab "/usr/local/etc/namedb/krb5.keytab"; +}; + +the keytab MUST contain a server key for "DNS/name.of.server@<realm>", where +"name.of.server" MUST be the SOA MNAME for the zone(s) you want to update. +this is not configurable, it's a requirement of how the protocol works. + +an update policy like this will allow any host to update ACME challenges for +its own hostname: update-policy { # note: "EXAMPLE.ORG" is the Kerberos realm, not the DNS zone! |
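Review bot: the new paragraph states the principal requirement ("DNS/name.of.server@<realm>", with "name.of.server" being the SOA MNAME) but uses a different placeholder convention from the update-policy example that follows, which writes the realm as the literal "EXAMPLE.ORG"; suggest using one convention in both places, e.g. `DNS/name.of.server@EXAMPLE.ORG` with the same "this is the Kerberos realm, not the DNS zone" remark, so readers do not fill in the zone name. Since this keytab holds a server key, the README should also say that `/usr/local/etc/namedb/krb5.keytab` is only an example path (the FreeBSD namedb layout) and that the file must be readable by the user BIND runs as and by nobody else; the hunk currently documents neither. Minor wording: "this is not configurable, it's a requirement of how the protocol works" reads better as "this is not configurable; it is a requirement of how the protocol works".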
