Diffstat (limited to 'lfacme-kerberos.7.in')
| -rw-r--r-- | lfacme-kerberos.7.in | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in index b3afd0c..8b9f85e 100644 --- a/lfacme-kerberos.7.in +++ b/lfacme-kerberos.7.in @@ -66,6 +66,32 @@ This must contain a key for the principal configured by The default value is .Pa /etc/krb5.keytab . .El +.Sh DNS SERVER CONFIGURATION +For +.Nm +to work, the DNS server must be configured to accept Kerberos-authenticated +Dynamic DNS updates. +Using ISC BIND, this can be achieved using a zone update-policy. +For example, to allow any host in the +.Dq EXAMPLE.ORG +Kerberos realm to issue certificates for its own hostname +(and subdomains thereof): +.Bd -literal -offset indent +update-policy { + grant EXAMPLE.ORG krb5-selfsub . TXT; +}; +.Ed +.Pp +Or to allow a specific host to issue certificates for a different DNS label: +.Bd -literal -offset indent +update-policy { + grant "host/server.example.org@EXAMPLE.ORG" + name _acme-challenge.www.example.org. TXT; +}; +.Ed +.Pp +Suitable configuration for other DNS servers (e.g., the Microsoft Windows +DNS server) is left as an exercise for the reader. .Sh SEE ALSO .Xr acme.conf 5 , .Xr domains.conf 5 , |
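Review bot: The new DNS SERVER CONFIGURATION section opens by saying the server "must be configured to accept Kerberos-authenticated Dynamic DNS updates" but then only shows the authorization half (update-policy), so a reader following it verbatim will still get updates rejected: named also has to be able to authenticate GSS-TSIG requests, which in BIND means a DNS/<nameserver-fqdn>@EXAMPLE.ORG principal in a keytab named in options via `tkey-gssapi-keytab "/etc/named.keytab";` and, for any remote client, the reverse must hold on the client side per the keytab paragraph that precedes this hunk. One sentence and that option line would close the gap. Two smaller documentation points on the same hunk: the two `update-policy` snippets are shown bare, but they are only valid inside the `zone "example.org" { ... };` block for the zone that holds the `_acme-challenge` names (and cannot coexist with `allow-update` there), so either wrap each example in its zone statement or say so in the introductory sentence; and the closing "left as an exercise for the reader" gives an administrator of another server nothing to go on, so it would be more useful to state the requirement generically (the update must be a GSS-TSIG-signed dynamic update and the named host principal must be allowed to write the TXT record at `_acme-challenge.<name>`) rather than the joke. The least-privilege framing of the examples themselves is good: both restrict to TXT, and the `name` rule pins a single principal to a single owner name.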
