.\" This source code is released into the public domain.
.Dd June 4, 2025
.Dt LFACME-KERBEROS 5
.Os
.Sh NAME
.Nm lfacme-kerberos
.Nd validate an ACME challenge via GSS-TSIG DNS updates
.Sh SYNOPSIS
In
.Xr domains.conf 5 :
.Bd -ragged -offset indent
.Ar domain challenge=kerberos
.Ed
.Sh DESCRIPTION
The
.Nm
challenge hook will respond to an ACME domain validation using a DNS-based
.Dq dns-01
authorization with GSS-TSIG Dynamic DNS updates.
To use this challenge hook, configure one or more domains with
.Dq challenge=kerberos
in
.Xr domains.conf 5 .
.Pp
The
.Dq dns-01
challenge expects the authorization token to be created as a TXT record at the DNS name
.Dq _acme-challenge. Ns Ar domain .
When
.Nm
responds to the challenge, it will use
.Xr nsupdate 1
with the
.Fl g
flag to create this token.
The DNS update will be sent to the zone's master server, as determined by the MNAME field in the SOA record.
.Pp
Before sending the update,
.Nm
will retrieve a Kerberos ticket using
.Xr kinit 1
for the principal configured by
.Va ACME_KERBEROS_PRINCIPAL
in
.Xr acme.conf 5 .
.Sh CONFIGURATION
The
.Nm
challenge hook supports the following configuration options in
.Xr acme.conf 5 :
.Bl -tag -width indent
.It Va ACME_KERBEROS_PRINCIPAL
The Kerberos principal to authenticate as when sending the DNS update.
The default value is
.Dq host/$(hostname) ,
which assumes a default realm has been configured in
.Pa /etc/krb5.conf .
Explicitly configuring the principal is recommended, but not required.
.It Va ACME_KERBEROS_KEYTAB
The keytab used to issue the Kerberos ticket.
This must contain a key for the principal configured by
.Va ACME_KERBEROS_PRINCIPAL .
The default value is
.Pa /etc/krb5.keytab .
.El
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
.Xr kinit 1 ,
.Xr lfacme-renew 8 ,
.Xr nsupdate 1
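The sequence the DESCRIPTION section outlines (obtain a ticket from the keytab, find the zone master from the SOA MNAME, send a GSS-TSIG update for the _acme-challenge TXT record) is shown below as an added example in POSIX sh. It is not lfacme's own hook code; the function names, the use of a private credential cache, the SOA walk with dig(1), the 60 second TTL and the cleanup step after validation are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of lfacme. Shows the shape of a dns-01 responder that
# uses kinit(1) plus "nsupdate -g" as described in lfacme-kerberos(5).
# Function names and the dig(1)-based SOA walk are this example's own choices.

# Emit the nsupdate(1) batch that publishes one dns-01 token.
# $1 = domain, $2 = challenge token, $3 = zone master (SOA MNAME), $4 = TTL (default 60)
acme_kerberos_nsupdate_script() {
    domain=$1; token=$2; master=$3; ttl=${4:-60}
    name="_acme-challenge.${domain}."
    printf 'server %s\n' "$master"
    # Drop tokens left over from an earlier run so the record set holds only
    # the current token; the "delete" is a no-op when nothing is there.
    printf 'update delete %s TXT\n' "$name"
    printf 'update add %s %s TXT "%s"\n' "$name" "$ttl" "$token"
    printf 'send\n'
}

# Emit the batch that removes the token once validation has finished, so the
# challenge record does not linger in the zone.
# $1 = domain, $2 = zone master (SOA MNAME)
acme_kerberos_cleanup_script() {
    printf 'server %s\n' "$2"
    printf 'update delete _acme-challenge.%s. TXT\n' "$1"
    printf 'send\n'
}

# Resolve the zone master for a name: the MNAME of the closest enclosing SOA.
# Walks up one label at a time because the domain need not be a zone apex.
acme_kerberos_zone_master() {
    zone=$1
    while [ -n "$zone" ]; do
        mname=$(dig +short SOA "$zone" 2>/dev/null | awk 'NR == 1 { sub(/\.$/, "", $1); print $1 }')
        if [ -n "$mname" ]; then
            printf '%s\n' "$mname"
            return 0
        fi
        case $zone in
            *.*) zone=${zone#*.} ;;
            *)   break ;;
        esac
    done
    return 1
}

# Publish the token: ticket from keytab, then GSS-TSIG update to the master.
# $1 = domain, $2 = challenge token. Reads ACME_KERBEROS_PRINCIPAL and
# ACME_KERBEROS_KEYTAB from the environment, with the defaults from acme.conf(5).
acme_kerberos_present() {
    domain=$1; token=$2
    principal=${ACME_KERBEROS_PRINCIPAL:-"host/$(hostname)"}
    keytab=${ACME_KERBEROS_KEYTAB:-/etc/krb5.keytab}
    # Use a private credential cache so the service ticket is scoped to this
    # update and never overwrites or outlives the caller's default cache.
    KRB5CCNAME=$(mktemp /tmp/lfacme-krb5cc.XXXXXX) || return 1
    export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1; rm -f "$KRB5CCNAME"' EXIT
    kinit -k -t "$keytab" "$principal" || return 1
    master=$(acme_kerberos_zone_master "$domain") || return 1
    acme_kerberos_nsupdate_script "$domain" "$token" "$master" | nsupdate -g
}

# Usage (requires kinit, dig and nsupdate on the host):
#   acme_kerberos_present example.org "<token from the ACME server>"
```

The batch generator is kept separate from the part that talks to the KDC and the DNS server so that the exact update sent can be inspected (or diffed against what the master logged) without needing Kerberos credentials.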