Usability improvements for dns-rfc2136 plugin #7206
Comments
bind is not the only server providing this service based on RFC2136.
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.
*pokes bot*
Fixes #7206. I think it's about time we did this:
- `dnssec-keygen` on new distros doesn't support the HMAC algorithms anymore, so our instructions don't work.
- The oldest distros we support are Debian Buster (`9.11.5.P4+dfsg-5.1+deb10u7`) and CentOS 7 (`9.11.4-26.P2.el7_9.9`), which ship `tsig-keygen` and support `HMAC-SHA512`.
This community thread points out two issues with the current plugin:
- The name is confusing. Most people don't know what RFC2136 is. We should probably add an alias like `dns-bind` or `dns-nsupdate` (after the widely used CLI update tool).
- The instructions to use `dnssec-keygen` should be replaced with `tsig-keygen` for Bind 9.13+. Though @joohoi pointed out on chat that most distros are still on Bind 9.11 so far.
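For readers following the `tsig-keygen` suggestion above, this added example (not code from the thread or from the Certbot project) turns the key clause that `tsig-keygen` prints into the text of a dns-rfc2136 credentials file. The function name, key name, zero-byte secret and server address are assumptions made for illustration, and the SHA-2-only allow-list and secret-length check are this example's own policy.

```python
import base64
import re

# Constructed sample in the shape tsig-keygen prints. The secret is 64 zero
# bytes, a placeholder and not a real key; the key name is made up.
SAMPLE_KEY_CLAUSE = '''key "certbot-example." {
    algorithm hmac-sha512;
    secret "%s";
};
''' % base64.b64encode(bytes(64)).decode()

KEY_CLAUSE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;'
)

# Assumption of this example: accept only SHA-2 HMACs and require the secret
# to be at least as long as the digest (sizes in bytes).
DIGEST_BYTES = {"hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def key_clause_to_credentials(clause, server, port=53):
    """Turn a BIND key clause into the text of a dns-rfc2136 credentials file."""
    match = KEY_CLAUSE.search(clause)
    if match is None:
        raise ValueError("no key clause found")
    alg = match.group("alg").lower()
    if alg not in DIGEST_BYTES:
        raise ValueError("algorithm not accepted by this example: " + alg)
    # validate=True rejects stray characters instead of silently dropping them.
    secret = base64.b64decode(match.group("secret"), validate=True)
    if len(secret) < DIGEST_BYTES[alg]:
        raise ValueError("secret is shorter than the digest size")
    return "\n".join([
        "dns_rfc2136_server = %s" % server,
        "dns_rfc2136_port = %d" % port,
        "dns_rfc2136_name = %s" % match.group("name"),
        "dns_rfc2136_secret = %s" % match.group("secret"),
        "dns_rfc2136_algorithm = %s" % alg.upper(),
    ]) + "\n"


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address standing in for the DNS server.
    print(key_clause_to_credentials(SAMPLE_KEY_CLAUSE, "192.0.2.1"), end="")
```

The resulting file is what `--dns-rfc2136-credentials` points at; since it holds the TSIG secret, keep it readable only by the account that runs Certbot (for example mode 600).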