nsupdate

Use of K* file pairs for HMAC is deprecated – acme.sh

On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question: [19:36 certs dan ~] % sudo crontab -l -u acme 44 16 * * * /usr/local/sbin/acme.sh –cron –home /var/db/acme/.acme.sh > /dev/null [19:44 certs dan ~] […]

Use of K* file pairs for HMAC is deprecated – acme.sh Read More »

nsupdate – update failed: REFUSED

A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects. That host also acted as a DNS host for all my domain. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It took a few hours for it to catch up to Let’s Encrypt renewals. To be fair, this $5

nsupdate – update failed: REFUSED Read More »

Adding new DNS zones when using nsupdate & bind

Back in the good old days, I managed my DNS zones files by checking them into the repo, and then running svn up on the name servers. When I started using Let’s Encrypt, I stopped doing that because of the use of nsupdate. This post outlines how I added two new zones to my nameservers: vbsdcon.org vbsdcon.com The zone files Here is the zone I created. $ cat vbsdcon.org.db vbsdcon.org. 3600 IN SOA

Adding new DNS zones when using nsupdate & bind Read More »

Adjusting the TTL on domain records

I am about to make changes to my mail servers. I am changing third-party providers. In anticipation of this change, I will drop the TTL on my DNS MX records. This should minimize the time it takes for this change to take effect. I say should because not all servers honor the specified TTL. I started with one of my lesser used domains, to make sure I had the nsupdate commands correct. Here

Adjusting the TTL on domain records Read More »

Using nsupdate to change NS servers

You have an old DNS server: tallboy.example.org You have a new DNS server: ns1.example.org You have a domain, example.com, for which you want to swap the old DNS server with the new DNS using nsupdate. NOTE: the domain is example.com The NS servers are in example.org (different domains). These are the commands you issue: update delete example.com. IN NS tallboy.example.org. update add example.com. 3600 IN NS ns1.example.org. send Of note, you mention the

Using nsupdate to change NS servers Read More »

Adding IPv6 to an Nginx website on FreeBSD / FreshPorts

FreshPorts recently moved to an IPv6-capable server but until today, that capability has not been utilized. There were a number of things I had to configure, but this will not necessarily be an exhaustive list for you to follow. Some steps might be missing, and it might not apply to your situation. All of this took about 3 hours. We are using: FreeBSD 11.1 Bind 9.9.11 nginx 1.12.2 The server configuration This is

Adding IPv6 to an Nginx website on FreeBSD / FreshPorts Read More »

acme.sh: getting free SSL certificates – installation configuration on FreeBSD

This blog post describes my Let’s Encrypt solution which uses acme.sh and dns-01 challenges to obtain SSL certificates. If you are using HTTP challenges, this post might still be useful, but your configuration will differ slightly. Let’s Encrypt is a certificate authority which has become wildly popular since it was launched in April 2016 (just a short 14 months ago). Why so popular? It provides a secure way to offer free SSL certificates.

acme.sh: getting free SSL certificates – installation configuration on FreeBSD Read More »

Configuring my BIND/named DNS servers to operate from a hidden master via VPN for Let’s Encrypt

What is a hidden DNS master? If you need to ask that, this is not the blog post for you. This post assumes you already know how to configure DNS and just want ideas for your own hidden master. It also assumes the networking, VPN, and firewall are pre-configured for this. This blog post is mostly about named/BIND. For the record, I am using bind99-9.9.10P1. In my previous blog post, you’ll see how

Configuring my BIND/named DNS servers to operate from a hidden master via VPN for Let’s Encrypt Read More »

Creating a TXT only nsupdate connection for Let’s Encrypt

I’m in the process of designing my own centralized Let’s Encrypt solution. It was Peter Wemm’s blog post about Let’s Encrypt in the FreeBSD cluster which got me started down this road. My rough notes are this this gist. This blog post assumes you are already familiar with Let’s Encrypt and especially with the dns-01 challenge. This previous post might also be useful. In this post, I’ll show you have to generate a

Creating a TXT only nsupdate connection for Let’s Encrypt Read More »

OpenVPN and dynamic DNS

My laptop’s hostname is dent. I want my DNS records to point to that laptop whether I’m connected to my LAN directly (via WIFI or ethernet cable) or via OpenVPN (my VPN of choice). SIDE NOTE: You will see references to nsupdate -k below. Note that in recent versions of this program, the option you want has changed to nsupdate -y. You will find an example of the new format later in this

OpenVPN and dynamic DNS Read More »

Scroll to Top