On 08/07/2019 14:31, Dominik Menke wrote:
> Just for clarification, in your example.com zone, you have an NS
> record pointing to your "challenge DNS server", i.e.
> _acme-challenge IN NS nsacme.example.org.
> right? What about subdomains of example.com? Won't they need an NS
> record as well?
> _acme-challenge.db IN NS nsacme.example.org.
> _acme-challenge.git IN NS nsacme.example.org.
> ; etc.
That's correct: a separate NS record for each domain you want a
certificate for. This is static, so you just add it manually the first
time you want a certificate.
The top-level one should also allow you to get a wildcard certificate
<https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579>,
but I've not tried that yet.
Note that if you have split DNS, e.g. where "int.example.org" is an
internal domain on hidden private DNS servers, then on the outside you
can just have a single NS record:
int IN NS nsacme.example.org.
Regards,
Brian.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
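A check for the delegation scheme discussed above, added here as an example and not code from the thread or from PowerDNS: given the NS records in the public zone and the names you want certificates for, it reports which _acme-challenge delegations are still missing or point at a different server, and treats a covering delegation such as "int IN NS" as sufficient for names under it. The zone contents and host names are constructed sample data; the wildcard rule assumes, as ACME specifies, that "*.example.com" is validated at _acme-challenge.example.com.

```python
APEX = "example.com."                 # public zone being edited
CHALLENGE_NS = "nsacme.example.org."  # assumed name of the challenge-only DNS server

# Constructed sample zone: the thread's delegations plus one that points elsewhere.
ZONE = """
_acme-challenge     IN NS nsacme.example.org.
_acme-challenge.db  IN NS nsacme.example.org.
int                 IN NS nsacme.example.org.
_acme-challenge.www IN NS ns1.other.example.
"""

def parse_ns(zone_text, apex=APEX):
    """Return {owner FQDN: target} for every 'owner IN NS target' line."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "NS"]:
            owner = parts[0] if parts[0].endswith(".") else parts[0] + "." + apex
            records[owner.lower()] = parts[3].lower()
    return records

def challenge_name(cert_name):
    """DNS-01 validates '*.example.com' at _acme-challenge.example.com."""
    base = cert_name[2:] if cert_name.startswith("*.") else cert_name
    return "_acme-challenge." + base.rstrip(".") + "."

def delegation_for(name, ns, apex=APEX):
    """Walk up towards the apex; the first owner with an NS record is where a resolver is sent."""
    labels, depth = name.rstrip(".").split("."), len(apex.rstrip(".").split("."))
    while len(labels) > depth:
        owner = ".".join(labels) + "."
        if owner in ns:
            return owner, ns[owner]
        labels = labels[1:]
    return None

def check(cert_names, zone_text=ZONE):
    """Map each requested name to 'ok', 'missing' or 'wrong-ns:<target>'."""
    ns, result = parse_ns(zone_text), {}
    for n in cert_names:
        found = delegation_for(challenge_name(n), ns)
        result[n] = ("missing" if found is None else
                     "ok" if found[1] == CHALLENGE_NS.lower() else "wrong-ns:" + found[1])
    return result

def missing_records(cert_names, zone_text=ZONE):
    """Zone-file lines (relative owners) to add for every name still 'missing'."""
    status = check(cert_names, zone_text)
    return ["%s IN NS %s" % (challenge_name(n)[:-len(APEX) - 1], CHALLENGE_NS)
            for n in cert_names if status[n] == "missing"]
```

Run check() on the list of names you intend to put in the certificate before the first ACME order; a "wrong-ns" result means the validator will be sent to a server that will never see the TXT record.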