Feature #7340

Acme Client nsupdate interface forces a different key-ID for every domain

Added by Sam Bingner almost 3 years ago. Updated about 2 years ago.

It would be much more convenient for a large number of domains to assign a DNSSEC update-key to the firewall and allow it to make updates to all of the relevant host entries in the domain. As it is, a new key must be entered into BIND for every host record being updated. This also significantly complicates the configuration if you use views on your DNS server.

It could be resolved by either allowing a paste of the entire key or adding a field to (optionally) set the key-id instead of generating it as matching the domain being validated.


#1 Updated by Pi Ba almost 3 years ago

Seems to me if you can set 1 update key in BIND you can reuse that key in the ACME package for each domain?
P.S. I've never used BIND/nsupdate, so forgive me if I talk nonsense :)

#2 Updated by Jim Pingle almost 3 years ago

  • Assignee set to Jim Pingle

The way the code works now, the key name/id is the domain name. While you could copy the key to a bunch of names on the BIND server, it could be done better/easier.

Also, it's tough to use zone keys the way it is now. I plan on adding this field when I have some time, just not sure when that might be.

#3 Updated by Jim Pingle about 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

In ACME package version 0.1.32 there is a separate Key name field which can be used to override the default key name if desired.
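
The server side of the single-key setup discussed in this ticket, as an added example that is not from the ticket or from the ACME package: it generates one BIND `key` statement plus a per-zone `update-policy` that lets that key change only the `_acme-challenge` TXT records (the DNS-01 validation name from RFC 8555) for the listed hosts. The key name `acme-fw`, the zones and the hostnames are constructed, and the sketch assumes the package's Key name field is set to the same key name.

```python
import base64
import secrets

def challenge_name(hostname):
    """DNS-01 validation record for a certificate name; a wildcard maps to its parent."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return f"_acme-challenge.{host}."

def key_stanza(key_name, secret_b64=None):
    """One shared key statement; a fresh 256-bit secret is drawn if none is given."""
    if secret_b64 is None:
        secret_b64 = base64.b64encode(secrets.token_bytes(32)).decode()
    return (f'key "{key_name}" {{\n'
            f'    algorithm hmac-sha256;\n'
            f'    secret "{secret_b64}";\n'
            f'}};\n')

def update_policy(key_name, zone, hostnames):
    """update-policy block that grants key_name only the listed TXT challenge records."""
    zone_fqdn = zone.lower().rstrip(".") + "."
    grants = []
    for name in sorted({challenge_name(h) for h in hostnames}):
        # Refuse names outside the zone instead of emitting a grant that can never match.
        if not name.endswith("." + zone_fqdn):
            raise ValueError(f"{name} is not inside zone {zone_fqdn}")
        grants.append(f"    grant {key_name} name {name} TXT;")
    return "update-policy {\n" + "\n".join(grants) + "\n};\n"

if __name__ == "__main__":
    # Constructed sample data: zone -> certificate names validated from the firewall.
    zones = {
        "example.com": ["www.example.com", "*.example.com", "mail.example.com"],
        "example.net": ["vpn.example.net"],
    }
    print(key_stanza("acme-fw"))
    for zone, hosts in zones.items():
        print(f"# inside zone \"{zone}\":")
        print(update_policy("acme-fw", zone, hosts))
```

With views, the same `key` statement is defined once and each view's copy of the zone carries its own `update-policy` block.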
