Feature #7340
closed
Acme Client nsupdate interface forces a different key-ID for every domain
100%
Description
It would be much more convenient for a large number of domains to assign a DNSSEC update-key to the firewall and allow it to make updates to all of the relevant host entries in the domain. As it is, a new key must be entered into BIND for every host record being updated. This also significantly complicates the configuration if you use views on your DNS server.
It could be resolved by either allowing a paste of the entire key or adding a field to (optionally) set the key-id instead of generating it as matching the domain being validated.
Updated by Pi Ba over 7 years ago
Seems to me if you can set 1 update key in bind you can reuse that key in acme package for each domain?
P.S. I've never used bind/nsupdate, so forgive me if I talk nonsense :)
Updated by Jim Pingle over 7 years ago
- Assignee set to Jim Pingle
The way the code works now, the key name/id is the domain name. While you could copy the key to a bunch of names on the BIND server, it could be done better/easier.
Also, it's tough to use zone keys the way it is now. I plan on adding this field when I have some time, just not sure when that might be.
Updated by Jim Pingle almost 7 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
In ACME package version 0.1.32 there is a separate Key name field which can be used to override the default key name if desired.
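Added example, not part of the original issue thread or the ACME package's code: a small generator for the BIND side of the two layouts discussed above, one key per domain (key name equal to the domain name) versus a single shared key name, with every grant still limited to the `_acme-challenge` TXT record of each name. The key name `acme-fw`, the `hmac-sha256` algorithm, the placeholder secret and the `example.com` names are assumptions made for illustration.

```python
# Added example (not pfSense/ACME package code): render BIND key stanzas and an
# update-policy block for ACME DNS-01 updates. All names are constructed samples.

PLACEHOLDER_SECRET = "REPLACE_WITH_TSIG_SECRET"  # placeholder, e.g. from tsig-keygen
PREFIX = "_acme-challenge."


def challenge_name(domain, zone):
    """FQDN of the DNS-01 TXT record for `domain`; rejects names outside `zone`."""
    host = domain.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if host.startswith("*."):  # wildcard certificates validate at the parent name
        host = host[2:]
    if host != zone and not host.endswith("." + zone):
        raise ValueError(f"{domain!r} is not inside zone {zone!r}")
    return f"{PREFIX}{host}."


def render(zone, domains, key_name=None):
    """key_name=None: one key per domain, named after the domain (for a wildcard
    the base name is used, which is an assumption of this example).
    key_name set: one shared key, granted only the challenge TXT records."""
    keys, grants = [], []
    for domain in domains:
        target = challenge_name(domain, zone)
        ident = key_name or target[len(PREFIX):-1]
        if ident not in keys:
            keys.append(ident)
        line = f"    grant {ident} name {target} TXT;"  # exact name, TXT only
        if line not in grants:
            grants.append(line)
    out = [f'key "{k}" {{ algorithm hmac-sha256; secret "{PLACEHOLDER_SECRET}"; }};'
           for k in keys]
    out.append(f'// goes inside: zone "{zone.rstrip(".")}" {{ ... }};')
    out += ["update-policy {", *grants, "};"]
    return "\n".join(out)


if __name__ == "__main__":
    names = ["www.example.com", "mail.example.com", "*.example.com"]
    print(render("example.com", names))                      # per-domain keys
    print()
    print(render("example.com", names, key_name="acme-fw"))  # one shared key
```

With a shared key the number of `key` stanzas stays at one as domains are added, while the `grant ... name ... TXT` lines keep the key from updating anything other than the challenge records.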