Re: guix.gnu.org sub-domain
From: Julien Lepiller
Subject: Re: guix.gnu.org sub-domain
Date: Tue, 09 Apr 2019 10:32:13 +0200
User-agent: K-9 Mail for Android

On 9 April 2019 03:48:02 GMT+02:00, Chris Marusich <address@hidden> wrote:
>Hi Julien,
>
>Thank you for working on this!
>
>Julien Lepiller <address@hidden> writes:
>
>> I'm still unsure about how to update the certificates with the dns
>> challenge. I found a script that could help us with updating the zone
>> served by knot when it's configured as a master.
>>
>> We could use that to update the required txt record, but we also need
>> to make sure the change is propagated to the other server, because we
>> don't know which server will be asked to answer the challenge.
>>
>> With a further delegation of the record for the dns challenge we can
>> have two masters, but I'm still stuck at finding a way to communicate
>> the challenge between the two servers.
>>
>> Ideas?
>
>Can we update the DNS dynamically [1]? Can you share the script?
>
>I still don't know as much about Knot as I should, but I'm surprised
>that a change to the primary server's database would not be propagated
>to the secondary server's database automatically. Can you elaborate on
>what goes wrong, or maybe explain (even at a high level) how I can try
>reproducing the problem with cert renewal locally?
>
>Footnotes:
>[1] https://tools.ietf.org/html/rfc2136

What I found consists of using knotc to update the zone served by knot with
knotc, but it only updates it locally (and to slaves). So we have no issue with
that method when we want to automate certs from the primary, but I don't know
how to propagate the change back to the master when we ask for certs on the
secondary.

I'll have a look at the RFC.
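
One way a secondary could hand the challenge record to the primary using the RFC 2136 dynamic update raised in the thread, shown as an added example that is not part of the original messages or the project's code. It assumes the primary accepts TSIG-signed updates; the server name, zone, key path and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nsupdate(1) batch that a
# secondary would send to the primary to publish a DNS-01 TXT record.
# Assumptions (hypothetical values): primary host, zone name, TSIG key path.

PRIMARY="${PRIMARY:-ns1.example.org}"       # hypothetical primary server
ZONE="${ZONE:-example.org}"                 # hypothetical zone
TSIG_KEY="${TSIG_KEY:-/etc/acme/tsig.key}"  # hypothetical TSIG key file

# Print the RFC 2136 update batch for one challenge; return 1 on bad input.
acme_update_batch() {
    domain=$1
    token=$2
    # Host name: letters, digits, dots and hyphens only, so nothing in it
    # can start a new nsupdate command.
    case $domain in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # DNS-01 value: base64url of a SHA-256 digest, always 43 characters.
    case $token in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#token}" -eq 43 ] || return 1
    # The name must sit inside the zone the TSIG key is meant to update.
    case $domain in
        "$ZONE"|*."$ZONE") ;;
        *) return 1 ;;
    esac
    printf 'server %s\n' "$PRIMARY"
    printf 'zone %s.\n' "$ZONE"
    printf 'update add _acme-challenge.%s. 60 TXT "%s"\n' "$domain" "$token"
    printf 'send\n'
}

# Send the batch to the primary, signed with the TSIG key. The primary then
# distributes the record to its secondaries like any other zone change.
publish_challenge() {
    batch=$(acme_update_batch "$1" "$2") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY"
}
```

Restricting the TSIG key on the primary to TXT updates under `_acme-challenge` limits what a compromised secondary can change in the zone.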