Dynamically updating zone subdomains


I'm running a bind9 (9.9.5) DNS-server (on Debian/jessie).
I have configured one zone to allow dynamic updates, and would like to add TXT records for specific hosts within that zone.

Here's a sample setup (named.conf)

zone "example.com" {
    type master;
    notify yes;
    allow-update { key secret-key; };
    file "/etc/bind/db.example.com";

And the accompanying db.example.com file:

$TTL 604800 ; 1 week
example.com     IN SOA  dns.example.com root.example.com. (
                1          ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
            NS  dns.example.org.
            NS  dns1.example.org.
            NS  dns2.example.org.
$ORIGIN example.com.
*           MX  10 mail.example.com.
mail        A
http        A

Using my secret-key, I can dynamically add a new record directly in that zone (e.g. create a TXT record for _acme-challenge.example.com).

However, what I really want to do is add subdomain records for hosts within the zone. E.g. in the zone example.com, there is an A record mail.example.com, and I would like to dynamically add a TXT record for _acme-challenge.mail.example.com.

Unfortunately, my nameserver doesn't like this and refuses to work with

secret-key: updating zone 'example.com/IN': update failed: not authoritative for update zone (NOTAUTH)

I can add that record manually into the db-file, and it works fine.

 _acme-challenge.mail TXT "secretstring"

However, i would like to automate this (given that this is part of deploying letsencrypt certificates via DNS-01 challenge), so manually setting the records is not an option.

Any ideas what is going wrong and how I can update my TXT-records automatically?

update: the script

the actual update is implemented with python-dnspython, and looks like:

update = dns.update.Update("mail.example.com", ...)
update.add("_acme-challenge", 500, "TXT", token)
response = dns.query.udp(update, name_server_ip)

Best Answer

It turns out that the problem was indeed the way the dnspython script would request the update of the zone.

Instead of requesting to add an entry _acme-challenge.mail to the example.com zone, it would instead (and wrongly) request an entry _acme-challenge to be added to the mail.example.com zone.

Since the nameserver had no mail.example.com. zone, it would refuse to handle the request.

The solution to the problem was to iteratively try adding to parent zones, until success (or the TLD has been reached):

  • try adding _acme-challenge to zone mail.example.com.
  • try adding _acme-challenge.mail to zone example.com.
  • try adding _acme-challenge.mail.example to zone com.
  • fail.