glashack DNS
The glashack.space domain is managed by gandi.net. The lab.glashack.space subdomain is delegated to a BIND 9 server which we host in the space (currently on the router).
This allows us to more easily configure keys to update DNS records (e.g. for automatic DNS entries from DHCP, or for Let's Encrypt certs with the DNS-01 challenge). It has the added benefit of keeping all this chaos limited to a subdomain: a misconfigured or leaked update key can at worst damage records under lab.glashack.space, without any risk of disturbing the main glashack.space records at gandi.net.
lab.glashack.space configuration
DNS config is stored under /var/named/etc/named.conf (named runs chrooted to /var/named on OpenBSD, so inside the chroot this is /etc/named.conf). Changes to this file require the named service to be restarted with rcctl restart named. Check the syntax first with named-checkconf -t /var/named /etc/named.conf, since a syntax error will leave the zone unserved after the restart.
Automatic DNS entries for DHCP clients
TODO
LetsEncrypt
As this DNS server is publicly accessible and is authoritative for lab.glashack.space, it is possible to use it for DNS-01 challenges to get valid Let's Encrypt certs for services which we don't want to expose directly to the internet (the ACME server only needs to resolve the _acme-challenge TXT record, not reach the service itself).
This requires the generation of TSIG keys on the DNS server which the ACME clients use to create the required records via dynamic update (RFC 2136). Note that the secret grants write access to the zone, so the key file and any client-side credentials file containing it should be readable only by root and the ACME client user.
router# cd /var/named/etc
router# tsig-keygen -a HMAC-SHA512 my-new-key
key "my-new-key" {
	algorithm hmac-sha512;
	secret "<secret key>";
};
router# vim named.conf # add the key block to the DNS config and grant it permission to update the lab.glashack.space zone, then rcctl restart named.
The grant should use update-policy rather than allow-update (allow-update with a key gives that key write access to every record in the zone) and should ideally be restricted to TXT records at the _acme-challenge. names only, as shown in: https://certbot-dns-rfc2136.readthedocs.io/en/stable/
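The following named.conf fragment is an added example of such a restricted grant; it is not copied from the router's actual config. The zone file name and the hostname wiki.lab.glashack.space are assumptions chosen for illustration, and the secret is the one printed by tsig-keygen above.

```conf
// Added example, not the live config: TSIG key as printed by tsig-keygen.
// BIND accepts //, # and /* */ comments in named.conf.
key "my-new-key" {
	algorithm hmac-sha512;
	secret "<secret key>";
};

zone "lab.glashack.space" {
	type master;
	file "lab.glashack.space.zone";   // assumed zone file name

	// update-policy instead of allow-update: the key may only touch the
	// names and record types listed here, nothing else in the zone.
	update-policy {
		// Certificate for lab.glashack.space itself.
		grant my-new-key name _acme-challenge.lab.glashack.space. TXT;
		// One line per host that gets a certificate (hostname assumed).
		grant my-new-key name _acme-challenge.wiki.lab.glashack.space. TXT;
	};
};
```

A single "name" grant matches exactly that owner name, so each host needs its own line (a "wildcard *.lab.glashack.space. TXT" grant would cover all hosts in one line, but then the key may write TXT records at any name under lab). After the restart the policy can be checked from a client with nsupdate -k my-new-key.key: an "update add _acme-challenge.wiki.lab.glashack.space. 60 TXT test" must succeed, while an update to any other name or record type (for example an A record for wiki.lab.glashack.space) must come back REFUSED.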
