DNS over TLS with LetsEncrypt
5 days ago
- #DNS over TLS
- #Certificate Renewal
- #LetsEncrypt
- LetsEncrypt announced issuing certificates for IP addresses, initially available on their Staging environment.
- ACME clients like certbot and lego are used to request certificates, with lego supporting IP address certificates via http-01 or tls-alpn-01 methods.
- Example lego command for staging environment includes hostnames and IP addresses, using the shortlived profile.
- Bind9 setup for DNS over TLS involves configuring TLS certificates and enabling listeners on port 853.
- Shortlived certificates require frequent renewal (every 7 days), automated using lego with a renew-hook script.
- Systemd timers are used to schedule certificate renewals, with randomized delays to distribute load.
- Testing DNS over TLS can be done using dig with +tls or +tls-ca options.
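An added illustration of the Bind9 side of the setup described above; this fragment is not from the original post, and the `tls` block name and file paths are assumptions (point them at the certificate and key that lego writes out):

```conf
# Added example, not from the original post. Paths and the block name are assumed.
tls letsencrypt-dot {
    cert-file "/etc/bind/tls/fullchain.crt";   # assumed path: leaf certificate plus chain
    key-file  "/etc/bind/tls/privkey.key";     # assumed path; readable only by the named user
};

options {
    # Plain DNS stays on 53; DNS over TLS is added on 853 using the certificate above.
    listen-on    port 853 tls letsencrypt-dot { any; };
    listen-on-v6 port 853 tls letsencrypt-dot { any; };
};
```

Because the shortlived certificate is replaced every 7 days, the renew-hook must also make named reload its configuration so the new files are served; `dig +tls` against the server then confirms the listener is using the fresh certificate.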