Letsencrypt ACME using BIND DNSSEC Cerbot

8/31/2020 – Work in progress. Should be done by 9/3/2020

These instructions are for FreeBSD, but the only difference for Linux is how you install the needed packages for CertBot.

These instructions assume you already have a functioning BIND DNS server and understand what you are doing.

Generate a key:

ddns-keygen -z example.com

Take the output of ddns-keygen and add it to named.conf

key “” {
algorithm hmac-md5;

Anamed.conf and add the above key and allow Certbot to change your specific TXT values.

zone “example.com” in {
type master;
file “/usr/local/etc/namedb/master/example.com.zone”;
update-policy {
grant letsencrypt name _acme-challenge.example.com. txt;
grant letsencrypt name _acme-challenge.www.example.com. txt;
grant letsencrypt name _acme-challenge.mail.example.com. txt;

Restart/reload named via service named restart or rndc reload.

Install Certbot and dnsrfc2136 module:

pkg install py37-certbot-dns-rfc2136-1.5.0

Create a config file. I chose: /root/rfc2136.ini

With these values:

dns_rfc2136_server =

dns_rfc2136_name = letsencrypt

dns_rfc2136_secret = N2/yD9J9N166TnZvU975SQ==

dns_rfc2136_algorithm = HMAC-MD5

Now generate your certificate:

certbot certonly –dns-rfc2136 –dns-rfc2136-credentials /root/rfc2136.ini -d www.example.com