[GH-ISSUE #376] Feature-Request: DNS-Zone-transfer to other DNS-Servers #211

Open
opened 2026-03-13 16:10:03 +03:00 by kerem · 1 comment

Originally created by @stemenn on GitHub (Mar 5, 2025).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/376

I'm running two authoritative DNS servers (Primary and Secondary) for some domains, for which I want to get certificates through this project. Therefore I am running acme-dns in a Docker container and I just forward the queries, because I don't have another public IP. And to be honest, I don't want to get one just for the certificates. It would be nice if acme-dns could be set as master and just notify the other authoritative DNS servers for that zone.


@TRPB commented on GitHub (Mar 3, 2026):

Here's a fun thing I discovered with this exact problem: Let's Encrypt can work with just an IPv6 address for the DNS server.

Let's say your server has these IPs:

  • 1.2.3.4 A ns1.example.org
  • 1:2:3:4::1 AAAA ns1.example.org

You are going to be running your authoritative (i.e. not acme-dns) DNS server on port 53 on both IPs.

However, if you can add a second IPv6 address (which in a lot of cases is free), you can add a second IPv6 1:2:3:4::2 and run acme-dns on that interface only; it works fine.

DNS config:

auth.example.org NS auth.example.org.
auth.example.org AAAA 1:2:3:4::2

Note the lack of an A record at all here.

acme-dns config:

listen = "[1:2:3:4::2]:53"

Now when Let's Encrypt connects to acme-dns, it is on the secondary IPv6 address and it all just works. This is the first time in 25 years I've ever found a genuine benefit of IPv6.
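The setup in this comment only works if three things line up: the sub-zone is delegated with an NS record, the NS target has a glue address (here only AAAA), and acme-dns actually listens on that exact address on port 53. The following is an added consistency checker for those three conditions; it is not part of acme-dns or of the comment above, and the zone lines, the `listen` value and the helper names (`parse_zone`, `parse_listen`, `check_delegation`, `address_families`) are constructed for this illustration. It uses only the Python standard library and runs offline against the embedded sample.

```python
import ipaddress
import re

# Constructed sample input mirroring the records in the comment above.
# Names, addresses and the zone are illustrative, not a real deployment.
ZONE_RECORDS = """
auth.example.org NS auth.example.org.
auth.example.org AAAA 1:2:3:4::2
"""

ACME_DNS_CONFIG = 'listen = "[1:2:3:4::2]:53"'


def parse_zone(text):
    """Parse 'name TYPE rdata' lines into (name, type, rdata) tuples.

    Trailing dots are stripped so names compare equal whether or not they
    were written fully qualified. Blank or malformed lines are skipped.
    """
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, rdata = parts
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata.rstrip(".").lower()))
    return records


def parse_listen(config_text):
    """Extract (ip_address, port) from an acme-dns 'listen = "..."' line.

    Handles the bracketed IPv6 form "[addr]:port" as well as "addr:port".
    Raises ValueError when the setting is missing or not parseable.
    """
    match = re.search(r'^\s*listen\s*=\s*"([^"]*)"', config_text, re.MULTILINE)
    if not match:
        raise ValueError("no listen setting found")
    value = match.group(1)
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
    else:
        host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def address_families(zone_text, zone_name):
    """Return the set of IP versions ({4}, {6} or {4, 6}) reachable via the zone's NS glue."""
    records = parse_zone(zone_text)
    zone_name = zone_name.rstrip(".").lower()
    targets = {rdata for name, rtype, rdata in records if name == zone_name and rtype == "NS"}
    return {ipaddress.ip_address(rdata).version
            for name, rtype, rdata in records
            if name in targets and rtype in ("A", "AAAA")}


def check_delegation(zone_text, config_text, zone_name):
    """Return a list of problems; an empty list means the delegation is consistent.

    Checks that zone_name is delegated by NS, that each NS target has an
    address record, and that acme-dns listens on one of those addresses on
    port 53. An AAAA-only delegation (as in the comment) is accepted.
    """
    records = parse_zone(zone_text)
    zone_name = zone_name.rstrip(".").lower()
    problems = []
    try:
        listen_ip, port = parse_listen(config_text)
    except ValueError as exc:
        return [f"config: {exc}"]
    if port != 53:
        problems.append(f"config: acme-dns listens on port {port}, but resolvers query port 53")
    ns_targets = [rdata for name, rtype, rdata in records if name == zone_name and rtype == "NS"]
    if not ns_targets:
        problems.append(f"zone: no NS record delegating {zone_name}")
    for target in ns_targets:
        addrs = [ipaddress.ip_address(rdata) for name, rtype, rdata in records
                 if name == target and rtype in ("A", "AAAA")]
        if not addrs:
            problems.append(f"zone: NS target {target} has no A or AAAA record")
            continue
        if listen_ip not in addrs:
            problems.append(f"mismatch: acme-dns listens on {listen_ip} but {target} resolves to "
                            + ", ".join(str(a) for a in addrs))
    return problems


if __name__ == "__main__":
    zone = "auth.example.org"
    print("families:", address_families(ZONE_RECORDS, zone))
    print("ok config:", check_delegation(ZONE_RECORDS, ACME_DNS_CONFIG, zone))
    # Constructed failure case: acme-dns bound to the primary server's address instead.
    print("bad config:", check_delegation(ZONE_RECORDS, 'listen = "[1:2:3:4::1]:53"', zone))
```

The failure case in the `__main__` block is the mistake this thread is about: binding acme-dns to the address the main authoritative server already owns. The checker reports the mismatch rather than the port clash a real deployment would hit, and `address_families` returning `{6}` makes explicit that the delegation is reachable over IPv6 only, which is exactly the property the comment relies on the CA's validator supporting.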
