The local BIND server on your own machine needs several things. First run the program tsig-keygen and capture its output. The “keyname” can be of your own choosing (even the literal word “keyname” is fine), but it must be used consistently below.
tsig-keygen keyname > keyfile.key
We are going to put the contents of keyfile.key into the BIND configuration shortly, and also use it for another purpose, so don't discard it.
The next step is going to take a while unless you are familiar with BIND. You must configure BIND with two separate “views”.
First, near the top of the “named.conf” file, right after the “options” section, place the contents of the “keyfile.key” you generated above. See Listing 2.
It's a little tricky -- the semicolons are all needed!
Add the internal view first, then configure the external view. You will need both of the “match-clients” sections, and you will need the acmesh.example.com zone in the external view. The “allow-update” clause is what enables us to programmatically update the contents of that zone (it is the zone that receives the challenge). See Listing 3.
The file “acmesh.example.com.db” contains (Listing 4):
Now start BIND and test things. Use the command in Listing 5 to test the external view of your server. The key in keyfile.key is what lets dig “see” the external view rather than the internal view.
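As an added illustration of the layout described above (this is not the article's Listing 2 or 3, and the key block, zone names, file names and directory are placeholders I have assumed), a named.conf skeleton with the TSIG key, the two views and the updatable challenge zone:

```conf
// Added example, not the article's own listings. Replace the key block
// with the real output of "tsig-keygen keyname > keyfile.key".
options {
    directory "/var/named";                 // assumed path; named must be able to write here
    // ... your existing options ...
};

// Contents of keyfile.key, placed right after the options section.
key "keyname" {
    algorithm hmac-sha256;                  // tsig-keygen's default algorithm
    secret "PASTE-THE-BASE64-SECRET-FROM-keyfile.key";
};

// Once any view statement exists, every zone must live inside a view.
view "internal" {
    // Unsigned queries from the local network land here; the "!key"
    // entry keeps key-signed queries out of this view.
    match-clients { !key keyname; localhost; localnets; };
    recursion yes;

    zone "example.com" {
        type master;
        file "example.com.internal.db";
    };
};

view "external" {
    // Queries signed with the key (the dig test and the ACME client)
    // and everything that did not match "internal" land here.
    match-clients { key keyname; any; };
    recursion no;

    zone "acmesh.example.com" {
        type master;
        file "acmesh.example.com.db";
        // Dynamic updates are accepted only when signed with the key.
        // named records them in a .jnl journal next to the zone file,
        // so the directory holding that file must be writable by named.
        allow-update { key keyname; };
    };
};
```

My assumed form of the test command is `dig -k keyfile.key @127.0.0.1 acmesh.example.com SOA`: `-k` makes dig sign the query with the key, which is what selects the external view, and the same query without `-k` should answer from the internal view instead.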