ip.addr.tools - construct domain names that resolve to any given IP address
192-0-2-1.ip.addr.tools resolves to 192.0.2.1
anything.203.0.113.1.ip.addr.tools resolves to 203.0.113.1
2001-db8--1.ip.addr.tools resolves to 2001:db8::1
this.too.2001-db8--1.ip.addr.tools resolves to 2001:db8::1
http[s]://self.ip.addr.tools redirects, resolves to your public IP
$ nsupdate -v
> update add _acme-challenge.192-168-1-1.ip.addr.tools 180 TXT challengeText
> send
$ dig _acme-challenge.192-168-1-1.ip.addr.tools txt +short
"challengeText"
For any IPv4 address a.b.c.d, the names and all subdomains of a-b-c-d.ip.addr.tools and a.b.c.d.ip.addr.tools will resolve to that IPv4 address.
Similarly for any IPv6 address, the name and all subdomains of the name produced by replacing every colon with a hyphen in that address, and appending ".ip.addr.tools", will resolve to that IPv6 address.
self.ip.addr.tools and self6.ip.addr.tools are helper HTTP(S) services that redirect to the domain names which resolve to your public IPv4 and IPv6 addresses, respectively.
It is possible to obtain TLS certificates for these domain names from certificate authorities supporting the ACME protocol, such as Let's Encrypt.
RFC 2136 dynamic updates can be used to complete a dns-01 challenge. These updates are limited to adding and deleting TXT records to "_acme-challenge" subdomains. Anyone can make such updates to names which resolve to private IP addresses. In order to make an update to a name which resolves to a public IP address, the request must use TCP and come from the IP address corresponding to the name being updated. In other words, you can't make updates to domain names which resolve to public IP addresses other than your own.
When making an update to the name which resolves to your public IPv4 address, make sure the request is made over IPv4. The same goes for IPv6. The nsupdate utility provides "-4" and "-6" options to force IPv4 or IPv6, and "-v" to force TCP.
TXT records added via RFC 2136 updates are automatically removed after a few minutes.
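The naming rules and update restrictions described above can be modelled offline. The following Python sketch is an added example, not code from ip.addr.tools: the function names are hypothetical, the parsing order is one reading of the stated rules, and Python's `is_private` is assumed to stand in for the service's own definition of a private address.

```python
import ipaddress

SUFFIX = "ip.addr.tools"

def name_for(ip, prefix=""):
    """Build the name for an address: dots (IPv4) or colons (IPv6) become hyphens."""
    addr = ipaddress.ip_address(ip)
    label = str(addr).replace("." if addr.version == 4 else ":", "-")
    return ".".join(part for part in (prefix, label, SUFFIX) if part)

def ip_from_name(name):
    """Return the address embedded in a name under SUFFIX, or None."""
    name = name.rstrip(".").lower()
    if not name.endswith("." + SUFFIX):
        return None
    labels = name[: -len(SUFFIX) - 1].split(".")
    candidates = (
        labels[-1].replace("-", "."),  # a-b-c-d form
        ".".join(labels[-4:]),         # a.b.c.d form
        labels[-1].replace("-", ":"),  # IPv6 with colons written as hyphens
    )
    for text in candidates:
        try:
            return ipaddress.ip_address(text)
        except ValueError:
            continue
    return None

def update_allowed(name, source_ip, over_tcp):
    """Model the stated rule for an RFC 2136 TXT update to `name`."""
    if not name.lower().startswith("_acme-challenge."):
        return False
    target = ip_from_name(name)
    if target is None:
        return False
    if target.is_private:  # assumption: stands in for the service's own definition
        return True
    # Public target: TCP only, and the source must be the address in the name.
    return over_tcp and ipaddress.ip_address(source_ip) == target

if __name__ == "__main__":
    # Constructed sample names, following the examples on the page.
    for n in ("anything.203.0.113.1.ip.addr.tools", "this.too.2001-db8--1.ip.addr.tools"):
        print(n, "->", ip_from_name(n))
    print(update_allowed(name_for("192.168.1.1", "_acme-challenge"), "198.51.100.7", False))
```

Because names for private addresses accept updates from anyone, a certificate for such a name shows only that its holder completed a challenge, not that they control a particular host on your network.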
TSIG is not required. However, if your RFC 2136 client requires TSIG, use the algorithm, key name and secret provided below.
TSIG key algorithm: HMAC-SHA1
TSIG key name: ip.addr.tools.
Certificates have been successfully issued using Certbot with the certbot-dns-rfc2136 plugin.