ip.addr.tools - construct domain names that resolve to any given IP address
192-0-2-1.ip.addr.tools resolves to 192.0.2.1
anything.at.all.203.0.113.1.ip.addr.tools resolves to 203.0.113.1
2001-db8--1.ip.addr.tools resolves to 2001:db8::1
this.too.2001-db8--1.ip.addr.tools resolves to 2001:db8::1
http[s]://self.ip.addr.tools redirects, resolves to your external IP
$ nsupdate -v
> update add _acme-challenge.192-168-1-1.ip.addr.tools 180 TXT challengeText
> send
For any IPv4 address a.b.c.d, the names "a-b-c-d.ip.addr.tools" and "a.b.c.d.ip.addr.tools", and all subdomains of those names, will resolve to that IPv4 address.
Similarly for any IPv6 address, the name (and all subdomains of the name) produced by replacing every colon with a hyphen in that address, and appending ".ip.addr.tools", will resolve to that IPv6 address.
"self.ip.addr.tools" and "self6.ip.addr.tools" are helper HTTP(S) services that redirect to the domain names which resolve to your external IPv4 and IPv6 addresses respectively.
It is possible to obtain TLS certificates for these domain names from certificate authorities supporting the ACME protocol, such as Let's Encrypt.
RFC 2136 dynamic updates can be used to complete a dns-01 challenge. These updates are limited to adding and deleting TXT records to "_acme-challenge" subdomains. Anyone can make such updates to names which resolve to private IP addresses. In order to make such an update to a name which resolves to a public IP address (like your external IP address), the update request must use TCP and must come from the IP address corresponding to the name being updated. In other words, you can't make updates to domain names which resolve to public IP addresses other than yours.
When making an update to the name which resolves to your public IPv4 address, make sure the request is made over IPv4. The same goes for IPv6. The nsupdate utility provides "-4" and "-6" options to force IPv4 or IPv6, and "-v" to force TCP.
TXT records added via RFC 2136 updates are automatically removed after a few minutes.
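The naming rules and the dns-01 update described above, as an added Python example that is not code from ip.addr.tools. The helpers name_for, embedded_ip and nsupdate_plan are hypothetical names, and the order in which embedded_ip tries the three name forms is an assumption, since the page does not say how the service treats a name that matches more than one.

```python
import ipaddress
import re

ZONE = "ip.addr.tools"

def name_for(ip: str) -> str:
    """Name that resolves to `ip`: a-b-c-d for IPv4, colons to hyphens for IPv6."""
    addr = ipaddress.ip_address(ip)          # also normalises IPv6 to short form
    sep = "." if addr.version == 4 else ":"
    return str(addr).replace(sep, "-") + "." + ZONE

def embedded_ip(name: str):
    """Address encoded in a name under ZONE, or None (e.g. for self.ip.addr.tools).
    Trying the forms in this order is an assumption of this example."""
    name = name.rstrip(".").lower()
    if not name.endswith("." + ZONE):
        return None
    labels = name[: -len(ZONE) - 1].split(".")
    candidates = (
        ".".join(labels[-4:]),           # a.b.c.d as the last four labels
        labels[-1].replace("-", "."),    # a-b-c-d as the last label
        labels[-1].replace("-", ":"),    # IPv6 with hyphens as the last label
    )
    for text in candidates:
        try:
            return ipaddress.ip_address(text)
        except ValueError:
            continue
    return None

def nsupdate_plan(ip: str, token: str, ttl: int = 180):
    """Return (argv, stdin) for nsupdate to add the dns-01 TXT record."""
    # A dns-01 value is base64url; rejecting anything else keeps a stray
    # newline from smuggling extra commands into the nsupdate script.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("unexpected characters in challenge value")
    addr = ipaddress.ip_address(ip)
    # -v forces TCP; -4/-6 pins the address family to match the name.
    argv = ["nsupdate", "-v", "-4" if addr.version == 4 else "-6"]
    script = f"update add _acme-challenge.{name_for(ip)} {ttl} TXT {token}\nsend\n"
    return argv, script

if __name__ == "__main__":
    # Constructed sample inputs, using addresses from the examples above.
    for host in ("anything.at.all.203.0.113.1.ip.addr.tools",
                 "this.too.2001-db8--1.ip.addr.tools", "self.ip.addr.tools"):
        print(host, "->", embedded_ip(host))
    argv, script = nsupdate_plan("192.168.1.1", "challengeText")
    print(" ".join(argv), script, sep="\n")
```

embedded_ip works on the name alone, so it can be run over hostnames in logs without sending any DNS query.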
TSIG is not required. However, if your RFC 2136 client requires TSIG, use the algorithm, key name and secret provided below.
TSIG key algorithm: HMAC-SHA1
TSIG key name: ip.addr.tools.
Certificates have been successfully issued using certbot with the certbot-dns-rfc2136 plugin, as well as in pfSense using the ACME package.