2 files changed, 9 insertions, 2 deletions

diff --git a/hosts/surtr/dns/zones/org.rheperire.soa b/hosts/surtr/dns/zones/org.rheperire.soa
index 8d6528ca..b36b7b6d 100644
--- a/hosts/surtr/dns/zones/org.rheperire.soa
+++ b/hosts/surtr/dns/zones/org.rheperire.soa
@@ -1,7 +1,7 @@
 $ORIGIN rheperire.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2021053006 ; serial
+  2021053007 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -21,3 +21,8 @@ $TTL 3600
 *                       IN      AAAA    2a03:4000:6:d004::
 *                       IN      MX      0 ymir.yggdrasil.li.
 *                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge         IN      A       188.68.51.254
+_acme-challenge         IN      AAAA    2a03:4000:6:d004::
+_acme-challenge         IN      MX      0 ymir.yggdrasil.li.
+_acme-challenge      60 IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index cc868f45..9cd6bd0c 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -4,6 +4,8 @@ let
   
   knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
     EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+    EXEC_PROPAGATION_TIMEOUT=600
+    EXEC_POLLING_INTERVAL=10
   '';
   knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
     #!${pkgs.zsh}/bin/zsh -xe
@@ -49,7 +51,7 @@ in {
           extraDomainNames = [ "*.rheperire.org" ];
           dnsProvider = "exec";
           credentialsFile = knotDNSCredentials "rheperire.org";
-          dnsPropagationCheck = false;
+          dnsResolver = "1.1.1.1:53";
         };
       };
     };