Batch updating all DNS records on my Bind server
Chuck Aurora
ca at nodns4.us
Mon Apr 20 17:23:22 UTC 2020
On 2020-04-20 10:33, Warren Kumari wrote:
> On Sat, Apr 18, 2020 at 12:52 PM Tony Finch <dot at dotat.at> wrote:
>>
>> @lbutlr <kremels at kreme.com> wrote:
>> >
>> > Is it possible to batch update all the domains? Looking at nsupdate it
>> > looks like I have to step through and do every domain individually.
>>
>> An UPDATE request can change many records, so long as they are all in the
>> same zone, and so long as they fit in the 64KB limit of DNS message size.
>> I find one request is usually enough for routine changes, but if you are
>> doing a bulk update to a large zone, you will need to split the changes
>> across multiple update requests.
>>
>> You might find nsdiff helpful, both to verify that your bulk changes are
>> what you expect, and because it will split large updates into multiple
>> requests automatically. It's still one-zone-at-a-time, though. A
>> quick-and-dirty starting point might be roughly
>>
>> dig axfr $zone |
>> sed 's/oldprefix/newprefix/' |
>> nsdiff $zone /dev/stdin |
>> nsupdate -l
>>
>> https://dotat.at/prog/nsdiff/
>
> Another option may be:
> rndc sync
> rndc freeze
> rndc sync
> [sed and awk[0] ]
> rndc thaw
The problem with freeze and thaw is that you lose your history. I like
having history, and it won't hurt to have that in the future, when
dealing with the ISP's next capricious reassignment. "On 2020-04-23[1]
you moved us from x.x.x.x to y.y.y.y, and now again to z.z.z.z? We are
paying for a static IP address, what does 'static' mean?"
Another problem with that choice is that the zones are signed, and named
will have to re-sign the whole zone in one go. I think (not sure) that
with nsupdate the signing will happen one record at a time; or at least,
only the relevant A / TXT(SPF) records with the changed IP address will
need to be signed. Given that there are lots of zones being done in a
loop, there could be a very high load on the server and drain on its
pool of entropy.
So yeah, I'd go with Tony's plan here. But I suppose the bottom line
for this list is, "nsupdate can't do batches, you have to script it."
> W
> [0]: Now at this point I should have remembered that profound truism:
> “Some people, when confronted with a Unix problem, think ‘I know,
> I’ll use sed.’ Now they have two problems.” jwz - 12 Dec 1992
LOL, yes, I thought that quote was about regular expressions, but
either way it sure fits.
[1] Shakespeare's death, 404 years ago; birth, 456 years ago, that day.
What would the Bard do? "To sed, or not to sed, ..."
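The thread's conclusion is that nsupdate has no cross-zone batch mode, so the per-zone loop has to be scripted. The script below is an added example, not code from Tony, Warren, Chuck or the nsdiff project: it shows the mechanics of turning an AXFR dump into an nsupdate batch for one zone, rewriting only the records that carry the old address (A records and the ip4: token in SPF TXT records), skipping the SOA and the DNSSEC records that named maintains itself (RRSIG, NSEC, NSEC3, NSEC3PARAM), and inserting a `send` every N changes so a large zone is split across several UPDATE messages rather than one oversized one. The zone name, the two addresses and the batch size are placeholders chosen for the example; the AXFR text is constructed sample data standing in for `dig axfr example.net`.

```shell
#!/bin/sh
# Added example (not from the thread): build one nsupdate batch per zone
# from an AXFR dump, changing only records that carry the old address and
# splitting the batch into several "send"s so no single UPDATE message
# approaches the 64KB DNS message limit. Zone, addresses and batch size
# are placeholders passed in by the caller.

# Constructed sample standing in for `dig axfr example.net`; the layout
# (owner TTL class type rdata) matches dig's presentation format.
sample_axfr() {
cat <<'EOF'
example.net.		3600	IN	SOA	ns1.example.net. hostmaster.example.net. 2020042001 7200 3600 1209600 3600
example.net.		3600	IN	NS	ns1.example.net.
example.net.		3600	IN	A	192.0.2.10
example.net.		3600	IN	TXT	"v=spf1 ip4:192.0.2.10 -all"
example.net.		3600	IN	RRSIG	A 13 2 3600 20200501000000 20200417000000 12345 example.net. c2lnbmF0dXJl
www.example.net.	3600	IN	A	192.0.2.10
ftp.example.net.	3600	IN	A	192.0.2.100
mail.example.net.	3600	IN	A	192.0.2.11
mail.example.net.	3600	IN	NSEC	www.example.net. A RRSIG NSEC
example.net.		3600	IN	SOA	ns1.example.net. hostmaster.example.net. 2020042001 7200 3600 1209600 3600
EOF
}

# gen_update ZONE OLD_IP NEW_IP [BATCH]
# Reads AXFR output on stdin, writes nsupdate commands on stdout.
gen_update() {
	awk -v zone="$1" -v old="$2" -v new="$3" -v max="${4:-100}" '
	# Replace OLD with NEW only where it stands as a whole address, so that
	# 192.0.2.10 does not also rewrite 192.0.2.100 (a plain sed would).
	function repl_ip(s,    out, pos, pre, post) {
		out = ""
		while ((pos = index(s, old)) > 0) {
			pre  = (pos > 1) ? substr(s, pos - 1, 1) : ""
			post = substr(s, pos + length(old), 1)
			if (pre ~ /[0-9.]/ || post ~ /[0-9.]/)
				out = out substr(s, 1, pos + length(old) - 1)
			else
				out = out substr(s, 1, pos - 1) new
			s = substr(s, pos + length(old))
		}
		return out s
	}
	BEGIN { print "zone " zone; n = 0 }
	# Never send named its own SOA or DNSSEC records: the server bumps the
	# serial and regenerates signatures and NSEC chains by itself.
	$4 == "SOA" || $4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
	{
		rdata = $5
		for (i = 6; i <= NF; i++) rdata = rdata " " $i
		fixed = repl_ip(rdata)
		if (fixed == rdata) next
		# Delete the exact old RR (not the whole RRset), then add the new one.
		print "update delete " $1 " " $2 " " $3 " " $4 " " rdata
		print "update add "    $1 " " $2 " " $3 " " $4 " " fixed
		if (++n >= max) { print "send"; print "zone " zone; n = 0 }
	}
	END { if (n > 0) print "send" }'
}

# Real use, looping over zones (zones.txt is a placeholder list), with
# the server re-signing only the touched RRsets on each update:
#   for z in $(cat zones.txt); do
#     dig axfr "$z" | gen_update "$z" 192.0.2.10 198.51.100.20 | nsupdate -l
#   done
# Print the generated batch for review before piping it anywhere:
sample_axfr | gen_update example.net 192.0.2.10 198.51.100.20
```

Review the generated commands before piping them into nsupdate; with a batch size small enough for the zone, each `send` stays well inside the message-size limit, and the dynamic-update journal keeps the history that freeze/thaw would lose. For a signed zone this is the reason a bare `sed` over the AXFR output is not enough: the dump contains RRSIG and NSEC records that the server owns, and those must be filtered out of the update. nsdiff does that filtering and the batching for you, which is why it remains the better tool for anything beyond a one-off change.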