Allow only temporary zone updates without making them permanent

Tony Finch dot at dotat.at
Wed Jun 26 17:25:24 UTC 2019


Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
> On 26/6/2019 17:39, Grant Taylor via bind-users wrote:
> > Or are you wanting to update the zone contents without actually updating
> > the zone file on disk?
>
> Yes, exactly this. That is the reason I changed the actual zone disk
> file permissions to root thinking that files would not be modifiable,
> but bind surprised me there. I did not expect to change the file
> ownership from root to bind! The problem started with ACME actually as
> it always messes up my disk zone files and have to always restore them.
> I would still like to use something like that in small DDNS zones also,
> serving just a few IPs only. Non disk writable/modifiable zones could
> perhaps add a small layer of extra security as well.

If you have a dynamic zone then it's best to work as if the zone file
belongs to `named`. I configure `masterfile-format raw;` which removes the
temptation to look at the files directly. Instead I use `dig axfr` or
`named-compilezone -j`.

In most cases I keep the original source of the zone data elsewhere, e.g.
a file stored in version control or a database, and I sync up the working
copy of the zone with its source file using https://dotat.at/prog/nsdiff/.
This also means I don't have to care about serial numbers or DNSSEC
records because `named` takes care of those.

(I have a few less complicated zones where I don't have a separate source
file and instead use `nsvi` to edit the working copy.)

You should have secondary servers for your zone, in which case
ACME-related updates will be copied to the secondary and stored on disk
there, so suppressing writes on the primary won't make any useful
difference to how temporary the records are.

There are other ways to keep temporary dynamic records separate from your
fixed data, e.g. you can delegate _acme-challenge.<host> to a separate
dynamic zone, or to reduce the proliferation of zones, make
_acme-challenge.<hosts> CNAMEs to consolidate them into one separate
dynamic zone.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: Variable mainly northeasterly 4 or 5, occasionally 6 in south and 3
in north. Slight or moderate in south, smooth or slight in north. Fair. Good.
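As an added example (not code from the post, nor a configuration shipped by ISC), here is a `named.conf` fragment implementing the last suggestion above: the fixed data stays in a zone that refuses dynamic updates, while every `_acme-challenge.<host>` name is a CNAME into one small dynamic zone that the ACME client is allowed to update. Zone names (`example.org`, `acme.example.org`), the key name `acme-update`, file paths and the host names are assumptions chosen for illustration.

```conf
// Added example, not from the original post. Consolidates ACME challenge
// records into one separate dynamic zone so the static zone file is never
// rewritten by named. Zone names, key name and paths are assumptions.

// TSIG key used only by the ACME client. Generate the secret with
// `tsig-keygen acme-update` and paste the output here.
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

// Static zone: edited by hand or synced from version control. It has no
// allow-update or update-policy, so dynamic updates are refused and named
// never rewrites the file.
zone "example.org" {
    type master;                               // `primary` on BIND >= 9.16
    file "/var/named/static/example.org.db";
};
// Excerpt of example.org.db: delegate the dynamic zone and point each
// host's challenge name into it.
//   acme                  NS     ns1.example.org.
//   _acme-challenge.www   CNAME  www.acme.example.org.
//   _acme-challenge.mail  CNAME  mail.acme.example.org.

// Separate dynamic zone that receives the challenge TXT records. Its file
// belongs to named; raw format removes the temptation to edit it by hand
// (use `dig axfr` or `named-compilezone -j` to inspect it).
zone "acme.example.org" {
    type master;
    file "/var/named/dynamic/acme.example.org.raw";
    masterfile-format raw;
    update-policy {
        // The key may only add or delete TXT records at names inside
        // this zone; it cannot touch NS, SOA or anything in example.org.
        grant acme-update zonesub TXT;
    };
};
```

The ACME client then runs something like `nsupdate -k acme-update.key` with `update add www.acme.example.org 60 TXT "<token>"` followed by `send`, and deletes the record the same way after validation. Resolvers follow the CNAME from `_acme-challenge.www.example.org` to the dynamic zone, so the static file never changes, and `zonesub TXT` in the `update-policy` limits the blast radius if the key leaks to adding or removing TXT records in that one zone.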