Batch updating all DNS records on my Bind server

Chuck Aurora ca at nodns4.us
Mon Apr 20 17:23:22 UTC 2020


On 2020-04-20 10:33, Warren Kumari wrote:
> On Sat, Apr 18, 2020 at 12:52 PM Tony Finch <dot at dotat.at> wrote:
>> 
>> @lbutlr <kremels at kreme.com> wrote:
>> >
>> > Is it possible to batch update all the domains? Looking at nsupdate it
>> > looks like I have to step through and do every domain individually.
>> 
>> An UPDATE request can change many records, so long as they are all in
>> the same zone, and so long as they fit in the 64KB limit of DNS message
>> size. I find one request is usually enough for routine changes, but if
>> you are doing a bulk update to a large zone, you will need to split the
>> changes across multiple update requests.
>> 
>> You might find nsdiff helpful, both to verify that your bulk changes
>> are what you expect, and because it will split large updates into
>> multiple requests automatically. It's still one-zone-at-a-time, though.
>> A quick-and-dirty starting point might be roughly
>> 
>>         dig axfr $zone |
>>         sed 's/oldprefix/newprefix/' |
>>         nsdiff $zone /dev/stdin |
>>         nsupdate -l
>> 
>> https://dotat.at/prog/nsdiff/
> 
> Another option may be:
> rndc sync
> rndc freeze
> rndc sync
> [sed and awk[0] ]
> rndc thaw

The problem with freeze and thaw is that you lose your history.  I like
having history, and it won't hurt to have that in the future, when
dealing with the ISP's next capricious reassignment.  "On 2020-04-23[1]
you moved us from x.x.x.x to y.y.y.y, and now again to z.z.z.z?  We are
paying for a static IP address, what does 'static' mean?"

Another problem with that choice is that the zones are signed, and named
will have to re-sign the whole zone in one go.  I think (not sure) that
with nsupdate the signing will happen one record at a time; or at least,
only the relevant A / TXT(SPF) records with the changed IP address will
need to be signed.  Given that there are lots of zones being done in a
loop, there could be a very high load on the server and drain on its
pool of entropy.

So yeah, I'd go with Tony's plan here.  But I suppose the bottom line
for this list is, "nsupdate can't do batches, you have to script it."

> W
> [0]: Now at this point I should have remembered that profound truism:
> “Some people, when confronted with a Unix problem, think ‘I know,
> I’ll use sed.’ Now they have two problems.” jwz - 12 Dec 1992

LOL, yes, I thought that quote was about regular expressions, but
either way it sure fits.


[1] Shakespeare's death, 404 years ago; birth, 456 years ago, that day.
     What would the Bard do?  "To sed, or not to sed, ..."
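As an added, runnable illustration of the "you have to script it" conclusion above (this is not code from the thread, from nsdiff, or from BIND), here is a POSIX sh generator that turns the AXFR text of one zone into an nsupdate script. It swaps an old address for a new one in A records and in TXT (SPF) records, puts a prereq in front of each change so the update is only applied if the old record is still there, and emits `send` every N changes so a large zone is split across several UPDATE requests, the way Tony describes. The zones file, the 127.0.0.1 server, the 200-change default, and the sample zone text are all assumptions or constructed input; `dig axfr` and `nsupdate -l` are used as in Tony's pipeline.

```shell
#!/bin/sh
# Added example: generate nsupdate input for one zone from AXFR-style text.
# Usage: gen_ip_update ZONE OLD_IP NEW_IP [CHANGES_PER_MESSAGE] < zone.txt
# Input lines look like dig's "name TTL class type rdata" (tabs or spaces).
gen_ip_update() {
    zone=$1 old=$2 new=$3 batch=${4:-200}
    awk -v zone="$zone" -v old="$old" -v new="$new" -v batch="$batch" '
    # Replace whole-address occurrences of from with to in s; "192.0.2.10"
    # must not match inside "192.0.2.100" or "1192.0.2.10". Literal search,
    # so the dots in the address are never treated as regex metacharacters.
    function replace_ip(s, from, to,    out, i, pre, post) {
        out = ""
        while ((i = index(s, from)) > 0) {
            pre  = (i > 1) ? substr(s, i - 1, 1) : ""
            post = substr(s, i + length(from), 1)
            if (pre !~ /[0-9.]/ && post !~ /[0-9]/)
                out = out substr(s, 1, i - 1) to
            else
                out = out substr(s, 1, i - 1 + length(from))
            s = substr(s, i + length(from))
        }
        return out s
    }
    # Close the current UPDATE message after batch changes and open a new
    # one, so a big zone is spread over several requests instead of one
    # that would exceed the 64KB DNS message limit.
    function open_msg() {
        if (n == batch) { print "send"; n = 0 }
        if (n == 0) print "zone " zone
        n++
    }
    /^;/ || /^[[:space:]]*$/ { next }   # dig comment and blank lines
    $4 == "SOA" { next }                 # named maintains the serial itself
    $4 == "A" && $5 == old {             # exact RDATA match only
        open_msg()
        print "prereq yxrrset " $1 " " $3 " A " old
        print "update delete " $1 " " $3 " A " old
        print "update add " $1 " " $2 " " $3 " A " new
        next
    }
    $4 == "TXT" && index($0, old) > 0 {  # e.g. an SPF ip4: mechanism
        rdata = $0                       # keep the RDATA byte-for-byte
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", rdata)
        newrdata = replace_ip(rdata, old, new)
        if (newrdata == rdata) next      # only a longer address matched
        open_msg()
        print "prereq yxrrset " $1 " " $3 " TXT " rdata
        print "update delete " $1 " " $3 " TXT " rdata
        print "update add " $1 " " $2 " " $3 " TXT " newrdata
        next
    }
    END { if (n > 0) print "send" }
    '
}

# One UPDATE stream per zone: nsupdate cannot span zones, so loop. Assumes
# (not from the thread) a file with one zone per line, a named on
# 127.0.0.1 that allows AXFR from localhost, and the local session key
# that "nsupdate -l" uses. Not run by the sample below.
update_all_zones() {
    zones_file=$1 old=$2 new=$3
    while read -r z; do
        [ -n "$z" ] || continue
        dig @127.0.0.1 "$z" axfr |
            gen_ip_update "$z" "$old" "$new" |
            nsupdate -l || echo "update failed for $z" >&2
    done < "$zones_file"
}

# Constructed sample zone text (not real data) in dig axfr layout.
sample_axfr() {
    cat <<'EOF'
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2020042001 7200 3600 1209600 300
example.com.      3600  IN  NS   ns1.example.com.
example.com.      3600  IN  A    192.0.2.10
example.com.      3600  IN  TXT  "v=spf1 ip4:192.0.2.10 -all"
www.example.com.  300   IN  A    192.0.2.10
mail.example.com. 300   IN  A    192.0.2.100
mail.example.com. 300   IN  TXT  "v=spf1 ip4:192.0.2.100 -all"
old.example.com.  300   IN  A    192.0.2.1
ns1.example.com.  3600  IN  A    192.0.2.53
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2020042001 7200 3600 1209600 300
EOF
}
```

Run `sample_axfr | gen_ip_update example.com. 192.0.2.10 198.51.100.20 2` to see the generated script: three changes (the apex A, the apex SPF TXT, and www) split across two messages because the batch size is 2, while mail.example.com with its 192.0.2.100 is left alone. Because every change is guarded by `prereq yxrrset`, a stale snapshot (someone edited the zone between the AXFR and the update) fails the whole message for that zone rather than half-applying it, and the failure shows up on stderr in the loop.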

