Fun with nsudpate and ac1.nstld.com

[@lbutlr]

On 06 Jul 2020, at 17:59, Mark Andrews <marka at isc.org> wrote:
> Nsupdate can normally determine the name of the zone that has to be updated so most of the time you don’t need to specify the zone.  There are a few cases, like when adding delegating NS records or glue to the parent zone you have to override the normal zone discovery procedure.

So if I were to try adding web2.example.com via nsupdate I could simply 

> update add web2.example.com 96400 IN CNAME www.covisp.net
> send

That's good to know, but I fear I will remember that and use it in cases where I do need to specify it and muck things up.

I change DNS settings so infrequently that each time it is almost like starting over, especially since the underlying software has changed as well. Also, I need better notes, which I am taking this time. (Most of the serials on the DNS files are more than two years old)

The latest surprise was that dnssec-enable yes; is obsolete in Bind 9.16. I've noticed no fallout from simply uncommenting it, so I assume it is either required now or implied with dnssec-validation set or auto-dnssec in the zone config.

I do have motivation to get all this nsupdate stuff square, however, as I want to move Letsencrypt to wildcard certs and that requires updating the DNS during the LE exchange.



-- 
Vi Veri Veniversum Vivus Vici