nsupdate and zone files, was Re: Using RNDC to control remote access to my BIND server

Tony Finch dot at dotat.at
Sun Apr 25 14:36:36 UTC 2021


Paul Kosinski via bind-users <bind-users at lists.isc.org> wrote:

> A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP)
> IP address for my very simple domain. It worked, except that it totally
> messed up the organization of the zone file. Since the file only has 44
> active lines (which are organized logically), I maintain it by hand.
> After nsupdate made the one line change, the zone file became
> unmaintainable.
>
> Was this a bug in nsupdate, or does nobody try to understand their zone
> files?

When you have a zone that accepts dynamic updates, then its zone file is
owned by `named`, and `named` will rewrite the file to incorporate
updates, which (as you saw) also strips out comments and canonicalizes the
formatting. This is often surprising and upsetting to people who are new
to dynamic updates - you are not alone!

Basically, if you are doing dynamic updates, then the source of truth for
your zone needs to be somewhere else, not the zone file used by `named`.
(For example, at my work our zones are stored in a database and edited
with a web front end.)

I have some scripts which allow you to maintain your zone file however you
want, and push any differences into `named` using `nsupdate`, so you never
need to touch the zone files that it owns. https://dotat.at/prog/nsdiff/

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: Easterly or
northeasterly 5 to 7, occasionally 4 in east. Moderate or rough. Fair.
Good.
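
The workflow described in this message (keep a hand-maintained master copy, push only the differences to `named` with `nsupdate`) can be sketched as below. This is an added example, not code from the original post and not nsdiff's own implementation. It assumes both inputs are already one-record-per-line text such as `dig axfr` prints; the function names are hypothetical and the zone data is constructed.

```python
# Added illustration: turn the difference between the zone as served by named
# and a hand-maintained master copy into an nsupdate script.

# Record types that named maintains itself (serial, DNSSEC data) are left
# alone here; that is a simplification made for this sketch.
SKIP_TYPES = {"SOA", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

def parse_canonical(text):
    """Parse lines of the form 'name ttl class type rdata...' into a set."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:                       # not a full record line
            continue
        name, ttl, rclass, rtype, rdata = fields
        if rclass.upper() != "IN" or rtype.upper() in SKIP_TYPES:
            continue
        records.add((name.lower(), int(ttl), rtype.upper(), rdata))
    return records

def nsupdate_script(zone, served_text, master_text):
    """Return nsupdate commands that make the served zone match the master."""
    served = parse_canonical(served_text)
    master = parse_canonical(master_text)
    lines = [f"zone {zone}"]
    for name, _ttl, rtype, rdata in sorted(served - master):
        lines.append(f"update delete {name} IN {rtype} {rdata}")
    for name, ttl, rtype, rdata in sorted(master - served):
        lines.append(f"update add {name} {ttl} IN {rtype} {rdata}")
    if len(lines) == 1:
        return ""                                 # zones already agree
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed sample data (documentation names and addresses).
SERVED = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2021042501 3600 900 604800 3600
example.com. 3600 IN NS ns1.example.com.
home.example.com. 300 IN A 192.0.2.10
"""
MASTER = """\
; hand-maintained copy: comments and layout survive because named never owns it
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 3600
example.com. 3600 IN NS ns1.example.com.
home.example.com. 300 IN A 192.0.2.20
www.example.com. 300 IN CNAME home.example.com.
"""

if __name__ == "__main__":
    print(nsupdate_script("example.com.", SERVED, MASTER), end="")
```

The returned text is what would be fed to `nsupdate` (with `-k` and a TSIG key file when updates are authenticated), so the file that `named` owns is never edited by hand.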