How to update zone with dnssec-policy

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Jul 2 13:41:38 UTC 2023


On 02/07/2023 12:27, Matthias Fechner wrote:
> I have the following problem that changes in a zone file do not get 
> active, no matter if I reload the zone using rndc or restarting bind 
> 9.16.42 on FreeBSD.
> If I update a zone I edit the zone file, adapt the serial in the SOA and 
> normally do a rndc reload fechner.net.
> 
> The nameserver is more or less setup like it is described here:
> https://wiki.idefix.fechner.net/freebsd/bind/
> 
> The zone file for domain fechner.net is in directory: 
> /usr/local/etc/namedb/master/fechner.net
> 
> It is not a dynamic zone file or better I cannot freeze it:
>   rndc freeze fechner.net
> rndc: 'freeze' failed: not dynamic
> 
> But if I delete the files:
> fechner.net.jbk
> fechner.net.signed.jnl
> 
> and restart bind, zone changes are correctly loaded and I can see an 
> increased serial in:
> dig -t soa fechner.net.
> 
> Would be nice if someone can explain to me how I need to edit a zone file 
> that has a dnssec-policy attached so that modifications get active, without 
> the need to delete the *.[jbk|jnl] files.
> 

Personally, I maintain zone files with DNSSEC signing on FreeBSD using 
the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch 
-- someone well known on this list.

You can keep your zone files in git or whatever code repository suits 
you. nsdiff will compare what's live in your DNS zone against what's in 
your updated zone file and generate a script for nsupdate(1) to make the 
former match the latter.

You'll need to configure appropriate levels of access for nsupdate(1). 
That can be from pretty much any machine given you set up zone policies 
and distribute keys appropriately. Although if you run nsdiff directly 
on your primary DNS machine, you should be able to use the built-in 
/var/run/named/session.key with a per-zone policy like:

```
update-policy {
    grant local-ddns zonesub any;
};
```

See the '-l' flag to nsupdate(1).

	Cheers,

	Matthew




-- 
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
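The workflow Matthew describes, shown as an added example that is not the nsdiff port's own code: diff a snapshot of the live zone against the edited file and emit an nsupdate(1) script. The zone name, records and the simplified one-record-per-line format are constructed for the example; the real nsdiff handles full zone-file syntax and serial policies.

```python
"""Minimal nsdiff-style generator: live zone snapshot vs. edited zone file.

Records use a simplified 'owner ttl class type rdata' one-per-line form
(constructed for this example; not the real tool's parser).
"""

def parse_zone(text):
    """Return {(owner, ttl, type, rdata)} from the simplified zone text."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.add((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return records

def nsdiff_script(zone, live_text, new_text):
    """Build the nsupdate script turning live into new; return (script, changed).

    SOA records are not diffed: the server bumps the serial itself when it
    applies a dynamic update, so the serial in the file does not matter here.
    The live SOA is used as a prerequisite so the update is refused if the
    zone changed underneath us between the snapshot and the update.
    """
    live, new = parse_zone(live_text), parse_zone(new_text)
    live_soa = [r for r in live if r[2] == "SOA"]
    live = {r for r in live if r[2] != "SOA"}
    new = {r for r in new if r[2] != "SOA"}
    removed, added = sorted(live - new), sorted(new - live)
    if not removed and not added:
        return "", False
    lines = [f"zone {zone}"]
    lines += [f"prereq yxrrset {o} IN SOA {rd}" for o, _ttl, _t, rd in live_soa]
    lines += [f"update delete {o} {ttl} IN {t} {rd}" for o, ttl, t, rd in removed]
    lines += [f"update add {o} {ttl} IN {t} {rd}" for o, ttl, t, rd in added]
    lines.append("send")
    return "\n".join(lines) + "\n", True

# Constructed sample data: one A record changed, one TXT record added.
LIVE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2023070101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
"""
NEW = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2023070102 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.11   ; host moved
example.com. 300 IN TXT "v=spf1 -all"   ; new record
"""

if __name__ == "__main__":
    script, changed = nsdiff_script("example.com", LIVE, NEW)
    print(script if changed else "; no changes", end="")   # pipe into: nsupdate -l
```

On the primary, the printed script can be fed to `nsupdate -l` so it authenticates with the session key under the update-policy shown above.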