How to update zone with dnssec-policy

Matthias Fechner idefix at fechner.net
Mon Jul 3 18:36:57 UTC 2023


On 02.07.2023 at 16:41, Matthew Seaman wrote:
> Personally, I maintain zone files with DNSSEC signing on FreeBSD using 
> the dns/p5-DNS-nsdiff port, which is a perl module written by Tony 
> Finch -- someone well known on this list.
>
> You can keep your zone files in git or whatever code repository suits 
> you. nsdiff will compare what's live in your DNS zone against what's in 
> your updated zone file and generate a script for nsupdate(1) to make 
> the former match the latter.
>
> You'll need to configure appropriate levels of access for nsupdate(1). 
> That can be from pretty much any machine given you set up zone 
> policies and distribute keys appropriately. Although if you run nsdiff 
> directly on your primary DNS machine, you should be able to use the 
> built-in /var/run/named/session.key with a per-zone policy like:
>
> ```
>          update-policy {
>              grant local-ddns zonesub any;
>          };
> ```
>
> See the '-l' flag to nsupdate(1) 

thanks, that is very interesting information.
What I understood from the documentation:
-s server[#port]

I can maintain e.g. my zones from my local computer at home inside a git 
repository and use nsdiff and nspatch to push the changes to the server 
in the internet?

Does the server then have the source file (fechner.net) or does the 
server only work with raw and the .jnl file?

If I add a new zone, do I only need to configure it as master, define 
access to it and then upload the zone data via nspatch?

If that would all be possible, that technique can maybe also be used to 
change letsencrypt verification to dns using the nsupdate command to get 
required information into the zone file.
That would definitely open a lot of new possibilities to put more 
automation into the full setup. ;)

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
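The following is an added example, not nsdiff's code and not part of the thread, showing the step Matthew describes: take the records the primary currently serves, take the records the zone file in git wants, and emit the nsupdate(1) script that makes the former match the latter. It assumes a simplified zone format (one RR per line with fully qualified owner names, no $ORIGIN/$TTL/$INCLUDE and no multi-line records), and the example.com zone data is constructed. Like nsdiff it skips the RRSIG/NSEC/DNSKEY family, because under dnssec-policy those records belong to named's signer, and it leaves the SOA alone, because named increments the serial itself on every accepted dynamic update; that is also the answer to the "raw and .jnl" question: the server only needs the dynamic zone, not your source file. The `_acme-challenge` TXT record in the wanted zone shows how the same path would carry a DNS-01 validation token.

```python
"""Added example: a minimal stand-in for what nsdiff does (not nsdiff's code).

Compares the live record set of a zone with the record set wanted by a zone
file and builds the nsupdate(1) script that turns the former into the latter.
Assumes a simplified zone format: one RR per line, "owner TTL class type rdata",
fully qualified names, no $ORIGIN/$TTL/$INCLUDE, no multi-line records.
"""
from collections import Counter

# Records named manages itself under dnssec-policy (or inline signing).
# A diff must never add or delete these, or it would fight the signer;
# nsdiff skips them for the same reason.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}


def parse_records(text):
    """Return a Counter of (owner, ttl, type, rdata) for the non-DNSSEC RRs in text."""
    recs = Counter()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments (naive: breaks on ';' inside TXT strings)
        if not line:
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) != 5:
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype in DNSSEC_TYPES:
            continue
        # Normalise whitespace so cosmetic differences do not show up as changes.
        recs[(owner.lower(), int(ttl), rtype, " ".join(rdata.split()))] += 1
    return recs


def zone_diff(live_text, wanted_text):
    """Return (to_delete, to_add) as sorted lists of (owner, ttl, type, rdata).

    The SOA is excluded: a dynamic zone's SOA belongs to named, which bumps
    the serial itself on every accepted update.
    """
    live = Counter({r: n for r, n in parse_records(live_text).items() if r[2] != "SOA"})
    wanted = Counter({r: n for r, n in parse_records(wanted_text).items() if r[2] != "SOA"})
    return sorted((live - wanted).elements()), sorted((wanted - live).elements())


def nsupdate_script(zone, live_text, wanted_text):
    """Build the nsupdate(1) script turning the live zone into the wanted one."""
    to_delete, to_add = zone_diff(live_text, wanted_text)
    lines = [f"zone {zone}"]
    # Prerequisite: the live SOA must still be the one we diffed against.
    # If something else changed the zone in between, the server rejects the
    # whole update instead of silently clobbering that change.
    for owner, _ttl, rtype, rdata in parse_records(live_text):
        if rtype == "SOA":
            lines.append(f"prereq yxrrset {owner} IN SOA {rdata}")
    for owner, ttl, rtype, rdata in to_delete:
        lines.append(f"update delete {owner} {ttl} IN {rtype} {rdata}")
    for owner, ttl, rtype, rdata in to_add:
        lines.append(f"update add {owner} {ttl} IN {rtype} {rdata}")
    lines.append("send")  # one atomic update transaction: all or nothing
    return "\n".join(lines) + "\n"


# Constructed data: what the primary currently serves (e.g. fetched by AXFR) ...
LIVE_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2023070301 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN RRSIG SOA 13 2 3600 20230717000000 20230703000000 12345 example.com. ZmFrZQ==
www.example.com.   300 IN A     192.0.2.10
mail.example.com.  300 IN A     192.0.2.20
"""

# ... and the constructed zone file from git that should become live.
WANTED_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2023070302 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
www.example.com.   300 IN A     192.0.2.11   ; address changed
mail.example.com.  300 IN A     192.0.2.20
_acme-challenge.example.com. 60 IN TXT "constructed-dns-01-token"
"""

if __name__ == "__main__":
    # Pipe the output into `nsupdate -l` on the primary (with the local-ddns
    # update-policy quoted above) or into `nsupdate -k <tsig-key-file>` elsewhere.
    print(nsupdate_script("example.com", LIVE_ZONE, WANTED_ZONE), end="")
```

Running it prints one `zone`/`prereq`/`update delete`/`update add`/`send` transaction; everything between `zone` and `send` is applied atomically by the server, so a half-applied change cannot be left behind. The `prereq yxrrset ... SOA` line is a design choice of this example rather than something the thread states: it makes the update fail loudly if the live zone moved on since it was read.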