How to update zone with dnssec-policy
Matthew Seaman
m.seaman at infracaninophile.co.uk
Tue Jul 4 07:16:46 UTC 2023
On 03/07/2023 19:36, Matthias Fechner wrote:
> What I understood from the documentation:
> *-s* /server/[#/port/]
>
> I can maintain e.g. my zones from my local computer at home inside a git
> repository and use nsdiff and nspatch to push the changes to the server
> in the internet?
Correct.
> Does the server then have the source file (fechner.net) or does the
> server only work with raw and the .jnl file?
By default, the primary server will end up with a `fechner.net` zone
data file in text format which contains pretty much the same RRs as
your master copy in git, but reformatted into a standard style, sorted
into order and with comments stripped[*]. Plus added DNSKEY, CDS,
CDNSKEY, RRSIG records from dnssec signing.
There will be a .jnl file for each zone with the latest updates to the
zone -- in principle you can use rndc(8) to flush changes from the
journal into the main zone file, but this isn't necessary if you're
using nsupdate based methods exclusively to maintain the zone data.
[*] Unless you have configured `masterfile-format raw` in which case
your zone files will be in binary format.
> If I add a new zone, do I only need to configure it as master, define
> access to it and then upload the zone data via nspatch?
That should work, I think. Can't say for sure as I don't tend to add
new zones much. You might need to start with a minimal zone file
containing just SOA and NS records.
> If that would all be possible, that technique can maybe also be used to
> change letsencrypt verification to dns using the nsupdate command to get
> required information into the zone file.
Yes, I can confirm this works brilliantly with the dns-rfc2136 plugin.
> That would definitely open a lot of new possibilities to put more
> automation to the full setup. ;)
I've found it works very well to exempt TLSA and SSHFP records from
nsdiff management (ie. nsdiff -i 'TLSA|SSHFP' ...) and then use Ansible
to generate the appropriate resource records from corresponding keys on
each host and add them into the zone data using the
community.general.nsupdate module.
Cheers,
Matthew
--
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
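A worked example of the last step described above (deriving SSHFP records from a host's public key and pushing them with nsupdate), added here and not taken from the post, from BIND or from nsdiff: it computes SSHFP rdata the way `ssh-keygen -r` does and writes the stanza that `nsupdate` reads on stdin. The server, zone, host name and key blob are constructed placeholders; the TSIG key is assumed to be handed to nsupdate separately with `-k`.

```python
import base64
import hashlib

# SSHFP algorithm numbers from the IANA registry (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 (RFC 6594)


def sshfp_rdata(pubkey_line):
    """Return (algorithm, fptype, fingerprint_hex) for one OpenSSH public-key line.

    The fingerprint is SHA-256 over the base64-decoded key blob, which is what
    `ssh-keygen -r` emits for fingerprint type 2.
    """
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] not in SSHFP_ALGORITHMS:
        raise ValueError("unsupported or malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    return SSHFP_ALGORITHMS[parts[0]], SSHFP_FPTYPE_SHA256, hashlib.sha256(blob).hexdigest().upper()


def nsupdate_script(server, zone, host, pubkey_lines, ttl=3600):
    """Build the text nsupdate(1) reads on stdin, replacing every SSHFP RR at `host`.

    Deleting the whole RRset before re-adding keeps the run idempotent, so a
    rotated host key never leaves a stale fingerprint in the zone.
    """
    lines = [f"server {server}", f"zone {zone}", f"update delete {host}. SSHFP"]
    for line in pubkey_lines:
        alg, fptype, fp = sshfp_rdata(line)
        lines.append(f"update add {host}. {ttl} IN SSHFP {alg} {fptype} {fp}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def constructed_ed25519_pubkey():
    """Constructed sample key line (not a real host key): a well-formed ed25519 blob."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host1"


if __name__ == "__main__":
    # Pipe this into: nsupdate -k /path/to/tsig.key   (placeholder path)
    print(nsupdate_script("ns1.example.net", "example.net", "host1.example.net",
                          [constructed_ed25519_pubkey()]), end="")
```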