How to update zone with dnssec-policy

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Jul 4 07:16:46 UTC 2023


On 03/07/2023 19:36, Matthias Fechner wrote:
> What I understood from the documentation:
> *-s* /server/[#/port/]
> 
> I can maintain e.g. my zones from my local computer at home inside a git 
> repository and use nsdiff and nspatch to push the changes to the server 
> in the internet?

Correct.

> Does the server then have the source file (fechner.net) or does the 
> server only work with raw and the .jnl file?

By default, the primary server will end up with a `fechner.net` zone 
data file in text format which contains pretty much the same RRs as 
your master copy in git, but reformatted into a standard style, sorted 
into order and with comments stripped[*].  Plus added DNSKEY, CDS, 
CDNSKEY, RRSIG records from dnssec signing.

There will be a .jnl file for each zone with the latest updates to the 
zone -- in principle you can use rndc(8) to flush changes from the 
journal into the main zone file, but this isn't necessary if you're 
using nsupdate based methods exclusively to maintain the zone data.

[*] Unless you have configured `masterfile-format raw` in which case 
your zone files will be in binary format.

> If I add a new zone, do I only need to configure it as master, define 
> access to it and then upload the zone data via nspatch?

That should work, I think.  Can't say for sure as I don't tend to add 
new zones much.  You might need to start with a minimal zone file 
containing just SOA and NS records.

> If that would all be possible, that technique can maybe also be used to 
> change letsencrypt verification to dns using the nsupdate command to get 
> required information into the zone file.

Yes, I can confirm this works brilliantly with the dns-rfc2136 plugin.

> That would definitely open a lot of new possibilities to put more 
> automation into the full setup. ;)

I've found it works very well to exempt TLSA and SSHFP records from 
nsdiff management (ie. nsdiff -i 'TLSA|SSHFP' ...) and then use Ansible 
to generate the appropriate resource records from corresponding keys on 
each host and add them into the zone data using the 
community.general.nsupdate module.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
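As an added illustration of the workflow Matthew describes (TLSA and SSHFP kept out of nsdiff and fed to the server through nsupdate instead), the following is example code written for this page, not part of the reply or of the Ansible module. It derives SSHFP and TLSA rdata from a host's OpenSSH public key line and certificate bytes and emits an nsupdate(1) batch that replaces those records only; the host name, TTL and key/certificate bytes are constructed placeholders.

```python
"""Build an nsupdate batch that replaces one host's SSHFP and TLSA records."""
import base64
import hashlib

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALG = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

def sshfp_rdata(key_line):
    """SSHFP rdata '<alg> 2 <hex>' (fingerprint type 2 = SHA-256) from an
    OpenSSH public key line such as a line of /etc/ssh/ssh_host_ed25519_key.pub."""
    keytype, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)        # the wire-format key blob is what is hashed
    return f"{SSHFP_ALG[keytype]} 2 {hashlib.sha256(blob).hexdigest()}"

def tlsa_rdata(data, usage=3, selector=0):
    """TLSA rdata with matching type 1 (SHA-256). Defaults to DANE-EE (3) over
    the full certificate (0); pass the DER SPKI and selector=1 for SPKI matching."""
    return f"{usage} {selector} 1 {hashlib.sha256(data).hexdigest()}"

def nsupdate_batch(host, ttl, ssh_key_lines, cert_der, tls_port=443):
    """Return nsupdate input that atomically swaps the host's SSHFP and TLSA
    RRsets: delete the whole RRset of each type, add the fresh records, send."""
    tlsa_name = f"_{tls_port}._tcp.{host}"
    lines = [f"update delete {host} SSHFP", f"update delete {tlsa_name} TLSA"]
    for key_line in ssh_key_lines:
        lines.append(f"update add {host} {ttl} IN SSHFP {sshfp_rdata(key_line)}")
    lines.append(f"update add {tlsa_name} {ttl} IN TLSA {tlsa_rdata(cert_der)}")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed inputs: "YWJj" is base64 of b"abc", not a real Ed25519 blob,
    # and b"abc" stands in for a DER-encoded certificate.
    keys = ["ssh-ed25519 YWJj root@host"]
    print(nsupdate_batch("host.example.net.", 3600, keys, b"abc"), end="")
```

The batch is meant to be piped into `nsupdate -k` with a TSIG key whose `update-policy` grant on the server is limited to the SSHFP and TLSA types for that name, so the automation cannot touch the rest of the zone.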
