How to update zone with dnssec-policy
Matthias Fechner
idefix at fechner.net
Wed Jul 5 10:13:09 UTC 2023
On 04.07.2023 at 10:16, Matthew Seaman wrote:
>
> By default, the primary server will end up with a `fetchner.net` zone
> data file in text format which contains pretty much the same RRs
> as your master copy in git, but reformatted into a standard style,
> sorted into order and with comments stripped[*]. Plus added DNSKEY,
> CDS, CDNSKEY, RRSIG records from dnssec signing.
>
> There will be a .jnl file for each zone with the latest updates to the
> zone -- in principle you can use rndc(8) to flush changes from the
> journal into the main zone file, but this isn't necessary if you're
> using nsupdate based methods exclusively to maintain the zone data.
>
> [*] Unless you have configured `masterfile-format raw` in which case
> your zone files will be in binary format.
I have now started to set everything up.
To give it a try, I created a key and configured the zone to allow updates.
I documented that already for myself, maybe that is also helpful for
someone else:
https://wiki.idefix.fechner.net/freebsd/bind/#manage-your-zones-with-git-and-nsdiff--nsupdate-wip
As the link may change, here is a more generic one:
https://wiki.idefix.fechner.net/freebsd/bind
So far, nsdiff generates the expected output; the next step is now to apply
the changes in an automated way.
Regards
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
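The workflow discussed in this thread (zone master copy in git, primary signed by dnssec-policy, changes pushed with nsupdate) hinges on one point the quoted reply makes: the primary's copy of the zone carries DNSKEY, CDS, CDNSKEY and RRSIG records that the git copy does not, and an automated diff must never "correct" those away. The following is an added example, not code from the thread, from nsdiff or from BIND: a simplified re-implementation of what nsdiff does, which parses two zone files (the served copy and the git copy), ignores the DNSSEC-maintained types and the SOA, and emits an nsupdate script for the remaining differences. The zone parser is deliberately minimal (one record per line, no parenthesised multi-line records, numeric TTLs only) and the zone contents are constructed sample data.

```python
"""Generate an nsupdate script from the difference between the zone as served
and the zone kept in git. Added example (not nsdiff itself); the parser is a
simplified master-file reader, and all zone data below is constructed."""

# Record types that dnssec-policy maintains on the primary. An automated update
# must leave these alone, otherwise it strips the signing records from the zone.
DNSSEC_MANAGED = {"DNSKEY", "CDS", "CDNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}
CLASSES = {"IN", "CH", "HS"}
# Types whose last rdata field is a domain name; relative names in the git copy
# are expanded so they compare equal to the absolute names in the served copy.
NAME_IN_LAST_FIELD = {"NS", "CNAME", "PTR", "MX", "SRV", "DNAME"}


def _fqdn(name, origin):
    """Make a name absolute and lower-case relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse a simplified master-format zone into a set of
    (owner, ttl, type, rdata) tuples. Supports $ORIGIN (absolute names only),
    $TTL, ';' comments, '@', and a leading-whitespace line reusing the previous
    owner. Multi-line records and symbolic TTLs (e.g. '1h') are not handled."""
    origin = origin.rstrip(".").lower() + "."
    default_ttl = "3600"
    last_owner = origin
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            default_ttl = line.split()[1]
            continue
        fields = line.split()
        if raw[0] in " \t":
            owner = last_owner
        else:
            owner = _fqdn(fields.pop(0), origin)
            last_owner = owner
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = fields.pop(0)
        if fields and fields[0].upper() in CLASSES:
            fields.pop(0)
        if not fields:
            continue  # malformed line: owner without a type
        rtype = fields.pop(0).upper()
        if rtype in NAME_IN_LAST_FIELD and fields:
            fields[-1] = _fqdn(fields[-1], origin)
        records.add((owner, ttl, rtype, " ".join(fields)))
    return records


def zone_diff(served, wanted):
    """Return (records to delete, records to add), excluding everything that
    the server manages itself: the DNSSEC types and the SOA (named bumps the
    serial on every dynamic update, so the git serial is irrelevant)."""
    def managed(rr):
        return rr[2] in DNSSEC_MANAGED or rr[2] == "SOA"
    served = {rr for rr in served if not managed(rr)}
    wanted = {rr for rr in wanted if not managed(rr)}
    return sorted(served - wanted), sorted(wanted - served)


def nsupdate_script(zone, served_text, wanted_text, server=None):
    """Build the text to feed to `nsupdate -k <keyfile>` on stdin."""
    zone = zone.rstrip(".").lower() + "."
    deletes, adds = zone_diff(parse_zone(served_text, zone), parse_zone(wanted_text, zone))
    lines = [f"server {server}"] if server else []
    lines.append(f"zone {zone}")
    lines += [f"update delete {o} {t} {ty} {rd}" for o, t, ty, rd in deletes]
    lines += [f"update add {o} {t} {ty} {rd}" for o, t, ty, rd in adds]
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample: the primary's copy (reformatted by named, with signing
# records; key and signature material are placeholders, not real values) ...
SERVED = """\
$ORIGIN example.net.
$TTL 3600
@  IN SOA ns1.example.net. hostmaster.example.net. 2023070501 7200 900 1209600 3600
@  IN NS ns1.example.net.
@  IN A 192.0.2.10
www  IN A 192.0.2.10
old  IN A 192.0.2.20
@  IN DNSKEY 257 3 13 PLACEHOLDER-KEY
@  IN RRSIG A 13 2 3600 20230801000000 20230705000000 12345 example.net. PLACEHOLDER-SIG
"""

# ... and the git copy, with comments, relative names and a stale serial.
WANTED = """\
; master copy kept in git
$TTL 3600
$ORIGIN example.net.
@       IN  SOA ns1 hostmaster.example.net. 2023070401 7200 900 1209600 3600
@       IN  NS  ns1
        IN  A   192.0.2.10
www     IN  A   192.0.2.10
mail    IN  MX  10 mail
mail    IN  A   192.0.2.30
"""

if __name__ == "__main__":
    print(nsupdate_script("example.net", SERVED, WANTED), end="")
```

Run against the constructed data, the script deletes only `old.example.net.` and adds the two `mail` records; the DNSKEY and RRSIG records in the served copy produce no `update delete` lines even though they are absent from git. In practice the served copy comes from `dig AXFR` or the primary's text zone file, and the output is piped into `nsupdate -k` with the TSIG key that the zone's `update-policy` or `allow-update` grants.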