Bind forgets my changes with nsupdate
Michael Richardson
mcr at sandelman.ca
Fri Oct 6 19:37:16 UTC 2023
In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand. I see that you are doing manual DNSSEC signing in your
cron job.
Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
in bind9.
b) do your DNSSEC signing inline.
   I blogged poorly about my setup:
   https://www.sandelman.ca/mcr/blog/sysadmin/bind9-dnssec-formula/
c) a mix of the above.
My solution is not to mix dynamic update with other access.
Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone)
where I do exclusive dynamic update. This isn't perfect, but it works
well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my
certificates.
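The layout described in the post above, as an added example that is neither the author's own configuration nor anything shipped with BIND: a hand-edited, inline-signed parent zone that carries no dynamic-update clause at all, a separate sub-zone that is touched only through nsupdate with a TSIG key, and a CNAME from `_acme-challenge` in the parent into that sub-zone so a dns-01 client can follow it. The zone names (example.com / acme.example.com), the TSIG key name, the nameserver address, the file paths and the `www` label are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from BIND itself.
# Layout (all names are assumptions):
#   example.com                      hand-edited zone file, inline-signed, NO updates
#   acme.example.com                 dynamic-update-only sub-zone, signed automatically
#   _acme-challenge.www.example.com  CNAME -> _acme-challenge.www.acme.example.com

PARENT_ZONE="example.com"
ACME_ZONE="acme.example.com"
KEY_NAME="certbot-acme-key"      # assumed TSIG key: tsig-keygen certbot-acme-key > /etc/bind/keys.conf
KEY_FILE="/etc/bind/keys.conf"
NS_ADDR="127.0.0.1"

# named.conf fragment.  The parent zone has no allow-update/update-policy, so a
# hand edit (bump the SOA serial, then "rndc reload") is never overwritten by a
# journal.  The ACME zone grants the TSIG key TXT records only; the zone exists
# for nothing but challenge tokens, so "zonesub TXT" is the intended blast radius.
named_conf_fragment() {
    cat <<EOF
include "${KEY_FILE}";

zone "${PARENT_ZONE}" {
    type primary;
    file "/var/lib/bind/${PARENT_ZONE}.zone";
    dnssec-policy default;
    inline-signing yes;      /* named signs a copy; the file on disk stays unsigned */
};

zone "${ACME_ZONE}" {
    type primary;
    file "/var/lib/bind/${ACME_ZONE}.zone";
    dnssec-policy default;
    update-policy {
        grant ${KEY_NAME} zonesub TXT;
    };
};
EOF
}

# Records for the hand-edited parent zone file.  The sub-zone needs a real
# delegation (NS plus DS) or validating resolvers, the CA's included, cannot
# follow the CNAME into a signed sub-zone.
parent_zone_records() {
    cat <<EOF
; /var/lib/bind/${PARENT_ZONE}.zone -- bump the SOA serial after every edit
acme                    IN NS    ns1.${PARENT_ZONE}.
; DS for the sub-zone: paste the output of (key-directory and key tag are placeholders)
;   dnssec-dsfromkey -2 /var/cache/bind/K${ACME_ZONE}.+013+NNNNN.key
; and then tell named:  rndc dnssec -checkds published ${ACME_ZONE}
_acme-challenge         IN CNAME _acme-challenge.apex.${ACME_ZONE}.
_acme-challenge.www     IN CNAME _acme-challenge.www.${ACME_ZONE}.
EOF
}

# Map a hostname to the label used inside the ACME zone ("apex" for the zone
# apex).  Refuses names outside the parent zone instead of guessing.
acme_label() {
    domain="$1"
    case "$domain" in
        "${PARENT_ZONE}")  echo "apex" ;;
        *.${PARENT_ZONE})  echo "${domain%.${PARENT_ZONE}}" ;;
        *)                 echo "not under ${PARENT_ZONE}: ${domain}" >&2; return 1 ;;
    esac
}

# nsupdate transaction for one challenge: replace whatever TXT is present with
# the new token.  Only the ACME zone is ever written to.
acme_nsupdate_batch() {
    label="$1"   # e.g. "www"
    token="$2"   # the validation string handed over by the ACME client
    cat <<EOF
server ${NS_ADDR}
zone ${ACME_ZONE}.
update delete _acme-challenge.${label}.${ACME_ZONE}. TXT
update add _acme-challenge.${label}.${ACME_ZONE}. 60 IN TXT "${token}"
send
EOF
}

# certbot --manual-auth-hook entry point: certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION to the hook.
certbot_auth_hook() {
    label="$(acme_label "${CERTBOT_DOMAIN}")" || return 1
    acme_nsupdate_batch "${label}" "${CERTBOT_VALIDATION}" | nsupdate -k "${KEY_FILE}"
}

if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    certbot_auth_hook
else
    # No challenge in the environment: print the fragments for review.
    named_conf_fragment; echo; parent_zone_records; echo
    acme_nsupdate_batch www EXAMPLE_TOKEN
fi
```

Run it without arguments to see the three fragments, or point certbot at it with `--manual --preferred-challenges dns --manual-auth-hook ./acme-hook.sh`. The reason this does not lose edits is structural: named only ever writes a journal for acme.example.com, and nothing but nsupdate writes that zone; example.com is only ever edited by hand and reloaded. If you do have to hand-edit a zone that has dynamic update enabled, `rndc freeze` / `rndc thaw` around the edit is the supported way, but the split above avoids needing it at all.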