Bind forgets my changes with nsupdate

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sat Oct 7 16:41:27 UTC 2023


Paul van der Vlis via bind-users wrote:
> But how could I refresh the key without losing the IP?

I was in a similar situation. I managed my zone files mostly manually,
but a few records needed to be updated automatically. Either manual
changes would obliterate automatically updated records, as you found,
or else automatic updates would cause Bind to rearrange the zone files
and lose all comments, making manual editing much harder.

I have arrived at what I think is a working solution. I'm still
monitoring to see how it works. I now make all changes through dynamic
updates (like with nsupdate), using different TSIG keys with different
privileges in update-policy. Signing and key rotation are handled
automatically by Bind, using dnssec-policy.

I use nsdiff (https://dotat.at/prog/nsdiff/) and nsupdate to apply
manual changes. That way I still have hand-written zone files with
comments, so I can keep an overview, but Bind never sees them. The zone
files that Bind uses are managed by Bind and don't need to be easy to
read. I have a wrapper script that calls nsdiff to compare each hand-written
zone file to the corresponding zone on the server, specifying a
pattern with -i to tell nsdiff which records are managed in other ways.
The wrapper then displays the changes, asks for approval, and then
applies the changes through nsupdate.

My TSIG key for manual changes, which has much greater privileges than
the keys for specific automatic updates, is stored in an encrypted
keyring managed with Pass (https://www.passwordstore.org/). My wrapper
requests the key from Pass – which requires me to type the master
passphrase – and passes it to nsdiff and to nsupdate using pipes so
that the decrypted key is never written to even a temporary file.

I found that inline-signing breaks nsdiff. I recommend an explicit
"inline-signing no;" in each zone to prevent problems. Bind will then
not keep an unsigned version of the zone, and it doesn't need to when
all changes are made through dynamic updates.

Björn Persson
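A wrapper of the kind described in the post, written here as an added example rather than the poster's own script: it runs nsdiff against the hand-written zone file, shows the add/delete lines for approval, and hands the TSIG key from pass to nsdiff and nsupdate over pipes. The directory layout, the pass entry name, the -i pattern and nsdiff's default argument handling are assumptions.

```bash
#!/bin/bash
# Added example, not the poster's own wrapper. Pushes hand-written zone
# files to a BIND primary with nsdiff and nsupdate, taking the TSIG key
# from pass. Assumed (not stated in the post): zone files sit in $ZONEDIR
# and are named after the zone, the pass entry holds the key in named.conf
# "key" syntax, and $IGNORE is the -i regex for records other keys manage.
set -euo pipefail
ZONEDIR=${ZONEDIR:-/etc/dns/zones}
SERVER=${SERVER:-127.0.0.1}
PASS_ENTRY=${PASS_ENTRY:-dns/tsig/manual}
IGNORE=${IGNORE:-'^(dyn|_acme-challenge)\.'}

# Keep only the lines a human needs to approve from an nsupdate script.
review_lines() { grep -E '^update (add|delete) ' || true; }

# Succeeds if the nsupdate script on stdin deletes anything.
has_deletions() { grep -qE '^update delete '; }

apply_zone() {
  local zone=$1 key script status=0
  key=$(pass show "$PASS_ENTRY")   # gpg passphrase prompt happens here
  # nsdiff fetches the old version by AXFR from -s and reads the new version
  # from the file named after the zone in the current directory (check
  # nsdiff(1) if your version differs); it exits 0 = same, 1 = differ,
  # >1 = error. <(...) hands the key over a pipe (/dev/fd), never a file.
  script=$(cd "$ZONEDIR" && nsdiff -s "$SERVER" -k <(printf '%s\n' "$key") \
                                   -i "$IGNORE" "$zone") || status=$?
  case $status in
    0) echo "$zone: no changes"; return 0 ;;
    1) ;;
    *) echo "$zone: nsdiff failed (status $status)" >&2; return "$status" ;;
  esac
  echo "Proposed changes for $zone:"
  printf '%s\n' "$script" | review_lines
  if printf '%s\n' "$script" | has_deletions; then
    echo "NOTE: this change set deletes records"
  fi
  read -r -p "Apply? [y/N] " answer
  [ "$answer" = y ] || { echo "$zone: skipped"; return 0; }
  # nsdiff's output is a complete nsupdate script ending in "send"; nsupdate
  # sends it to the zone's primary (SOA MNAME) unless the script names one.
  printf '%s\n' "$script" | nsupdate -k <(printf '%s\n' "$key")
  echo "$zone: applied"
}

main() { local z; for z in "$@"; do apply_zone "$z"; done; }
[ $# -eq 0 ] || main "$@"
```

Run it as `./nsapply example.org example.net`; each zone is reviewed and confirmed separately, and the key is decrypted once per zone.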