manual editing of dynamic zones files

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 4 00:19:00 UTC 2006


Dan Foster wrote:

>In article <dog41h$h9m$1 at sf1.isc.org>, Roman Mashak <romez777 at gmail.com> wrote:
>
>>I suppose there's some restriction prohibiting manual editing of
>>dynamic DNS zone files: I tried to do that, and after restarting
>>named there were no new entries in the zone file. Is that normal and
>>standard behavior? (It happened with bind-8.2.3REL.)
>
>Yes, there are restrictions. It relates to technical reasons involving
>dynamic DNS-related incremental transfers and journalling.
>
>Yes, the behavior you described is expected, because that's not the
>right way to do it before BIND 9.3.1.
>
>Starting with BIND 9.3.1, you can do it without stopping the nameserver by:
>
>	# rndc freeze <zone>
>	# vi <zone>
>	# rndc unfreeze <zone>
>
>With BIND 9.2.x:
>
>	# rndc stop
>	# rm <.jnl files>
>	# vi <zone>
>	# <start named>
>
Bear in mind, of course, that while the nameserver is "stop"ped or 
"fr[ozen]" any Dynamic Updates coming in will basically get dropped. So 
this could be *very* disruptive if you have automatic processes making 
those Dynamic Updates, unless all of those processes are capable of 
detecting the failure, queueing up their updates, and retrying them 
(hopefully in the same order, to prevent sequencing issues).

It might be a better approach to do *all* of your updates via Dynamic 
Update from now on, including the "manual" ones. Use "nsupdate" or some 
other command-line tool. One of the advantages of this, versus editing 
the zone files, is that you don't actually need to be on the master 
server to make an update. If you want to exploit this "remote" 
capability, though, you'll probably want to set up TSIG-authentication 
for the Dynamic Updates, unless you have sufficient security at the 
lower network levels (e.g. IPSEC or something like that).

                                                                         
                                                               - Kevin
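The "do everything via Dynamic Update" approach above, as an added example that is not part of this thread or of BIND itself: a small POSIX sh wrapper that sends a batch of changes through nsupdate with a TSIG key file, in one transaction, and retries in order when the server rejects or drops the update (for instance while the zone is frozen). The server, zone, record names and the key path are placeholders; the key file is assumed to have been generated with tsig-keygen (or dnssec-keygen on older BIND) and granted update rights in named.conf.

```shell
#!/bin/sh
# Added example (not from the thread): queue Dynamic Updates and push them
# through nsupdate + TSIG instead of editing the zone file on the master.
# Assumed placeholders: key file path, server and zone names below.

KEYFILE="${KEYFILE:-/etc/bind/update.key}"    # TSIG key, e.g. from tsig-keygen
NSUPDATE="${NSUPDATE:-nsupdate -k $KEYFILE}"  # overridable for dry runs/tests
RETRIES="${RETRIES:-5}"                       # attempts before giving up
RETRY_DELAY="${RETRY_DELAY:-10}"              # seconds between attempts

# build_update_script SERVER ZONE CHANGE...
# Prints an nsupdate batch on stdout. Each CHANGE is one nsupdate "update"
# line without the keyword, e.g. "add www.example.com. 300 A 192.0.2.10"
# or "delete old.example.com. A". A single 'send' makes it one transaction.
build_update_script() {
    server=$1; zone=$2; shift 2
    printf 'server %s\nzone %s\n' "$server" "$zone"
    for change in "$@"; do
        printf 'update %s\n' "$change"
    done
    printf 'send\n'
}

# apply_update SERVER ZONE CHANGE...
# Sends the batch; on a nonzero nsupdate exit (zone frozen, server down,
# TSIG/policy refusal) it waits and retries, so changes are never lost or
# reordered. Returns 0 on success, 1 after RETRIES failures.
apply_update() {
    attempt=1
    while :; do
        if build_update_script "$@" | $NSUPDATE; then
            return 0
        fi
        if [ "$attempt" -ge "$RETRIES" ]; then
            echo "update to zone $2 failed after $attempt attempts" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
}

# Usage (placeholders):
#   apply_update ns1.example.com. example.com. \
#       "add www.example.com. 300 A 192.0.2.10" "delete old.example.com. A"
```

Because every change in one call shares a single `send`, a batch either lands whole or not at all; separate calls are applied strictly in the order the script issues them.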