injecting records into transferred zone (hidden primary/inline DNSSEC)

Tony Finch dot at
Thu Oct 16 10:52:59 UTC 2014

Thomas Goldberg <t.goldberg77 at> wrote:

> Essentially we're looking for a way to inject DS records into a slave
> zone (transferred from another DNS server).

One way to do this is with my nsdiff script which was written to do a
similar job to inline-signing mode for older versions of BIND.

To set it up, you configure your BIND server as a master (instead of as a
slave) with dynamic updates and automatic signing turned on. You run
nsdiff in "bump-in-the-wire" mode, which takes a zone transfer from a
hidden master (e.g. your Windows server) and injects the changes into the
signer (BIND) using nsupdate.

To take control of DS records, use an option to make nsdiff ignore them:

	nsdiff -i '^\S+\s+\d+\s+IN\s+DS\s+'

Then you can use nsupdate to inject the DS records into BIND. Then when
you run nsdiff it will propagate non-DNSSEC changes from Windows to BIND,
but it will leave the DS records alone.

f.anthony.n.finch  <dot at>
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
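The following POSIX shell script is an added illustration of the procedure described above; it is not part of the original message and is not nsdiff's own code. It imitates nsdiff's bump-in-the-wire step on two constructed zone snapshots (the zone as the BIND signer currently holds it, and the zone as transferred from the hidden primary), excludes DS records from the comparison using a POSIX ERE spelling of the `-i` regex quoted in the message, and emits the nsupdate script that applies every other change. The zone name example.net, the addresses and the DS digest are made up; mktemp, comm and sed are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original message and not nsdiff itself.
# Two constructed zone snapshots are compared the way nsdiff does in
# bump-in-the-wire mode, with DS records ignored so that a DS injected
# into BIND by hand survives every sync from the hidden primary.
# All names, addresses and the DS rdata below are made up.

ZONE=example.net
CHILD_DS='12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Zone as BIND (the signer) holds it; the DS for "child" was added via nsupdate.
SIGNER_ZONE="example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2014101601 7200 900 1209600 3600
example.net. 3600 IN NS ns1.example.net.
ns1.example.net. 3600 IN A 192.0.2.1
www.example.net. 3600 IN A 192.0.2.10
child.example.net. 3600 IN NS ns1.child.example.net.
child.example.net. 3600 IN DS $CHILD_DS"

# Zone as transferred from the hidden primary (e.g. Windows DNS): www moved,
# mail is new, and the hidden primary knows nothing about DS records.
HIDDEN_ZONE='example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2014101602 7200 900 1209600 3600
example.net. 3600 IN NS ns1.example.net.
ns1.example.net. 3600 IN A 192.0.2.1
www.example.net. 3600 IN A 192.0.2.11
mail.example.net. 3600 IN A 192.0.2.20
child.example.net. 3600 IN NS ns1.child.example.net.'

# POSIX ERE spelling of the Perl regex given to nsdiff -i: '^\S+\s+\d+\s+IN\s+DS\s+'
DS_PATTERN='^[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+DS[[:space:]]+'

# Exit 0 if a single record line would be ignored by the DS pattern.
is_ignored() {
    printf '%s\n' "$1" | grep -Eq "$DS_PATTERN"
}

# Prepare a zone for comparison: drop ignored (DS) records, drop the SOA
# (a dynamic zone's serial is maintained by the signer) and sort for comm(1).
normalise() {
    grep -Ev "$DS_PATTERN" | grep -Ev '[[:space:]]IN[[:space:]]+SOA[[:space:]]' | sort
}

# Emit the nsupdate script that brings the signer's copy in line with the
# hidden primary's copy while leaving DS records alone.
make_update() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$SIGNER_ZONE" | normalise > "$old"
    printf '%s\n' "$HIDDEN_ZONE" | normalise > "$new"
    echo "zone $ZONE"
    comm -23 "$old" "$new" | sed 's/^/update delete /'   # only in signer: remove
    comm -13 "$old" "$new" | sed 's/^/update add /'      # only in hidden primary: add
    echo "send"
    rm -f "$old" "$new"
}

# Emit the one-off nsupdate script that injects a DS record into the signer.
# $1 = owner name, $2 = DS rdata (keytag algorithm digest-type digest)
inject_ds() {
    printf 'zone %s\nupdate add %s 3600 IN DS %s\nsend\n' "$ZONE" "$1" "$2"
}

# Stand-alone run prints both scripts; in production each would be piped
# into nsupdate (e.g. nsupdate -k <tsig-key-file>) rather than printed.
inject_ds child.example.net. "$CHILD_DS"
make_update
```

Running the script prints first the DS injection script and then an update script that deletes the old www address, adds the new one and adds mail, with no DS or SOA lines in it: the hand-injected DS on the signer is untouched because it never enters the comparison.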
