injecting records into transferred zone (hidden primary/inline DNSSEC)
dot at dotat.at
Thu Oct 16 10:52:59 UTC 2014
Thomas Goldberg <t.goldberg77 at gmail.com> wrote:
> Essentially we're looking for a way to inject DS records into a slave
> zone (transferred from another DNS server).
One way to do this is with my nsdiff script which was written to do a
similar job to inline-signing mode for older versions of BIND.
To set it up, you configure your BIND server as a master (instead of as a
slave) with dynamic updates and automatic signing turned on. You run
nsdiff in "bump-in-the-wire" mode which takes a zone transfer from a
hidden master (e.g. your Windows server) and injects the changes into the
signer (BIND) using nsupdate.
To take control of DS records, use an option to make nsdiff ignore them:
nsdiff -i '^\S+\s+\d+\s+IN\s+DS\s+'
Then you can use nsupdate to inject the DS records into BIND. Then when
you run nsdiff it will propagate non-DNSSEC changes from Windows to BIND,
but it will leave the DS records alone.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
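The following is an added, stand-alone example and is not nsdiff's own code, nor part of the message above. It shows the two pieces of the workflow described there in a form you can run offline: the record filter that the `-i '^\S+\s+\d+\s+IN\s+DS\s+'` option applies (translated here from Perl regex syntax to a POSIX ERE so plain `grep -E` can evaluate it), and an nsupdate batch that installs the operator-controlled DS records on the BIND signer. The zone name `example.test.`, the sample records, the DS key tag and digest, and the `named.conf` stanza are all constructed placeholders; the stanza uses the `update-policy local;` and `auto-dnssec maintain;` options of BIND 9 of that era.

```shell
#!/bin/sh
# Added example: mirrors the nsdiff "ignore DS records" rule from the message
# and builds the nsupdate batch that manages DS records on the signer.
# All names, keys and digests below are constructed placeholders.

ZONE="example.test."

# POSIX ERE equivalent of the Perl regex passed to nsdiff -i:
#   \S -> [^[:space:]], \s -> [[:space:]], \d -> [0-9]
DS_RE='^[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+DS[[:space:]]+'

# Constructed sample of the zone as transferred from the hidden master
# (no DS records there; those are managed on the signer instead).
hidden_master_zone() {
  cat <<'EOF'
example.test.           3600    IN      SOA     ns1.example.test. hostmaster.example.test. 2014101601 7200 900 1209600 3600
example.test.           3600    IN      NS      ns1.example.test.
ns1.example.test.       3600    IN      A       192.0.2.1
child.example.test.     3600    IN      NS      ns1.child.example.test.
ns1.child.example.test. 3600    IN      A       192.0.2.53
EOF
}

# Constructed DS records that the operator controls on the BIND signer.
operator_ds_records() {
  cat <<'EOF'
child.example.test.     3600    IN      DS      12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# count_ds: number of DS records in the input (always exits 0).
count_ds() { grep -Ec "$DS_RE" || :; }

# strip_ds: everything except DS records, i.e. what nsdiff -i still diffs
# and propagates from the hidden master to the signer.
strip_ds() { grep -Ev "$DS_RE" || :; }

# build_ds_update: turn a list of DS records into an nsupdate batch that
# replaces the DS RRset at each owner name, then adds the wanted records.
build_ds_update() {
  records=$(cat)
  printf 'zone %s\n' "$ZONE"
  printf '%s\n' "$records" | awk '$3 == "IN" && $4 == "DS" { print $1 }' | sort -u |
    while read -r owner; do printf 'update delete %s DS\n' "$owner"; done
  printf '%s\n' "$records" | awk '$3 == "IN" && $4 == "DS" {
      printf "update add %s %s DS", $1, $2
      for (i = 5; i <= NF; i++) printf " %s", $i
      printf "\n"
    }'
  printf 'send\n'
}

# signer_named_conf: the zone stanza for the signer side (BIND configured as
# master with dynamic updates and automatic signing), as assumed here.
signer_named_conf() {
  cat <<'EOF'
zone "example.test" {
    type master;
    file "example.test.db";
    update-policy local;
    auto-dnssec maintain;
};
EOF
}

# Usage: records nsdiff would still propagate, then the DS batch for nsupdate.
hidden_master_zone | strip_ds
operator_ds_records | build_ds_update
```

Feed the batch to `nsupdate -l` on the signer once, and from then on every nsdiff run with the `-i` regex from the message carries only the non-DS changes across, so the DS RRset you installed stays in place.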