Allow only temporary zone updates without making them permanent

Lefteris Tsintjelis lefty at spes.gr
Wed Jun 26 17:47:04 UTC 2019


On 26/6/2019 20:25, Tony Finch wrote:
> Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
>> On 26/6/2019 17:39, Grant Taylor via bind-users wrote:
>>> Or are you wanting to update the zone contents without actually updating
>>> the zone file on disk?
>>
>> Yes, exactly this. That is the reason I changed the actual zone disk
>> file permissions to root thinking that files would not be modifiable,
>> but bind surprised me there. I did not expect to change the file
>> ownership from root to bind! The problem started with ACME actually as
>> it always messes up my disk zone files and have to always restore them.
>> I would still like to use something like that in small DDNS zones also,
>> serving just a few IPs only. Non disk writable/modifiable zones could
>> perhaps add a small layer of extra security as well.
> 
> If you have a dynamic zone then it's best to work as if the zone file
> belongs to `named`. I configure `masterfile-format raw;` which removes the
> temptation to look at the files directly. Instead I use `dig axfr` or
> `named-compilezone -j`.
> 
> In most cases I keep the original source of the zone data elsewhere, e.g.
> a file stored in version control or a database, and I sync up the working
> copy of the zone with its source file using https://dotat.at/prog/nsdiff/
> This also means I don't have to care about serial numbers or DNSSEC
> records because `named` takes care of those.
> 
> (I have a few less complicated zones where I don't have a separate source
> file and instead use `nsvi` to edit the working copy.)
> 
> You should have secondary servers for your zone, in which case
> ACME-related updates will be copied to the secondary and stored on disk
> there, so suppressing writes on the primary won't make any useful
> difference to how temporary the records are.

Yes, I have done just about most of them already for large zones so I am
not worried about losing anything. But besides the messy ACME update
file zone results, it was the idea of the unauthorized file ownership
change that kind of started to worry me there as well.

> There are other ways to keep temporary dynamic records separate from your
> fixed data, e.g. you can delegate _acme-challenge.<host> to a separate
> dynamic zone, or to reduce the proliferation of zones, make
> _acme-challenge.<hosts> CNAMEs to consolidate them into one separate
> dynamic zone.

This is exactly what I try to do and keep dynamic things completely
separate from fixed. That is an excellent idea and takes care of the
dynamic ACME problem!

Thank you

Lefteris
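The layout Tony describes (a static parent zone that is never touched by dynamic updates, plus one small dynamic zone that collects every `_acme-challenge` name via CNAMEs) looks roughly like the following in BIND 9 terms. This is an added illustration, not configuration from the thread; `example.com`, `acme.example.com`, the key name `acme-key`, and the file paths are placeholder assumptions.

```conf
// named.conf fragment (added example; names and paths are assumed)

// TSIG key used only by the ACME client. Secret is a placeholder;
// generate a real one with tsig-keygen.
key "acme-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

// Static parent zone: no allow-update / update-policy, so named never
// rewrites this file and its ownership stays as you set it.
zone "example.com" {
    type master;            // "primary" on BIND 9.16+
    file "/etc/bind/zones/example.com.zone";
};

// Dynamic child zone: only this file is owned and rewritten by named.
// masterfile-format raw makes it clear it is not meant for hand editing.
zone "acme.example.com" {
    type master;
    file "/var/cache/bind/acme.example.com.raw";
    masterfile-format raw;
    update-policy {
        // The ACME key may add/remove TXT records anywhere below the
        // zone apex, and nothing else (no A/AAAA/NS/SOA changes).
        grant acme-key zonesub TXT;
    };
};
```

```conf
; example.com.zone (static parent, hand-edited; added example)
; Delegate the dynamic child so resolvers can reach it, then point each
; host's _acme-challenge name at the child zone with a CNAME.
acme                    IN NS    ns1.example.com.
_acme-challenge.www     IN CNAME www.acme.example.com.
_acme-challenge.mail    IN CNAME mail.acme.example.com.
```

The ACME client is then pointed at `acme.example.com` with `acme-key`; validation TXT records land only in the raw child file, and the parent zone file is never modified.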
