Machine friendly alternative to nsupdate

Petr Bena petr at bena.rocks
Wed Apr 1 09:07:57 UTC 2020


Hello,

Some preamble: Some time ago I created an open source DNS admin web GUI 
*1 that is basically a wrapper around dig and nsupdate and that allows 
people with "less CLI knowledge" to easily manipulate DNS records. The 
main reason for this was that in our corporation we have about 400 
internal DNS zones hosted on over 100 different BIND master servers, in 
more than 10 countries around the planet, and this tool allowed us to 
unify the management, as it allowed integration with different master 
servers, granular role-based access for individual zones (integrated 
with LDAP groups), a web API for our automation tools, etc.

Now to the actual problem: as I said, this tool is just a wrapper around 
nsupdate and dig. I like it that way because it's non-invasive: unlike 
other similar DNS admin panels, it doesn't require ANY changes to the 
DNS server configuration, and it integrates well with other solutions 
already in place. The problem I have, however, is that nsupdate was 
created as a tool for humans rather than machines, and parsing its 
output (and even giving it input) is very hard. Plus some things don't 
even seem to be possible in it.

Is there any alternative to nsupdate, something that can work with XML 
or JSON payloads or provide output in such a machine-parseable format? 
For example, a typical problem I am facing right now is that nsupdate 
silently ignores things that IMHO shouldn't be ignored, e.g. when 
someone tries to add a record that already exists, or tries to add an A 
record over a CNAME. nsupdate silently ignores this; even in the debug 
output I can't see any difference: in the first send the record is 
created, resulting in NOERROR; in the second, identical send the update 
is ignored, also resulting in NOERROR, so I have no way to tell users of 
my app that the record was not in fact created or changed (because it 
already exists). For example:

Here is an operation where I first add a CNAME record and then try to 
add an A record at the same name (imagine two different users were doing 
this, so user B was unaware that the CNAME already exists). You can see 
that in both cases nsupdate responds with the same answer, despite the 
record being created only in the first case. And on top of that, this 
answer is not easy to machine-parse.

 > debug
 > update add petrbena.test.zone. 600 CNAME this.is.test.
 > send
Sending update to 10.15.12.17#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48433
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; UPDATE SECTION:
petrbena.test.zone.    600    IN    CNAME    this.is.test.

;; TSIG PSEUDOSECTION:
server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729680 300 16 xx== 48433 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48433
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; TSIG PSEUDOSECTION:
server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729680 300 16 xx== 48433 NOERROR 0

 > update add petrbena.test.zone. 600 A 0.0.0.0
 > send
Sending update to 10.15.12.17#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 30709
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; UPDATE SECTION:
petrbena.test.zone.    600    IN    A    0.0.0.0

;; TSIG PSEUDOSECTION:
server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729721 300 16 xx== 30709 NOERROR 0


Is there any alternative to nsupdate that can do this? Or some newer 
version of nsupdate that can accomplish this?

Thanks


*1 https://github.com/benapetr/dnsphpadmin
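The behaviour described in the post is what RFC 2136 mandates: adding an RR that already exists, or adding a non-CNAME RR at a name that holds a CNAME, is silently ignored and the server still answers NOERROR. The protocol's remedy is the prerequisite section: an update that first asserts "no CNAME RRset at this name" and "no A RRset at this name" is refused with RCODE YXRRSET instead of being dropped, and that RCODE sits in the 12-byte header, so it is trivially machine-parseable. The example below is added here and is not code from the original post, from dnsphpadmin or from BIND. It hand-packs such an UPDATE (with an optional TSIG signature, hmac-sha256) using only the Python standard library and decodes the reply header; the zone name, owner name, IP, key name and key are constructed test data. In production one would normally use a library such as dnspython (dns.update.Update with .absent()/.present(), dns.query.tcp, dns.tsigkeyring) rather than packing the wire format by hand; the bytes produced here are what such a library sends.

```python
"""RFC 2136 DNS UPDATE with prerequisites, hand-packed, plus TSIG signing and
RCODE decoding. Added example, not code from the original post, dnsphpadmin or
BIND; standard library only. Zone, owner name, key name and key are constructed.
In real code use a library (e.g. dnspython: dns.update.Update with .absent() /
.present(), dns.query.tcp, dns.tsigkeyring); the bytes below are what it sends."""
import hashlib
import hmac
import os
import socket
import struct
import time

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_A, TYPE_CNAME, TYPE_SOA, TYPE_TSIG, TYPE_ANY = 1, 5, 6, 250, 255
# Response codes an UPDATE client has to be able to name (RFC 2136 2.2, RFC 8945 4.3).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
          10: "NOTZONE", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME"}

def wire_name(name):
    """Dotted name -> uncompressed wire labels in canonical (lower-case) form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata=b""):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def tsig_rr(msg, key_name, key, now=None, algorithm="hmac-sha256", fudge=300):
    """TSIG RR for the unsigned request `msg` (RFC 8945 4.3.3): the MAC covers the message
    as it was before the TSIG RR is appended, then key name, class ANY, TTL 0, algorithm,
    time signed, fudge, error, other-len and other-data."""
    time_signed = int(time.time() if now is None else now).to_bytes(6, "big")
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm)
                 + time_signed + struct.pack("!HHH", fudge, 0, 0))
    mac = hmac.new(key, msg + variables, hashlib.sha256).digest()
    rdata = (wire_name(algorithm) + time_signed + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error, other-len
    return rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)

class Update:
    """Accumulates the zone, prerequisite and update sections of one UPDATE message."""
    def __init__(self, zone, msg_id=None):
        self.id = int.from_bytes(os.urandom(2), "big") if msg_id is None else msg_id
        self.zone = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
        self.prereqs, self.updates = [], []

    # RFC 2136 2.4: a prerequisite is an RR with TTL 0 and class NONE (or ANY).
    def prereq_nxdomain(self, name):
        """Name must not exist at all; the server answers YXDOMAIN if it does."""
        self.prereqs.append(rr(name, TYPE_ANY, CLASS_NONE, 0))

    def prereq_nxrrset(self, name, rtype):
        """No RRset of this type may exist; the server answers YXRRSET if one does."""
        self.prereqs.append(rr(name, rtype, CLASS_NONE, 0))

    def add(self, name, ttl, rtype, rdata):
        self.updates.append(rr(name, rtype, CLASS_IN, ttl, rdata))

    def to_wire(self, key=None, key_name=None, now=None):
        """Wire message; with `key`, a TSIG RR is appended and ARCOUNT becomes 1."""
        header = struct.pack("!HHHHHH", self.id, OPCODE_UPDATE << 11, 1,
                             len(self.prereqs), len(self.updates), 0)
        msg = header + self.zone + b"".join(self.prereqs) + b"".join(self.updates)
        if key is None:
            return msg
        return msg[:10] + struct.pack("!H", 1) + msg[12:] + tsig_rr(msg, key_name, key, now)

def parse_header(wire):
    """Decode the 12-byte header of a request or reply; RCODE is the low 4 flag bits."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0xF
    return {"id": msg_id, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rcode": rcode, "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

def build_add_a_unless_present(zone, name, ip, ttl=600, msg_id=None,
                               key=None, key_name=None, now=None):
    """The post's second update (add an A record) made non-silent: the server refuses
    it with YXRRSET when the name already holds a CNAME or an A RRset, instead of
    quietly dropping it and answering NOERROR."""
    upd = Update(zone, msg_id)
    upd.prereq_nxrrset(name, TYPE_CNAME)
    upd.prereq_nxrrset(name, TYPE_A)
    upd.add(name, ttl, TYPE_A, socket.inet_aton(ip))
    return upd.to_wire(key, key_name, now)

def send_tcp(wire, server, port=53, timeout=5.0):
    """Send over TCP (two-byte length prefix) and return the raw reply for parse_header()."""
    with socket.create_connection((server, port), timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack("!H", len(wire)) + wire)
        (length,) = struct.unpack("!H", f.read(2))
        return f.read(length)

# Constructed reply header: QR set, opcode UPDATE, RCODE 7 (YXRRSET), as a server
# answers the update above when petrbena.test.zone. already has its CNAME.
SAMPLE_REPLY_YXRRSET = struct.pack("!HHHHHH", 30709, 0x8000 | OPCODE_UPDATE << 11 | 7, 1, 0, 0, 0)
```

The same effect is available from nsupdate itself: putting `prereq nxrrset petrbena.test.zone. CNAME` and `prereq nxrrset petrbena.test.zone. A` before the `update add` line makes the second send in the post fail with "update failed: YXRRSET" and a non-zero exit status, which a wrapper can check without parsing the debug dump. Two caveats a practitioner should keep in mind: the RCODE only applies to the whole transaction (one failed prerequisite rejects every update in that send), and RFC 2136 has no "this exact RR is absent" prerequisite, only "no RRset of this type" (nxrrset) and "name not in use" (nxdomain), so detecting an identical duplicate A next to other existing A records still requires reading the RRset first with a query.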