Batch updating all DNS records on my Bind server
Mark Andrews
marka at isc.org
Tue Apr 21 00:11:25 UTC 2020
Really all machines should be updating their own address records in the
DNS. Have each machine create a KEY record with its name. Install the
KEY record in the DNS. Use SIG(0) signed UPDATE requests to update the
address records.
update-policy {
        grant * self . A AAAA KEY; // Allow the machine to update these records for itself
};
Mark
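An added example, not part of any message in this thread, of the batching that the original question and Tony's dig/sed/nsdiff pipeline (quoted below) describe: a small shell script that turns zone data into one nsupdate transaction per zone, since a single UPDATE request can only touch one zone. The record layout, the sample records and the zone names are constructed for illustration; the only real tools assumed are awk and, for actually applying the result, nsupdate.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): build one nsupdate batch
# per zone from a list of A records, rewriting an address prefix.
#
# Constructed sample input, shaped like `dig axfr` output for two zones:
#   owner TTL class type rdata
SAMPLE_RECORDS='www.example.com. 3600 IN A 192.0.2.10
mail.example.com. 3600 IN A 192.0.2.25
www.example.net. 3600 IN A 192.0.2.10
ns1.example.net. 3600 IN A 198.51.100.1'

# gen_nsupdate_batch ZONE OLDPREFIX NEWPREFIX
# Reads records on stdin. For every A record owned by a name in ZONE whose
# address starts with OLDPREFIX (keep the trailing dot, so 192.0.2. does
# not match 192.0.20.x), emit an "update delete"/"update add" pair. All
# changes for the zone end in a single "send", i.e. one UPDATE request.
# Prints nothing when no record in the zone needs changing.
gen_nsupdate_batch() {
    zone=$1; old=$2; new=$3
    awk -v zone="$zone" -v old="$old" -v new="$new" '
        BEGIN { suffix = "." zone "."; n = 0; out = "" }
        # owner must be the zone apex or end in ".<zone>."; rdata must start with OLDPREFIX
        $3 == "IN" && $4 == "A" &&
        ($1 == (zone ".") || substr($1, length($1) - length(suffix) + 1) == suffix) &&
        index($5, old) == 1 {
            newaddr = new substr($5, length(old) + 1)
            out = out "update delete " $1 " A " $5 "\n"
            out = out "update add " $1 " " $2 " A " newaddr "\n"
            n++
        }
        END { if (n > 0) printf "zone %s\n%ssend\n", zone, out }
    '
}

# batch_all_zones OLDPREFIX NEWPREFIX ZONE...
# Runs gen_nsupdate_batch once per zone over the same stdin, so the
# concatenated output is a sequence of independent per-zone transactions.
batch_all_zones() {
    old=$1; new=$2; shift 2
    records=$(cat)
    for z in "$@"; do
        printf '%s\n' "$records" | gen_nsupdate_batch "$z" "$old" "$new"
    done
}

# Demonstration on the constructed data. In real use the output would be
# piped into `nsupdate -l` on the primary (as in the quoted pipeline) or
# into `nsupdate -k <host-key>.private` for a SIG(0)-signed update.
printf '%s\n' "$SAMPLE_RECORDS" | batch_all_zones 192.0.2. 192.0.3. example.com example.net
```

Each zone's stanza ends with its own `send`, so a failure in one zone (for example an update-policy that refuses the change) does not abort the others; nsupdate reports the refused transaction and continues with the next.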
> On 21 Apr 2020, at 03:23, Chuck Aurora <ca at nodns4.us> wrote:
>
> On 2020-04-20 10:33, Warren Kumari wrote:
>> On Sat, Apr 18, 2020 at 12:52 PM Tony Finch <dot at dotat.at> wrote:
>>> @lbutlr <kremels at kreme.com> wrote:
>>> >
>>> > Is it possible to batch update all the domains? Looking at nsupdate it
>>> > looks like I have to step through and do every domain individually.
>>> An UPDATE request can change many records, so long as they are all in the
>>> same zone, and so long as they fit in the 64KB limit of DNS message size.
>>> I find one request is usually enough for routine changes, but if you are
>>> doing a bulk update to a large zone, you will need to split the changes
>>> across multiple update requests.
>>> You might find nsdiff helpful, both to verify that your bulk changes are
>>> what you expect, and because it will split large updates into multiple
>>> requests automatically. It's still one-zone-at-a-time, though. A
>>> quick-and-dirty starting point might be roughly
>>> dig axfr $zone |
>>> sed 's/oldprefix/newprefix/' |
>>> nsdiff $zone /dev/stdin |
>>> nsupdate -l
>>> https://dotat.at/prog/nsdiff/
>> Another option may be:
>> rndc sync
>> rndc freeze
>> rndc sync
>> [sed and awk[0] ]
>> rndc thaw
>
> The problem with freeze and thaw is that you lose your history. I like
> having history, and it won't hurt to have that in the future, when
> dealing with the ISP's next capricious reassignment. "On 2020-04-23[1]
> you moved us from x.x.x.x to y.y.y.y, and now again to z.z.z.z? We are
> paying for a static IP address, what does 'static' mean?"
>
> Another problem with that choice is that the zones are signed, and named
> will have to re-sign the whole zone in one go. I think (not sure) that
> with nsupdate the signing will happen one record at a time; or at least,
> only the relevant A / TXT(SPF) records with the changed IP address will
> need to be signed. Given that there are lots of zones being done in a
> loop, there could be a very high load on the server and drain on its
> pool of entropy.
>
> So yeah, I'd go with Tony's plan here. But I suppose the bottom line
> for this list is, "nsupdate can't do batches, you have to script it."
>
>> W
>> [0]: Now at this point I should have remembered that profound truism:
>> “Some people, when confronted with a Unix problem, think ‘I know,
>> I’ll use sed.’ Now they have two problems.” jwz - 12 Dec 1992
>
> LOL, yes, I thought that quote was about regular expressions, but
> either way it sure fits.
>
>
> [1] Shakespeare's death, 404 years ago; birth, 456 years ago, that day.
> What would the Bard do? "To sed, or not to sed, ..."
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org