Batch updating all DNS records on my Bind server

Mark Andrews marka at
Tue Apr 21 00:11:25 UTC 2020

Really all machines should be updating their own address records in the
DNS.  Have each machine create a KEY record with its name.  Install the
KEY record in the DNS.  Use SIG(0) signed UPDATE requests to update the
address records.

update-policy {
	grant * self . A AAAA KEY; // Allow the machine to update these records for itself
};


> On 21 Apr 2020, at 03:23, Chuck Aurora <ca at> wrote:
> On 2020-04-20 10:33, Warren Kumari wrote:
>> On Sat, Apr 18, 2020 at 12:52 PM Tony Finch <dot at> wrote:
>>> @lbutlr <kremels at> wrote:
>>> >
>>> > Is it possible to batch update all the domains? Looking at nsupdate it
>>> > looks like I have to step through and do every domain individually.
>>> An UPDATE request can change many records, so long as they are all in the
>>> same zone, and so long as they fit in the 64KB limit of DNS message size.
>>> I find one request is usually enough for routine changes, but if you are
>>> doing a bulk update to a large zone, you will need to split the changes
>>> across multiple update requests.
>>> You might find nsdiff helpful, both to verify that your bulk changes are
>>> what you expect, and because it will split large updates into multiple
>>> requests automatically. It's still one-zone-at-a-time, though. A
>>> quick-and-dirty starting point might be roughly
>>>        dig axfr $zone |
>>>        sed 's/oldprefix/newprefix/' |
>>>        nsdiff $zone /dev/stdin |
>>>        nsupdate -l
>> Another option may be:
>> rndc sync
>> rndc freeze
>> rndc sync
>> [sed and awk[0] ]
>> rndc thaw
> The problem with freeze and thaw is that you lose your history.  I like
> having history, and it won't hurt to have that in the future, when
> dealing with the ISP's next capricious reassignment.  "On 2020-04-23[1]
> you moved us from x.x.x.x to y.y.y.y, and now again to z.z.z.z?  We are
> paying for a static IP address, what does 'static' mean?"
> Another problem with that choice is that the zones are signed, and named
> will have to re-sign the whole zone in one go.  I think (not sure) that
> with nsupdate the signing will happen one record at a time; or at least,
> only the relevant A / TXT(SPF) records with the changed IP address will
> need to be signed.  Given that there are lots of zones being done in a
> loop, there could be a very high load on the server and drain on its
> pool of entropy.
> So yeah, I'd go with Tony's plan here.  But I suppose the bottom line
> for this list is, "nsupdate can't do batches, you have to script it."
>> W
>> [0]: Now at this point I should have remembered that profound truism:
>> “Some people, when confronted with a Unix problem, think ‘I know,
>> I’ll use sed.’ Now they have two problems.” jwz - 12 Dec 1992
> LOL, yes, I thought that quote was about regular expressions, but
> either way it sure fits.
> [1] Shakespeare's death, 404 years ago; birth, 456 years ago, that day.
>    What would the Bard do?  "To sed, or not to sed, ..."

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at
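As an added example (not from Mark's post or from BIND's own code) of the per-host SIG(0) workflow he describes: the host generates its own KEY once, and afterwards sends signed UPDATE requests that touch only records at its own name, which is exactly what the `grant * self . A AAAA KEY;` rule permits. Host, zone and server names, addresses, the key algorithm and the key file path are placeholders.

```shell
#!/bin/sh
# Added example: one machine maintaining its own A/AAAA records via a
# SIG(0)-signed UPDATE under "grant * self . A AAAA KEY;".
# All names, addresses and paths below are made-up placeholders.

HOST="host1.example.net"      # placeholder: this machine's own FQDN
ZONE="example.net"            # placeholder: zone holding the records
SERVER="ns1.example.net"      # placeholder: primary authoritative server
KEYFILE="/etc/dns/Khost1.example.net.+015+12345.private"  # placeholder

# One-time step: create the KEY pair for this host (pick an algorithm your
# named build supports). The .key file it writes holds the public KEY RR,
# which the zone operator installs at the host's own name.
gen_sig0_key() {
    dnssec-keygen -a ED25519 -T KEY -n HOST "$HOST"
}

# Emit the nsupdate batch that replaces every A/AAAA at the host's own
# name. With the "self" rule, named refuses changes to any other owner
# name, so the signer can only ever touch its own records.
build_update() {
    u_host=$1; u_zone=$2; u_server=$3; u_v4=$4; u_v6=$5
    printf 'server %s\nzone %s\n' "$u_server" "$u_zone"
    printf 'update delete %s. A\nupdate delete %s. AAAA\n' "$u_host" "$u_host"
    printf 'update add %s. 300 A %s\n' "$u_host" "$u_v4"
    [ -n "$u_v6" ] && printf 'update add %s. 300 AAAA %s\n' "$u_host" "$u_v6"
    printf 'send\n'
}

# Sign the request with the host's SIG(0) key; nsupdate -k accepts the
# .private file written by dnssec-keygen.
push_update() {
    build_update "$HOST" "$ZONE" "$SERVER" "$1" "$2" | nsupdate -k "$KEYFILE"
}

# Usage: ./selfupdate.sh push 192.0.2.10 2001:db8::10
[ "${1:-}" = "push" ] && push_update "$2" "$3"
```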
