Using RNDC to control remote access to my BIND server

Greg Donohoe dubgregd at
Fri Apr 23 09:50:53 UTC 2021

Thank you for the suggestions. I am looking into those now.
Yes we can run nsupdate again on the remote server but I would still need
to connect to the remote server to do this.
We were thinking of using SSH to the remote server but we want to explore
any other option rather than SSH for the secure connection.
I was thinking that it may be possible to use RNDC or some other tool to
update the remote BIND server zone files (either by modifying the zone file
that is already there or replacing the zone file with the new one I created
RNDC looks like it is a non starter for what I want but nsdiff may be a
good option.


On Thu, Apr 22, 2021 at 8:38 PM Tony Finch <dot at> wrote:

> Greg Donohoe <dubgregd at> wrote:
> > I have created a CI/CD pipeline in order to amend zone files using
> nsupdate
> > based on a front end user request. This portion of the pipeline is
> working
> > as expected so now I want to be able to connect from my pipeline runner
> to
> > my remote BIND staging server and update the zone files on there with my
> > newly updated zone file.
> If you want to make the same change on the remote server that you made
> locally, can't you use nsupdate again but point it at the remote server?
> Or is there something more complicated going on?
> Use ddns-keygen to create a TSIG authentication key and add the key to the
> allow-update ACL on the remote server.
> (You can also add your own TSIG keys to allow remote control with `rndc
> -s`, but it sounds to me like rndc is a red herring.)
> There's also my `nsdiff` program
> which can make a zone on a remote server look like a local zone
> file using nsupdate.
> Tony.
> --
> f.anthony.n.finch  <dot at>
> North Utsire, South Utsire: Northerly or northwesterly 4 to 6,
> occasionally 7 at first in eastern South Utsire. Rough at first in
> eastern South Utsire, otherwise moderate. Showers. Good.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list