Configuration management of BIND .conf

John Thurston john.thurston at alaska.gov
Wed Sep 25 15:41:27 UTC 2024


Our 'special' zone definitions are less than 10kb (at the moment), so 
the 64kb limit isn't an issue. And if it ever is, it can be broken up 
into several 'included' .conf files.

The 255-character string limit isn't a problem with base64:

> base64 -w 250 special.conf | sed 's/^/"/;s/$/"/' | tr -d "\n"
will produce a value suitable for use as a TXT record. It could be 
pasted into a static zone file, or piped through /nsupdate/. And then 
our normal zone-distribution mechanisms will make the new value 
available to everyone.

> dig +tcp +short TXT special.z.ex.com | tr -d '"' | tr -d " " | base64 -d -
will retrieve the TXT record and turn it back into special.conf.

The serial number of zone 'z' would indicate there had been an update.

The 'include' segments couldn't have any secrets in them.

Signing the zone would demonstrate the validity of the record.

In the absence of dnssec, a second record with a /sha256sum/ would 
demonstrate the large record had been retrieved correctly.


I like the idea of re-using the zone-replication mechanism to distribute 
the .conf information. I do not like the idea of pulling information 
from public DNS records for use as configuration data. While an 
interesting idea at first glance, I don't think this looks like a good 
idea when it is scrutinized.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 9/25/2024 3:15 AM, Jan-Piet Mens wrote:
>> Do you have a script to base64 an 'included' .conf into a TXT record,
>> so it can be consumed elsewhere?
>
> That's an interesting idea (JP loves TXT records 😉), but do keep in 
> mind that individual segments of a TXT may not be larger than 255 octets 
> and the whole RRset not larger than 64k which could be limiting. 