Dynamic zone with fixed include of DKIM entries on server

Matthias Fechner idefix at fechner.net
Mon Dec 1 04:00:17 UTC 2025


Dear all,

In my old approach, which I no longer use, I had my zones on my server and used vi to
update them when changes were required.
At that time I just included the required DKIM entries using an include
command in the zone:

        $INCLUDE fechner.net.dkim.txt

This file is automatically generated on the server by rspamd, which was
very convenient.
If the DKIM key changed for whatever reason, I just bumped the serial of
the zone and reloaded it using rndc.

Some years ago I decided to change that well-working procedure for
several reasons:
- usage of DNSSEC
- track changes on zones using git
- manage the zones on another machine and just update the zone on the 
real server using nsdiff and nsupdate
- automatic zone updates based on commits in the zones repository
- usage of DNS-01 validation for wildcard SSL certificates
- and many other reasons

So I converted my zones into "dynamic" zones so that I can update them using
the nsdiff and nsupdate approach, which works very nicely.
To prevent dehydrated (which I use to manage my Let's Encrypt
certificates) from being able to damage my zone, I decided to delegate the ACME
challenge into an extra zone file with an extra key file.

So it looks like this:

zone "fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/fechner.net";
        allow-transfer { secondard-servers; key fechner.net; };
        dnssec-policy "one-year-zsk";
        inline-signing no;
        allow-update { key fechner.net; };
};

zone "_acme-challenge.fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/_acme-challenge.fechner.net";
        masterfile-format text;
        allow-update { key acme_fechner.net; };
};

Now I want to automate the complete management, partly using SaltStack.

What do you suggest, how should I handle the DKIM part?
I would like to have the keys on the server (and not in SaltStack, as
they need not be permanent, only consistent), so there is no need to
have even the public part in my git repository for the zones.

What kind of solution do you suggest?

Should I also delegate the DKIM part into its own zone file, where I
could perhaps use the $INCLUDE feature?

Any comments are welcome!

Thanks a lot
Matthias
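One way to handle the DKIM part in the same style as the _acme-challenge delegation shown in the post, given here as an added example and not as code from the original message or from rspamd: a small Python script that parses the rspamd-generated zone fragment, makes the owner names absolute, and emits an nsupdate batch that replaces the TXT records in a delegated DKIM zone updated with its own TSIG key. The delegated zone name _domainkey.fechner.net, the server address and the key file path are assumptions; the fragment format is the one written by `rspamadm dkim_keygen`, and the sample fragment (with a dummy key string) is constructed.

```python
"""Build an nsupdate batch from an rspamd-generated DKIM zone fragment.

Added example, not code from the original post. Assumptions: the fragment
is in the format written by `rspamadm dkim_keygen`, the DKIM names live in
a delegated zone _domainkey.fechner.net with its own TSIG key, and the key
file path and server address are hypothetical.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of a DKIM fragment in rspamadm dkim_keygen style.
# The key material is a dummy string, not a real RSA public key.
SAMPLE_DKIM_FRAGMENT = """\
; DKIM fragment written by rspamd (constructed sample)
mail2025._domainkey IN TXT ( "v=DKIM1; k=rsa; "
\t"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" ) ;
"""

# Matches one TXT record, optionally parenthesised and spanning lines:
#   name [ttl] [IN] TXT ( "str" "str" ... ) ;
TXT_RECORD = re.compile(
    r'^(?P<name>[^\s;]+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?TXT\s*\(?\s*'
    r'(?P<strings>(?:"[^"]*"\s*)+)\)?\s*;?',
    re.MULTILINE,
)

MAX_CHARSTRING = 255  # RFC 1035 limit on one TXT <character-string>


def parse_dkim_fragment(text: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (owner name, ttl or None, concatenated rdata) per TXT record.

    The quoted strings of one TXT record are concatenated, as DKIM
    verifiers do (RFC 6376 section 3.6.2.2), so the public key is whole.
    """
    records = []
    for m in TXT_RECORD.finditer(text):
        parts = re.findall(r'"([^"]*)"', m.group("strings"))
        ttl = int(m.group("ttl")) if m.group("ttl") else None
        records.append((m.group("name"), ttl, "".join(parts)))
    return records


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file relative owner name into an absolute name."""
    origin = origin.rstrip(".")
    if name.endswith("."):
        return name
    if name == "@":
        return origin + "."
    return f"{name}.{origin}."


def chunk_txt(rdata: str, size: int = MAX_CHARSTRING) -> List[str]:
    """Split rdata into <character-string>s of at most `size` characters.

    DKIM rdata is ASCII, so characters and octets coincide here.
    """
    return [rdata[i:i + size] for i in range(0, len(rdata), size)]


def quote(s: str) -> str:
    """Quote one character-string for nsupdate / master-file syntax."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_nsupdate_batch(server: str, zone: str, origin: str,
                         records, default_ttl: int = 3600) -> str:
    """Emit an nsupdate script that replaces each DKIM TXT record.

    'update delete' and 'update add' before a single 'send' travel in one
    UPDATE message, which the server applies atomically, so a resolver
    never observes the selector name with no TXT record at all.
    """
    lines = [f"server {server}", f"zone {zone.rstrip('.')}."]
    for name, ttl, rdata in records:
        fqdn = qualify(name, origin)
        strings = " ".join(quote(c) for c in chunk_txt(rdata))
        lines.append(f"update delete {fqdn} TXT")
        lines.append(f"update add {fqdn} {ttl or default_ttl} TXT {strings}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def push(batch: str, keyfile: str) -> None:
    """Feed the batch to nsupdate, authenticating with the given TSIG key file.

    The key file path is hypothetical. The key should only be allowed to
    update the delegated DKIM zone, mirroring how the post's acme_fechner.net
    key is allowed only on _acme-challenge.fechner.net.
    """
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)


if __name__ == "__main__":
    recs = parse_dkim_fragment(SAMPLE_DKIM_FRAGMENT)
    batch = build_nsupdate_batch("127.0.0.1", "_domainkey.fechner.net",
                                 "fechner.net", recs)
    print(batch, end="")
    # push(batch, "/usr/local/etc/namedb/keys/dkim_fechner.net.key")  # hypothetical path
```

Run on the server where rspamd writes the fragment, with the fragment file read in place of the constructed sample, the batch can be sent straight after rspamd rotates a key, so the public key never has to pass through the git repository or SaltStack. Giving the DKIM key its own delegated zone (or, if the records stay in the main zone, an `update-policy` grant limited to the `_domainkey` subtree and the TXT type) means a compromise of the mail host cannot rewrite the rest of fechner.net.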