(Part 4 - Managing dynamic DNS zones)
Created: 2021-05-19 Wed 16:48
Welcome to part four of our BIND 9 webinar series
I is for Incremental Zone Transfer (RFC 1995)
N is for NOTIFY (RFC 1996)
D is for Dynamic Update (RFC 2136)
Update clients (such as nsupdate) check the syntax before sending the update.
DHCP servers update A, AAAA, and PTR records to reflect the leases they give out.
To find the primary, nsupdate compares the SOA mname field to the NS RRset. If mname matches an NS RR, the update is sent there.
allow-update {}; in the named.conf configuration file enables DDNS.
zone "example.com" {
    type primary;
    file "example.com";
    allow-update { 192.0.2.68; };
};
An address-only ACL is weak on its own, since the source address of a UDP update can be spoofed; the key-based form (allow-update { key ...; }) is preferred.
serial-update-method ( date | increment | unixtime );
increment: simple bump (the default).
date: YYYYMMDDnn, where nn starts at zero and increments.
unixtime: standard Unix time in seconds.
serial-update-method can be set in the options block or view block, or specific to a zone block.
Dynamic changes are recorded in a journal file (.jnl) next to the zone file; its location and maximum size can be set per zone:
zone "example.com" {
    type primary;
    file "example.com";
    allow-update { key dhcp-server; };
    journal "/fast-disk/example.com.jnl";
    max-journal-size 200M;
};
named-journalprint <journalfile> prints the contents of a journal:
% named-journalprint zone02.dane.onl.jnl
del zone02.dane.onl. 30 IN SOA server02.dane.onl. hm.zone02.dane.onl. 2016011308 7200 3600 5184000 30
del me.zone02.dane.onl. 30 IN TXT "my birthday! go me!"
add zone02.dane.onl. 30 IN SOA server02.dane.onl. hm.zone02.dane.onl. 2016013100 7200 3600 5184000 30
add me.zone02.dane.onl. 30 IN TXT "hi there"
Use nsupdate to make changes to a dynamic zone. To edit the zone file by hand instead, first run rndc freeze <zone> (which writes the journal into the zone file and suspends updates), edit the file, then run rndc thaw <zone> to reload it and resume updates.
nsupdate is a BIND application for sending dynamic changes to a server. Its main commands are update add, update delete, and send: update prepares RR changes, send executes them.
Input can come from a file or from standard input:
$ nsupdate nsupdate.input.file
$ nsupdate < nsupdate.input.file
Run interactively, nsupdate gives a > prompt; show displays the update prepared so far:
$ nsupdate
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
update add prepares a resource record to be added to a zone. A TTL is required unless a default has been set with ttl; in the first attempt below nsupdate reads 'IN' where it expects the TTL and rejects the line.
> update add a.example.com IN A 192.0.2.1
ttl 'IN': not a valid number
> update add a.example.com 3600 IN A 192.0.2.1
> ttl 3600
> update add a.example.com AAAA 2001:db8:0:deaf::1
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a.example.com. 3600 IN A 192.0.2.1
a.example.com. 3600 IN AAAA 2001:db8:0:deaf::1
> send
update delete prepares resource records to be deleted. Giving the full RDATA deletes just that one record; show displays it with TTL 0 and class NONE, which is how RFC 2136 encodes a single-RR delete on the wire.
> update delete b.example.com. 1800 A 192.0.2.99
> update delete example.net. MX 15 mailserver.example.net.
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
b.example.com. 0 NONE A 192.0.2.99
example.net. 0 NONE MX 15 mailserver.example.net.
update delete with the RTYPE but no RDATA deletes a whole resource record set (RRset); show displays it with class ANY.
> update delete b.example.com. AAAA
> update delete c.example.com IN SRV
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
b.example.com. 0 NONE A 192.0.2.99
example.net. 0 NONE MX 15 mailserver.example.net.
b.example.com. 0 ANY AAAA
c.example.com. 0 ANY SRV
>
update delete with neither RTYPE nor RDATA deletes all resource record sets for that domain name (shown as ANY ANY).
> update delete d.example.com.
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
b.example.com. 0 NONE A 192.0.2.99
example.net. 0 NONE MX 15 mailserver.example.net.
b.example.com. 0 ANY AAAA
c.example.com. 0 ANY SRV
d.example.com. 0 ANY ANY
The update keyword is optional: delete and add can be given on their own. Because every prepared change travels in the same message, the following replaces the A RRset of www.example.com as one atomic update.
> delete www.example.com. A
> add www.example.com. 600 A 192.0.2.80
> add www.example.com. 600 A 192.0.2.88
send transmits the prepared updates to the authoritative server.
> send
answer shows the results received from the server after a send.
> send
update failed: REFUSED
> answer
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13117
;; flags: qr; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
REFUSED normally means the server's allow-update or update-policy did not permit this client; the server records the decision in its update-security logging category.
prereq nxdomain <domain name> requires that "domain name" does not exist (no resource records of any type). Here it guards against placing a CNAME on a name that already has records:
> prereq nxdomain www.example.com
> update add www.example.com 3600 CNAME example.com.
> send
prereq yxdomain <domain name> requires that "domain name" does exist.
> prereq yxdomain www.example.com
> update add web.example.com 3600 CNAME www.example.com.
> send
server <servername or IP> [port] specifies the authoritative server that will receive the update. By default nsupdate uses the MNAME from the SOA RR and port 53.
> server ns0.example.com
local <IP address> [port] specifies the outgoing IP address. This is useful for multi-homed machines, especially when IPv6 is used, and when the server limits updates to specific IPs.
> local 2001:db8:100:0:ff:aa01:42:12:feaa
zone <zonename> specifies the zone to be changed. By default nsupdate derives the zone from an SOA lookup on the record's name, so setting it explicitly matters for names that belong in a different zone, such as glue addresses for a delegated subdomain that live in the parent:
$ nsupdate
> zone example.com.
> update add ns1.subdomain.example.com. 3600 IN A 192.0.2.53
> update add ns2.subdomain.example.com. 3600 IN A 203.0.113.53
> send
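The wire form behind these commands, as an added example that is not part of the webinar material: a small standard-library Python builder and header decoder for RFC 2136 UPDATE messages. It shows why show prints class NONE or ANY with TTL 0 for the delete forms, and how the zone, prereq and update sections produce the counts in the header line; all function names are my own.

```python
import ipaddress
import struct

# RFC 2136 carries the meaning of a prerequisite or update in the CLASS and
# TTL fields, which is why nsupdate's "show" prints "0 NONE A ..." for a
# single-RR delete and "0 ANY AAAA" for an RRset delete.
OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_A, TYPE_SOA, TYPE_AAAA, TYPE_ANY = 1, 6, 28, 255

def encode_name(name):
    """Owner name in wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def rr(name, rtype, rclass, ttl=0, rdata=b""):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def prereq_nxdomain(name):
    # "prereq nxdomain": TYPE ANY, CLASS NONE, TTL 0, empty RDATA (RFC 2136 2.4.3).
    return rr(name, TYPE_ANY, CLASS_NONE)

def update_add_a(name, ttl, ipv4):
    # "update add name ttl A addr": class IN with the real TTL and RDATA.
    return rr(name, TYPE_A, CLASS_IN, ttl, ipaddress.IPv4Address(ipv4).packed)

def update_delete_rr_a(name, ipv4):
    # "update delete name A addr" (one RR): CLASS NONE, TTL 0, RDATA present.
    return rr(name, TYPE_A, CLASS_NONE, 0, ipaddress.IPv4Address(ipv4).packed)

def update_delete_rrset(name, rtype):
    # "update delete name TYPE" (whole RRset): CLASS ANY, TTL 0, no RDATA.
    return rr(name, rtype, CLASS_ANY)

def build_update(zone, prereqs, updates, msg_id=0):
    """Assemble header + ZONE section + PREREQ + UPDATE sections (ADDITIONAL empty)."""
    flags = OPCODE_UPDATE << 11  # QR=0, opcode 5 sits in bits 11-14
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)

def parse_header(msg):
    """Decode the 12-byte header into the counts nsupdate's "show" displays."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "ZONE": zo, "PREREQ": pr, "UPDATE": up, "ADDITIONAL": ad}
```

A real update would additionally need to be sent over UDP or TCP and, in practice, carry a TSIG record in the ADDITIONAL section; this block stops at the message layout.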
The server named in the SOA MNAME is not sent a NOTIFY.
NOTIFY is on by default. For a secondary not used as a downstream primary, it can be disabled:
options {
    notify no;
};
To disable NOTIFY for a particular zone:
zone "example.com" {
    type secondary;
    masters { 192.0.2.110; };
    file "bak.example.com";
    notify no;
};
Adding an address to the NOTIFY list for all zones:
options {
    also-notify { 192.0.2.120; };
};
Adding an address to the NOTIFY list for a particular zone:
zone "example.com" {
    type primary;
    file "example.com";
    also-notify { 192.0.2.120; };
};
To NOTIFY only the name servers listed in also-notify, for all zones:
options {
    also-notify { 192.0.2.120; };
    notify explicit;
};
To NOTIFY only the name servers listed in also-notify, for a particular zone:
zone "example.com" {
    type primary;
    file "example.com";
    also-notify { 192.0.2.120; };
    notify explicit;
};
Watching IXFR in action: note the current serial, make a dynamic change (nsupdate -l sends it to the local server using the session key that named generates), then ask for the incremental transfer from the old serial.
$ dig +short soa dane.onl
authoritative.dane.onl. hostmaster.dane.onl. 2013081127 7200 1800 3542400 30
% nsupdate -l
> update add zzz.dane.onl 30 TXT "Zees"
> send
> quit
$ dig +noall +answer dane.onl ixfr=2013081127 @::1 | grep -Ev 'RRSIG|NSEC'
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081127 7200 1800 3542400 30
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
zzz.dane.onl. 30 IN TXT "Zees"
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
The general shape of an IXFR answer spanning several serial changes: the current SOA first, then for each change the old SOA followed by the deleted records and the new SOA followed by the added records, and the current SOA again at the end.
dig @<Auth-Server> <Domain-Name> ixfr=2
FQDN [...] SOA 6 7200 3600 5184000 30
FQDN [...] SOA 2 [...]
FQDN [...] SOA 3 [...]
FQDN [...]
FQDN [...] SOA 3 [...]
FQDN [...]
FQDN [...] SOA 4 [...]
FQDN [...]
FQDN [...]
FQDN [...] SOA 4 [...]
FQDN [...]
FQDN [...]
FQDN [...] SOA 5 [...]
FQDN [...] SOA 5 [...]
FQDN [...] SOA 6 [...]
FQDN [...] SOA 6 7200 3600 5184000 30
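An added example, not from the webinar: a Python parser that takes IXFR answer lines as dig prints them (after the RRSIG/NSEC filter) and recovers the per-serial deleted and added records, rendering them in named-journalprint style. The embedded input is the dane.onl answer from the page, included here as a constructed sample; the function names are mine.

```python
# Constructed sample: the dig +noall +answer IXFR output shown above.
IXFR_ANSWER = """\
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081127 7200 1800 3542400 30
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
zzz.dane.onl. 30 IN TXT "Zees"
dane.onl. 40 IN SOA authoritative.dane.onl. hostmaster.dane.onl. 2013081128 7200 1800 3542400 30
"""

def parse_rr(line):
    """Split a presentation-format RR into owner, ttl, class, type, rdata."""
    owner, ttl, rclass, rtype, rdata = line.split(None, 4)
    return {"owner": owner, "ttl": int(ttl), "class": rclass, "type": rtype, "rdata": rdata}

def soa_serial(record):
    """SOA RDATA is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    return int(record["rdata"].split()[2])

def parse_ixfr(text):
    """Return (current_serial, deltas) from an IXFR answer (RFC 1995 layout:
    SOA(cur), then repeated SOA(old) deleted... SOA(new) added..., then SOA(cur)).
    Malformed input raises ValueError or IndexError."""
    rrs = [parse_rr(l) for l in text.splitlines() if l.strip()]
    if not rrs or rrs[0]["type"] != "SOA":
        raise ValueError("IXFR answer must start with the current SOA")
    current = soa_serial(rrs[0])
    if len(rrs) == 1:
        return current, []  # requester already holds the current serial
    if rrs[1]["type"] != "SOA":
        raise ValueError("server fell back to a full (AXFR-style) transfer")
    deltas, i = [], 1
    while i < len(rrs) - 1:  # rrs[-1] is the closing SOA(cur)
        old_soa, i, deleted = rrs[i], i + 1, []
        while rrs[i]["type"] != "SOA":
            deleted.append(rrs[i]); i += 1
        new_soa, i, added = rrs[i], i + 1, []
        while rrs[i]["type"] != "SOA":
            added.append(rrs[i]); i += 1
        deltas.append({"from": soa_serial(old_soa), "to": soa_serial(new_soa),
                       "del": [old_soa] + deleted, "add": [new_soa] + added})
    return current, deltas

def journal_lines(deltas):
    """Render deltas in named-journalprint style: 'del'/'add' then the RR."""
    out = []
    for d in deltas:
        for tag in ("del", "add"):
            for r in d[tag]:
                out.append(f"{tag} {r['owner']} {r['ttl']} {r['class']} {r['type']} {r['rdata']}")
    return out
```

Run periodically against a primary with the last seen serial, this is a cheap way to audit exactly which records a DDNS client changed between two serials.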
Put ixfr-from-differences yes; in a zone stanza to create a journal for a non-dynamic zone, so that secondaries can still fetch changes by IXFR.
nsdiff / nspatch / nsvi
Homepage: https://dotat.at/prog/nsdiff/
nsvi first loads the zone content from the primary authoritative DNS server of the zone, runs an editor (vi) on the zone content, checks the edited zone with named-checkzone, and then turns the difference into nsupdate commands and sends them as dynamic updates to the primary DNS server.