Really all machines should be updating their own address records in the DNS. Have each machine create a KEY record with its name. Install the KEY record in the DNS. Use SIG(0) signed UPDATE requests to update the address records.
    update-policy {
        grant * self . A AAAA KEY;  // Allow the machine to update these records for itself
    };

Mark

> On 21 Apr 2020, at 03:23, Chuck Aurora <c...@nodns4.us> wrote:
>
> On 2020-04-20 10:33, Warren Kumari wrote:
>> On Sat, Apr 18, 2020 at 12:52 PM Tony Finch <d...@dotat.at> wrote:
>>> @lbutlr <krem...@kreme.com> wrote:
>>> >
>>> > Is it possible to batch update all the domains? Looking at nsupdate it
>>> > looks like I have to step through and do every domain individually.
>>>
>>> An UPDATE request can change many records, so long as they are all in the
>>> same zone, and so long as they fit in the 64KB limit of DNS message size.
>>> I find one request is usually enough for routine changes, but if you are
>>> doing a bulk update to a large zone, you will need to split the changes
>>> across multiple update requests.
>>>
>>> You might find nsdiff helpful, both to verify that your bulk changes are
>>> what you expect, and because it will split large updates into multiple
>>> requests automatically. It's still one-zone-at-a-time, though. A
>>> quick-and-dirty starting point might be roughly
>>>
>>>     dig axfr $zone |
>>>     sed 's/oldprefix/newprefix/' |
>>>     nsdiff $zone /dev/stdin |
>>>     nsupdate -l
>>>
>>> https://dotat.at/prog/nsdiff/
>>
>> Another option may be:
>>
>>     rndc sync
>>     rndc freeze
>>     rndc sync
>>     [sed and awk[0] ]
>>     rndc thaw
>
> The problem with freeze and thaw is that you lose your history. I like
> having history, and it won't hurt to have that in the future, when
> dealing with the ISP's next capricious reassignment. "On 2020-04-23[1]
> you moved us from x.x.x.x to y.y.y.y, and now again to z.z.z.z? We are
> paying for a static IP address, what does 'static' mean?"
>
> Another problem with that choice is that the zones are signed, and named
> will have to re-sign the whole zone in one go. I think (not sure) that
> with nsupdate the signing will happen one record at a time; or at least,
> only the relevant A / TXT(SPF) records with the changed IP address will
> need to be signed. Given that there are lots of zones being done in a
> loop, there could be a very high load on the server and drain on its
> pool of entropy.
>
> So yeah, I'd go with Tony's plan here. But I suppose the bottom line
> for this list is, "nsupdate can't do batches, you have to script it."
>
>> W
>> [0]: Now at this point I should have remembered that profound truism:
>> "Some people, when confronted with a Unix problem, think 'I know,
>> I'll use sed.' Now they have two problems." jwz - 12 Dec 1992
>
> LOL, yes, I thought that quote was about regular expressions, but
> either way it sure fits.
>
>
> [1] Shakespeare's death, 404 years ago; birth, 456 years ago, that day.
> What would the Bard do? "To sed, or not to sed, ..."
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
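The "you have to script it" loop that Tony and Chuck describe, as an added example that is not code from the thread, from nsdiff or from BIND: `gen_readdress` is a hypothetical helper that reads a `dig axfr`-style dump on stdin and emits one nsupdate transaction per zone containing only the A records that carry the old address, so the server signs just the changed RRsets instead of the whole zone.

```shell
#!/bin/sh
# gen_readdress ZONE OLD_IP NEW_IP  (hypothetical helper, constructed for this example)
# Reads zone data in the presentation format `dig axfr $zone` prints
# ("owner TTL IN A address") on stdin and writes nsupdate commands on stdout.
# Only IN A records whose address equals OLD_IP are touched; SOA, RRSIG,
# DNSKEY, comments and blank lines pass through untouched.
# Per-zone use:   dig axfr "$zone" | gen_readdress "$zone" "$old" "$new" | nsupdate -l
# Many zones:     while read -r zone; do ...same pipeline...; done < zones.txt
gen_readdress() {
    zone=$1; old=$2; new=$3
    printf 'zone %s\n' "$zone"
    awk -v old="$old" -v new="$new" '
        # Skip comments, short lines and anything that is not an IN A record.
        $0 ~ /^;/ || NF < 5 || $3 != "IN" || $4 != "A" { next }
        $5 == old {
            # Delete the old RR and add the new one with the same owner and TTL,
            # all inside one UPDATE so the change is applied atomically.
            printf "update delete %s %s IN A %s\n", $1, $2, old
            printf "update add %s %s IN A %s\n", $1, $2, new
            n++
        }
        # Emit "send" only when there is something to send; nsupdate does
        # nothing with a bare "zone" line.
        END { if (n) print "send" }
    '
}
```

Pass `-k` with the host's SIG(0) key instead of `-l` when the server is set up with the `update-policy` Mark shows above.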