On 02.07.2023 at 16:41, Matthew Seaman wrote:
Personally, I maintain zone files with DNSSEC signing on FreeBSD using the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch -- someone well known on this list.

You can keep your zone files in git or whatever code repository suits you. nsdiff will compare what's live in your DNS zone against what's in your updated zone file and generate a script for nsupdate(1) to make the former match the latter.

You'll need to configure appropriate levels of access for nsupdate(1). That can be from pretty much any machine given you set up zone policies and distribute keys appropriately. Although if you run nsdiff directly on your primary DNS machine, you should be able to use the built-in /var/run/named/session.key with a per-zone policy like:

```
         update-policy {
             grant local-ddns zonesub any;
         };
```

See the '-l' flag to nsupdate(1)

Thanks, that is very interesting information.
What I understood from the documentation:
-s server[#port]

I can maintain e.g. my zones from my local computer at home inside a git repository and use nsdiff and nspatch to push the changes to the server in the internet?

Does the server then have the source file (fechner.net), or does the server only work with raw and the .jnl file?

If I add a new zone, do I only need to configure it as master, define access to it, and then upload the zone data via nspatch?

If that would all be possible, that technique can maybe also be used to change letsencrypt verification to DNS, using the nsupdate command to get the required information into the zone file. That would definitely open a lot of new possibilities to put more automation into the full setup. ;)

Regards
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
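A pre-flight check of the kind I would put between nsdiff and `nsupdate -l` in the workflow described above. This is an added example, not code from the thread, from nsdiff or from BIND; it assumes a zone name of example.net. and uses a constructed sample script in nsupdate(1) syntax (a real nsdiff output may be shaped differently). It refuses updates that name records outside the zone (what a `zonesub` grant would permit anyway), whole-name deletes, and a mass delete such as an empty or truncated zone file in git would produce.

```python
# Added example, not code from this thread, nsdiff or BIND: pre-flight check before `nsupdate -l`.
import subprocess

ZONE = "example.net."  # assumed zone name
# Constructed sample in nsupdate(1) syntax, in the style of an nsdiff-generated script.
SAMPLE_SCRIPT = """\
prereq yxrrset example.net. IN SOA
update delete www.example.net. IN A 192.0.2.10
update add www.example.net. 3600 IN A 192.0.2.20
update add _acme-challenge.example.net. 60 IN TXT "constructed-token"
update add example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2023070201 3600 900 1209600 3600
send
"""

def in_zone(name, zone):
    """True if name is the zone apex or below it, i.e. what a 'zonesub' grant permits."""
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)

def is_name_wipe(parts):
    """'update delete NAME [ttl] [class]' with no type removes every RRset at NAME."""
    rest = [p for p in parts[3:] if not p.isdigit() and p.upper() not in ("IN", "CH", "HS", "ANY")]
    return not rest  # anything left over is a type (or rdata), so the delete is scoped

def check_script(script, zone, max_deletes=20):
    """Return (ok, problems): out-of-zone names, whole-name wipes and mass deletes are refused."""
    problems, deletes = [], 0
    for line in script.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "update" or parts[1] not in ("add", "delete"):
            continue  # prereq/send/comment lines carry no update
        if not in_zone(parts[2], zone):
            problems.append(f"{parts[1]} outside zone: {parts[2]}")
        if parts[1] == "delete":
            deletes += 1
            if is_name_wipe(parts):
                problems.append(f"delete wipes every record at {parts[2]}")
    if deletes > max_deletes:  # an empty or truncated zone file in git would produce this
        problems.append(f"{deletes} deletes exceed limit {max_deletes}")
    if not any(l.strip() == "send" for l in script.splitlines()):
        problems.append("no 'send' line")
    return (not problems, problems)

def apply_script(script, zone):
    """Apply via the built-in session key (nsupdate -l), but only if the check passes."""
    ok, problems = check_script(script, zone)
    if not ok:
        raise ValueError("refusing to apply: " + "; ".join(problems))
    subprocess.run(["nsupdate", "-l"], input=script, text=True, check=True)
```

Run it on the primary as `check_script(open("zone.update").read(), ZONE)` before calling `apply_script`; the delete limit is a per-zone judgement call.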