On 03/07/2023 19:36, Matthias Fechner wrote:
What I understood from the documentation:
-s server[#port]

I can maintain e.g. my zones from my local computer at home inside a git repository and use nsdiff and nspatch to push the changes to the server in the internet?

Correct.

Does the server then have the source file (fechner.net) or does the server only work with raw and the .jnl file?

By default, the primary server will end up with a `fechner.net` zone data file in text format which contains pretty much the same RRs as your master copy in git, but reformatted into a standard style, sorted into order and with comments stripped[*]. Plus added DNSKEY, CDS, CDNSKEY, RRSIG records from dnssec signing.

There will be a .jnl file for each zone with the latest updates to the zone -- in principle you can use rndc(8) to flush changes from the journal into the main zone file, but this isn't necessary if you're using nsupdate based methods exclusively to maintain the zone data.

[*] Unless you have configured `masterfile-format raw` in which case your zone files will be in binary format.

If I add a new zone, do I only need to configure it as master, define access to it and then upload the zone data via nspatch?

That should work, I think. Can't say for sure as I don't tend to add new zones much. You might need to start with a minimal zone file containing just SOA and NS records.

If that would all be possible, that technique can maybe also be used to change letsencrypt verification to dns using the nsupdate command to get required information into the zone file.

Yes, I can confirm this works brilliantly with the dns-rfc2136 plugin.

That would definitely open a lot of new possibilities to put more automation into the full setup. ;)

I've found it works very well to exempt TLSA and SSHFP records from nsdiff management (i.e. nsdiff -i 'TLSA|SSHFP' ...) and then use Ansible to generate the appropriate resource records from corresponding keys on each host and add them into the zone data using the community.general.nsupdate module.

        Cheers,

        Matthew

--
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
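The workflow Matthew describes above, as an added example that is not code from the thread, from nsdiff, or from Ansible: diff the git master copy of a zone against what the primary currently serves, exempt RR types via a regex the way `nsdiff -i 'TLSA|SSHFP'` does, render the result as an nsupdate(1) batch, and generate SSHFP records from a host key for a separate, host-driven update. The zone contents, host names, addresses, DNSKEY placeholder and ssh-ed25519 key blob are constructed for the demo; the `SERVER_OWNED` type set and the `127.0.0.1` default server are assumptions. Real nsdiff canonicalises input with named-compilezone and handles the SOA serial; this toy reads canonical one-RR-per-line text and simply skips SOA.

```python
"""Toy nsdiff/nsupdate workflow: diff desired vs served RRs, exempt types by
regex, emit an nsupdate batch, and derive SSHFP RRs from an OpenSSH key.
Added example, not nsdiff's own implementation."""
import base64
import hashlib
import re

# RR types the signing primary maintains itself; a diff tool must never try to
# add or delete them (assumption modelled on nsdiff's behaviour, not its code).
SERVER_OWNED = {"SOA", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}


def parse_rrs(text):
    """Parse canonical text, one RR per line: 'owner ttl class type rdata'.
    Assumes absolute names and explicit TTLs (no $ORIGIN/$TTL); ';' comments
    are stripped, which a quoted ';' in TXT rdata would break (toy limitation)."""
    rrs = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.add((owner.lower(), int(ttl), rtype.upper(), rdata))
    return rrs


def diff_rrs(have, want, ignore=None):
    """Return (to_delete, to_add) as sorted lists, skipping server-owned types
    and any type whose name fully matches the ignore regex, like nsdiff -i."""
    ign = re.compile(ignore) if ignore else None

    def managed(rr):
        rtype = rr[2]
        return rtype not in SERVER_OWNED and not (ign and ign.fullmatch(rtype))

    have = {rr for rr in have if managed(rr)}
    want = {rr for rr in want if managed(rr)}
    return sorted(have - want), sorted(want - have)


def nsupdate_script(zone, to_delete, to_add, server="127.0.0.1"):
    """Render an nsupdate(1) batch: deletes first, then adds, then one 'send'."""
    lines = [f"server {server}", f"zone {zone}"]
    lines += [f"update delete {o} {ttl} IN {t} {r}" for o, ttl, t, r in to_delete]
    lines += [f"update add {o} {ttl} IN {t} {r}" for o, ttl, t, r in to_add]
    lines.append("send")
    return "\n".join(lines) + "\n"


# SSHFP (RFC 4255, RFC 6594, RFC 7479): algorithm number per key type;
# fingerprint type 1 = SHA-1, 2 = SHA-256, both over the raw public key blob.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}


def fingerprint(blob, fptype):
    digest = hashlib.sha1 if fptype == 1 else hashlib.sha256
    return digest(blob).hexdigest().upper()


def sshfp_records(owner, pubkey_line, ttl=3600):
    """What `ssh-keygen -r` would emit for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHM[keytype]
    return [(owner, ttl, "SSHFP", f"{algo} {fp} {fingerprint(blob, fp)}") for fp in (1, 2)]


def sshfp_update_script(zone, owner, pubkey_lines, server="127.0.0.1"):
    """Replace one host's whole SSHFP RRset from its current keys, as a
    host-driven update kept separate from the nsdiff-managed data."""
    adds = [rr for line in pubkey_lines for rr in sshfp_records(owner, line)]
    lines = [f"server {server}", f"zone {zone}", f"update delete {owner} SSHFP"]
    lines += [f"update add {o} {ttl} IN {t} {r}" for o, ttl, t, r in adds]
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample data (not from the thread). HAVE is what the primary serves
# (DNSSEC records included); WANT is the git master copy, deliberately without SSHFP.
HAVE = """
fechner.net.      3600 IN SOA    ns1.fechner.net. hostmaster.fechner.net. 2023070301 7200 3600 1209600 3600
fechner.net.      3600 IN NS     ns1.fechner.net.
fechner.net.      3600 IN DNSKEY 257 3 13 cGxhY2Vob2xkZXI=  ; placeholder, not a real key
www.fechner.net.   300 IN A      192.0.2.10
mail.fechner.net. 3600 IN SSHFP  4 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
WANT = """
fechner.net.      3600 IN SOA    ns1.fechner.net. hostmaster.fechner.net. 1 7200 3600 1209600 3600 ; serial is the server's business
fechner.net.      3600 IN NS     ns1.fechner.net.
www.fechner.net.   300 IN A      192.0.2.20   ; changed address
git.fechner.net.   300 IN A      192.0.2.30   ; new host
"""
# A structurally valid ssh-ed25519 blob with constructed key bytes:
# uint32 len + "ssh-ed25519", uint32 len + 32 key bytes.
EXAMPLE_KEY_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
EXAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(EXAMPLE_KEY_BLOB).decode() + " root@mail"

if __name__ == "__main__":
    have, want = parse_rrs(HAVE), parse_rrs(WANT)
    print("without -i, the diff would delete:", diff_rrs(have, want)[0])
    dels, adds = diff_rrs(have, want, ignore="TLSA|SSHFP")
    print(nsupdate_script("fechner.net", dels, adds))
    print(sshfp_update_script("fechner.net", "mail.fechner.net.", [EXAMPLE_PUBKEY_LINE]))
```

Running it shows the point of the exemption: without the ignore regex the SSHFP record that Ansible put there is absent from the git copy and so shows up as a delete; with `TLSA|SSHFP` ignored, only the `www` change and the new `git` host reach the nsupdate batch, and the host keys are pushed by their own batch that replaces the SSHFP RRset wholesale.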



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
