Say we have a bind9 server, and wish to update some DNS records remotely, without restarting the server.
RFC2136 defines a protocol and tooling to do it in a reasonably standard way.
```
# /etc/bind/named.conf
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.168.0.0/16;
    10.0.0.0/8;
};

acl "outside" {
    0.0.0.0/0;
    ::/0;
};

options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";
    listen-on-v6 { any; };
    listen-on { any; };
    allow-query { any; };
    allow-query-cache { trusted; };
    allow-transfer { trusted; };
    allow-update { trusted; };
    empty-zones-enable yes;
    forward first;
    forwarders {
        2001:4860:4860::8888; // Google
        2001:4860:4860::8844;
    };
    dnssec-validation auto;
    key-directory "/etc/bind/dnssec";
    // Hide the server version
    version "unknown";
};

// The TSIG key generated below; the file must be readable only by named.
include "/etc/bind/boop.key";

controls {
    inet * port 953 allow { trusted; } keys { "boop"; };
};

view "external" {
    match-clients { outside; };
    recursion no;
    zone "boop.com" IN {
        type master;
        file "zones/boop.zone";
        allow-query { any; };
        allow-transfer { trusted; };
        update-policy {
            // Holders of key "boop" may change TXT records under *.boop.com. only
            grant boop wildcard *.boop.com. TXT;
            //grant boop name boop.com. A;
            //grant boop wildcard *.boop.com. ANY;
        };
        inline-signing yes;
        auto-dnssec maintain;
    };
};
```
First, generate a TSIG key (a shared secret) that will authenticate the updates. `tsig-keygen` prints a ready-to-include `key` statement:

```
$ tsig-keygen -a HMAC-SHA512 boop | tee /etc/bind/boop.key
key "boop" {
    algorithm hmac-sha512;
    secret "......";
};
```
Now, on another host on the trusted network, create an update file, `update.txt`. The algorithm prefix on the `key` line must match the algorithm in the key file (here `hmac-sha512`), and the secret is the base64 string from that file:

```
server 192.168.1.1
zone boop.com.
key hmac-sha512:boop .......
update del foo.boop.com A
update add foo.boop.com 3600 A 192.168.1.2
show
send
```

Note that with the `update-policy` shown above, key `boop` may only change `TXT` records under `*.boop.com.`, so this `A` record update would be refused by the server until a grant that covers `A` (or `ANY`) for `foo.boop.com.`, such as the commented-out wildcard line, is enabled.
And execute it with `nsupdate`:

```
$ nsupdate ./update.txt
```

See `man nsupdate` for the other update and prerequisite commands.
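To see what `nsupdate` actually puts on the wire for the file above, and how `named` checks it before consulting the `update-policy`, here is an added example in Python (it is not part of the original notes and not BIND's code). It builds the same delete/add UPDATE for `foo.boop.com` with only the standard library, signs it with a TSIG key the way the `key` line does, and then verifies it the way the server side does. The zone, key name, addresses, message ID, timestamp and the secret are constructed values; the verifier is a simplified model that trusts the key name and algorithm it is given, checks the MAC and the time window, and skips the request-ID and error-field checks a full implementation performs.

```python
"""Added example: build and TSIG-sign an RFC 2136 UPDATE, then verify it server-side (stdlib only)."""
import base64
import hashlib
import hmac
import socket
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TXT, TYPE_TSIG = 1, 6, 16, 250
CLASS_IN, CLASS_ANY = 1, 255
FLAGS_UPDATE = 5 << 11  # QR=0, Opcode=5 (UPDATE), every other header flag clear
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


def encode_name(name):
    """Wire-format a domain name in canonical (lower-case) form; the root is a lone 0x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def resource_record(name, rtype, rclass, ttl, rdata):
    """NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA with no name compression."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def delete_rrset(name, rtype):
    """'update del NAME TYPE': class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)."""
    return resource_record(name, rtype, CLASS_ANY, 0, b"")


def add_a(name, ttl, ipv4):
    """'update add NAME TTL A ADDR': an ordinary IN A record (RFC 2136 section 2.5.1)."""
    return resource_record(name, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ipv4))


def build_update(zone, msg_id, updates):
    """Unsigned UPDATE request: header, one zone entry (ZTYPE=SOA), the update RRs, no additional RRs."""
    header = struct.pack("!HHHHHH", msg_id, FLAGS_UPDATE, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(updates)


def _tsig_variables(key_name, algorithm, time_signed, fudge):
    """TSIG fields the MAC covers (RFC 8945 section 4.3.3): key name, class, TTL, algorithm, time, fudge, error, other-len."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))


def tsig_sign(message, key_name, algorithm, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR: MAC = HMAC(secret, message || tsig_variables); ARCOUNT is incremented."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   message + _tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))  # original ID, error=NOERROR, other-len=0
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return (message[:10] + struct.pack("!H", arcount) + message[12:]
            + resource_record(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))


def _skip_name(buf, off):
    """Offset just past the name at buf[off:]; a compression pointer ends a name in 2 bytes."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def tsig_verify(signed, key_name, algorithm, secret_b64, now=None):
    """Simplified server check: locate the trailing TSIG RR, rebuild the signed bytes, compare MACs, enforce fudge."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qdcount):                          # zone entries are laid out like questions
        off = _skip_name(signed, off) + 4
    for _ in range(ancount + nscount + arcount - 1):  # every RR except the last one (the TSIG)
        off = _skip_name(signed, off) + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    tsig_start = off
    name_end = _skip_name(signed, tsig_start)
    if signed[tsig_start:name_end] != encode_name(key_name):
        return False                                  # unknown key name: BADKEY in a real server
    alg_end = _skip_name(signed, name_end + 10)       # skip TYPE, CLASS, TTL, RDLENGTH
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    time_signed = (t_hi << 32) | t_lo
    # What the client signed: the original ARCOUNT (without the TSIG RR) and everything before the TSIG RR.
    unsigned = signed[:10] + struct.pack("!H", arcount - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + _tsig_variables(key_name, algorithm, time_signed, fudge),
                        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        return False                                  # BADSIG
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge            # otherwise BADTIME


# Constructed inputs mirroring update.txt above; the secret is a placeholder, not a real key.
EXAMPLE_SECRET = base64.b64encode(b"constructed-example-secret-not-a-real-key").decode()


def example_signed_update(time_signed=1700000000):
    """Return (unsigned, signed) wire messages for: del foo.boop.com A; add foo.boop.com 3600 A 192.168.1.2."""
    updates = [delete_rrset("foo.boop.com.", TYPE_A), add_a("foo.boop.com.", 3600, "192.168.1.2")]
    unsigned = build_update("boop.com.", 0x1234, updates)
    return unsigned, tsig_sign(unsigned, "boop", "hmac-sha512", EXAMPLE_SECRET, time_signed)


if __name__ == "__main__":
    unsigned, signed = example_signed_update()
    print(len(unsigned), "unsigned bytes,", len(signed), "signed bytes, verifies:",
          tsig_verify(signed, "boop", "hmac-sha512", EXAMPLE_SECRET, now=1700000010))
```

Two things the code makes visible that the update file hides: the secret never travels on the wire (only the HMAC over the whole message does, so any change to the update section invalidates the MAC), and the 48-bit timestamp plus the 300-second fudge is what limits replay, so the client and `named` need roughly synchronised clocks. The `key` line in `update.txt` is only one way to hand `nsupdate` the secret; `nsupdate -k /etc/bind/boop.key ./update.txt` reads the same `key` file instead, which avoids copying the secret into a second file.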
You can generate more keys and tune the `update-policy` to give more reasonable, fine-grained control. For example, you might want to restrict some clients to updating only certain records, record types, zones or views.
References: https://certbot-dns-rfc2136.readthedocs.io/en/stable/