Any clients with direct BIND zone update capability?

Hello!

This week I’ve been learning letsencrypt and figuring out what I’ll need to do so that I can automate my setup.

Certbot has been a real challenge. It’s just the wrong tool for me and my environment.

My biggest issue is updating my BIND DNS zone data. I see many people are using dynamic DNS, but I want to try to stick to programmatically inserting a new TXT record into the zone files and calling a rndc reload.

Is anyone else doing this? Are there any clients that support manipulating BIND DNS zone files directly? I have not seen anything thus far and that’s somewhat surprising, even if BIND is crufty and old.

Thanks!

I don’t use bind with certbot but I did find this on the interwebs that seems to do what you ask:

RFC2136 = dynamic DNS. I want to edit the zone files directly. But thanks for trying.

Like I said, I have not seen anything anywhere trying to do this.

There are good reasons why this is. BIND zone files were not really designed for programmatic editing in mind.

Still it’s not too hard to find the SOA and serial number and increment that. Then it’s just a matter of adding and removing a specific line. Still gotta worry about locking the file, revision control, and other such nonsense.

Still I’m intent on doing it the hard way because converting my infrastructure would be even more difficult.

Certbot can perform authentication however you like: https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

I think the difficulty in making a generalized solution comes from loading and saving arbitrary master files. The format might be documented in RFC1035, but everything else is basically custom and depends on the nameserver and even how a particular OS packages a nameserver. That’s the good thing about RFC2136 - very little ambiguity in comparison.

So aside from a generalized solution, you can make a very specific solution. Specific in that you know you only need it for a certain domain, you know that your zone files are formatted in a certain way, that no other processes are modifying the zones, etc.

Say you had zonefiles where the serial was always commented with e.g.:

2019030446 ;Serial Number

You could get away with something like:

#!/usr/bin/env bash

# Identify the zonefile from the domain.
ZONE=""
if [[ "${CERTBOT_DOMAIN}" =~ example\.com$ ]]; then
  ZONE="example.com"
fi
ZONEFILE="/var/named/db.${ZONE}.conf"
CONTENTS=$(<$ZONEFILE)

# The line that we either need to add or delete
LINE="_acme-challenge.${CERTBOT_DOMAIN}. 1 IN TXT \"${CERTBOT_VALIDATION}\""

case "$1" in
  auth)
    # Add the line
    CONTENTS="${CONTENTS}\n${LINE}\n"
    ;;
  cleanup)
    # Remove the line
    CONTENTS="${CONTENTS/$LINE/}"
    ;;
esac

# Bump the serial (note the space after -e; without it bash runs "echo" with an argument of "-e<contents>")
CONTENTS=$(echo -e "${CONTENTS}" | /usr/bin/perl -pe 's/(\d+)( ;Serial Number)/($1+1).$2/e')

# Save the zonefile
echo -e "${CONTENTS}" > "${ZONEFILE}"

# Reload the nameserver and pray we didn't mess the zonefile up
/usr/sbin/rndc reload

and

certbot certonly --manual --preferred-challenges dns-01 \
--manual-auth-hook "/path/to/auth.sh auth" \
--manual-cleanup-hook "/path/to/auth.sh cleanup" \
-d example.com -d "*.example.com"

Maybe this will be enough to convince you that migrating to RFC2136 is easier :laughing:.

Perhaps you don’t have to reinvent the BIND wheel…
You could also use a mixed scenario where you use the existing BIND servers as slaves/secondary to any new “easier” DNS server system which can be inserted as the zone master/primary.

Hmmm. I’m misunderstanding something I guess. You might read the
materials at

https://si.w5gfe.org/

to see if they generate any ideas.

This is unhelpful. In the future please don't suggest solutions that I explicitly asked to avoid. My post said no dynamic DNS. Your solution uses dynamic DNS.

This is what I want to do, though this is a very simple example. That's at least a start, so thank you. This actually addresses what I want to do, instead of suggesting something I explicitly said I don't want to do (dynamic DNS).

Finding the serial number in the SOA isn't hard due to the format standard. We can just look for the int string and it will be delineated with some kind of whitespace character on each end. ++ it and done.

The record is one line and has a unique identifier via the " _acme-challenge." string, so we can easily identify it when cleaning up and just remove the whole line.

No problem. I am unlikely to offer another suggestion to you.

AHA! I found it!

I knew I could remember some tool in a zone editor that I had used years ago.

https://metacpan.org/source/AZS/zsu-1.20/zsu

Inserting and removing the TXT record is trivial since it’s line-based, but BIND makes things difficult for the SOA record by supporting ()-based multi-line records and in-line ; comments. Also the first two values, usually @ and IN, are optional, so yea writing a parser for that is super fun.
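As an added example that is not code from this thread, from certbot or from zsu: a Python version of the same auth/cleanup hook that handles the SOA cases just described (a record split across lines with parentheses, interleaved ; comments, optional owner/class fields) by tokenising the file with comments and parentheses dropped and then taking the third RDATA token after SOA as the serial. It also removes only the exact challenge line for the current validation, which matters for the wildcard command earlier in the thread, where two TXT records share the name _acme-challenge.example.com. The zone name, the /var/named/db.example.com.conf path (taken from the earlier script), the lock file name, the named-checkzone step and the sample zone text are all assumptions for this example.

```python
#!/usr/bin/env python3
# Hypothetical certbot manual hook that edits a BIND zone file in place.
# Usage: auth.py auth|cleanup  (CERTBOT_DOMAIN / CERTBOT_VALIDATION are set by certbot)
import fcntl
import os
import re
import shutil
import subprocess
import sys

ZONE = "example.com"                        # assumed zone name
ZONEFILE = f"/var/named/db.{ZONE}.conf"     # assumed path, as in the bash hook above
LOCKFILE = ZONEFILE + ".lock"               # assumed lock file for serialising hook runs

# One pass yields comments, quoted strings, parentheses and bare words, in that priority.
_TOKEN = re.compile(r';[^\n]*|"(?:[^"\\]|\\.)*"|[()]|[^\s;()"]+')
_SAFE_DOMAIN = re.compile(r"[A-Za-z0-9._-]+")
_SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")   # DNS-01 value is base64url, nothing else

def tokens(text):
    """Yield (token, start, end) for every token that is not a comment or a paren.
    Dropping '(' and ')' is what makes a multi-line SOA look like a single-line one."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith(";") or tok in ("(", ")"):
            continue
        yield tok, m.start(), m.end()

def bump_serial(text):
    """Return text with the SOA serial incremented in place (RFC 1982 wrap at 2^32)."""
    toks = list(tokens(text))
    for i, (tok, _, _) in enumerate(toks):
        if tok.upper() == "SOA":
            # SOA RDATA is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            if i + 3 >= len(toks):
                raise ValueError("truncated SOA record")
            serial, start, end = toks[i + 3]
            if not serial.isdigit():
                raise ValueError(f"SOA serial is not numeric: {serial!r}")
            return text[:start] + str((int(serial) + 1) % 2**32) + text[end:]
    raise ValueError("no SOA record found")

def challenge_line(domain, validation):
    # Refuse anything that could smuggle a newline, comment or extra record into the zone.
    if not _SAFE_DOMAIN.fullmatch(domain) or not _SAFE_VALUE.fullmatch(validation):
        raise ValueError("refusing to write unexpected characters into the zone")
    return f'_acme-challenge.{domain}. 1 IN TXT "{validation}"'

def add_challenge(text, domain, validation):
    if not text.endswith("\n"):
        text += "\n"
    return bump_serial(text + challenge_line(domain, validation) + "\n")

def remove_challenge(text, domain, validation):
    """Drop only the line for this exact validation: a wildcard issuance puts two TXT
    records on the same name and each cleanup call must remove just its own."""
    wanted = challenge_line(domain, validation)
    lines = text.splitlines(keepends=True)
    kept = [l for l in lines if l.rstrip("\r\n") != wanted]
    if len(kept) == len(lines):
        raise ValueError("challenge record not found")
    return bump_serial("".join(kept))

# Constructed sample zone: SOA split over lines, with comments (one even says "SOA").
SAMPLE_ZONE = """$TTL 3600
; the SOA below is deliberately split across lines with comments
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2019030446 ;Serial Number
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
@ IN NS ns1.example.com.
"""

def main(mode):
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    edit = {"auth": add_challenge, "cleanup": remove_challenge}[mode]
    with open(LOCKFILE, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)           # serialise concurrent hook invocations
        with open(ZONEFILE) as f:
            new_text = edit(f.read(), domain, validation)
        tmp = ZONEFILE + ".tmp"
        with open(tmp, "w") as f:
            f.write(new_text)
        shutil.copymode(ZONEFILE, tmp)
        # Validate before swapping so a bad edit never reaches named.
        subprocess.run(["/usr/sbin/named-checkzone", ZONE, tmp], check=True)
        os.replace(tmp, ZONEFILE)                  # atomic: never a half-written zone file
    subprocess.run(["/usr/sbin/rndc", "reload", ZONE], check=True)

if __name__ == "__main__":
    main(sys.argv[1])
```

The certbot invocation is the same as the one quoted earlier, pointing --manual-auth-hook and --manual-cleanup-hook at this script with auth and cleanup as the argument. The lock plus write-to-temp-then-rename addresses the "locking the file" worry from earlier in the thread; the named-checkzone call replaces the "pray we didn't mess the zonefile up" step with an actual check.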


Pretty cool - as you say, it even works with multi-line SOA with interspersed comments! So you could probably just replace the serial bumping part with that and be done with it.

Maybe also adding a routine to recursively query for SOA to find what the required zonefile is for any domain.
