Lefteris Tsintjelis via bind-users <bind-users@lists.isc.org> wrote:

> On 26/6/2019 17:39, Grant Taylor via bind-users wrote:
> > Or are you wanting to update the zone contents without actually updating
> > the zone file on disk?
>
> Yes, exactly this. That is the reason I changed the actual zone disk
> file permissions to root thinking that files would not be modifiable,
> but bind surprised me there. I did not expect to change the file
> ownership from root to bind! The problem started with ACME actually as
> it always messes up my disk zone files and I have to always restore them.
> I would still like to use something like that in small DDNS zones also,
> serving just a few IPs only. Non-disk-writable/modifiable zones could
> perhaps add a small layer of extra security as well.
If you have a dynamic zone then it's best to work as if the zone file belongs to `named`. I configure `masterfile-format raw;` which removes the temptation to look at the files directly. Instead I use `dig axfr` or `named-compilezone -j`.

In most cases I keep the original source of the zone data elsewhere, e.g. a file stored in version control or a database, and I sync up the working copy of the zone with its source file using https://dotat.at/prog/nsdiff/

This also means I don't have to care about serial numbers or DNSSEC records because `named` takes care of those.

(I have a few less complicated zones where I don't have a separate source file and instead use `nsvi` to edit the working copy.)

You should have secondary servers for your zone, in which case ACME-related updates will be copied to the secondary and stored on disk there, so suppressing writes on the primary won't make any useful difference to how temporary the records are.

There are other ways to keep temporary dynamic records separate from your fixed data, e.g. you can delegate _acme-challenge.<host> to a separate dynamic zone, or to reduce the proliferation of zones, make _acme-challenge.<hosts> CNAMEs to consolidate them into one separate dynamic zone.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Irish Sea: Variable mainly northeasterly 4 or 5, occasionally 6 in south and 3 in north. Slight or moderate in south, smooth or slight in north. Fair. Good.
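A concrete layout for the separation Tony describes (static data in one zone, ACME challenges delegated to a small dynamic zone, per-host names consolidated into it with CNAMEs), as an added example that is not from the thread or from ISC. The domain example.com, the key name acme-update, the file paths and the nameserver ns1 are assumptions.

```conf
// --- named.conf fragment (added example; example.com, the key name and paths are assumed) ---

key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

// Fixed data: a plain static zone with no allow-update/update-policy,
// so named never rewrites this file and the ACME client cannot touch it.
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
};

// Temporary ACME TXT records live only here, in their own dynamic zone.
zone "_acme-challenge.example.com" {
    type master;
    file "/var/named/dynamic/_acme-challenge.example.com.raw";
    masterfile-format raw;        // named owns this file; inspect it with dig axfr
    update-policy {
        // the ACME client's key may only add/remove TXT records in this zone
        grant acme-update zonesub TXT;
    };
};

; --- example.com.db (static zone file, relevant records only) ---
; Delegate the challenge zone, and point each host's challenge name into it
; with a CNAME so one dynamic zone serves every host.
$ORIGIN example.com.
_acme-challenge          IN NS     ns1.example.com.
_acme-challenge.www      IN CNAME  www._acme-challenge.example.com.
_acme-challenge.mail     IN CNAME  mail._acme-challenge.example.com.

; --- _acme-challenge.example.com.txt (seed for the dynamic zone) ---
; Compile once to raw format, then leave the raw file to named:
;   named-compilezone -F raw -o /var/named/dynamic/_acme-challenge.example.com.raw \
;       _acme-challenge.example.com _acme-challenge.example.com.txt
$ORIGIN _acme-challenge.example.com.
$TTL 60
@   IN SOA  ns1.example.com. hostmaster.example.com. 1 3600 900 604800 60
@   IN NS   ns1.example.com.
```

The ACME client then sends its TXT updates (signed with acme-update) for names such as www._acme-challenge.example.com, and the static example.com file on disk is never rewritten.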