Hello,

Some preamble: Some time ago I created an open source DNS admin web GUI *1 that is basically a wrapper around dig and nsupdate that allows people with "less CLI knowledge" to easily manipulate DNS records. The main reason for this was that in our corporation we have about 400 internal DNS zones hosted on over 100 different BIND master servers, in more than 10 countries around the planet, and this tool allowed us to unify the management, as it allowed integration with different master servers, allows granular role-based access for individual zones (integrated with LDAP groups), includes some web API for our automation tools, etc.

Now to the actual problem: as I said, this tool is just a wrapper around nsupdate and dig. I like it that way because it's non-invasive; unlike other similar DNS admin panels, it doesn't require ANY changes to the DNS server configuration and it integrates well with other solutions already in place. The problem I have, however, is that nsupdate was created as a tool for humans rather than machines, and parsing its output and even giving it input is very hard. Plus some things don't even seem to be possible in it.

Is there any alternative to nsupdate, something that can work with XML or JSON payloads or provide output in such a machine-parseable format? For example, a typical problem I am facing right now is that nsupdate silently ignores things that IMHO shouldn't be ignored - for example when someone tries to add a record that already exists, or tries to add an A record over a CNAME, nsupdate silently ignores this; even in debug output I can't see any difference. In the first send the record is created, resulting in NOERROR; in the second identical send, the update is ignored, also resulting in NOERROR, so I have no way to tell users of my app that the record was not in fact created or changed (because it already exists). For example:

Here is an operation where I first add a CNAME record and then try to add an A record with the same name (imagine two different users were doing this, so user B was unaware that the CNAME already exists). You can see that in both cases nsupdate responds with the same answer, despite the record being created only in the first case. And on top of that, this answer is not easy to machine-parse.

> debug
> update add petrbena.test.zone. 600 CNAME this.is.test.
> send
Sending update to 10.15.12.17#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48433
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; UPDATE SECTION:
petrbena.test.zone.    600    IN    CNAME    this.is.test.

;; TSIG PSEUDOSECTION:
server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729680 300 16 xx== 48433 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48433
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; TSIG PSEUDOSECTION:
server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729680 300 16 xx== 48433 NOERROR 0

> update add petrbena.test.zone. 600 A 0.0.0.0
> send
Sending update to 10.15.12.17#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 30709
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;test.zone.            IN    SOA

;; UPDATE SECTION:
petrbena.test.zone.    600    IN    A    0.0.0.0

;; TSIG PSEUDOSECTION:

server. 0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1585729721 300 16 xx== 30709 NOERROR 0


Is there any alternative to nsupdate that can do this? Or some newer version of nsupdate that can accomplish this?

Thanks


*1 https://github.com/benapetr/dnsphpadmin
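One way to make the "record already exists" case visible, as an added example that is not part of the original post and not code from dnsphpadmin: use DNS UPDATE prerequisites (RFC 2136 section 2.4). If an add is guarded by "prereq nxrrset name TYPE" (or "prereq nxdomain name" for a CNAME), the server refuses the update with YXRRSET/YXDOMAIN instead of silently ignoring it, and nsupdate then prints "update failed: RCODE" on stderr (or, with "debug" on, the reply header carries "status: RCODE") and exits with status 2. The server address and zone come from the post's transcript; the key file path and the two sample nsupdate outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or dnsphpadmin).
# Emit an nsupdate script that adds one record only if it cannot collide
# with what is already there, so a duplicate add is refused, not ignored.
build_guarded_add() {
  server=$1; zone=$2; name=$3; ttl=$4; rtype=$5; rdata=$6
  printf 'server %s\n' "$server"
  printf 'zone %s\n' "$zone"
  if [ "$rtype" = "CNAME" ]; then
    # A CNAME may not coexist with any other data at the name.
    printf 'prereq nxdomain %s\n' "$name"
  else
    # Refuse if the name is already a CNAME, or already has this RRset.
    printf 'prereq nxrrset %s CNAME\n' "$name"
    printf 'prereq nxrrset %s %s\n' "$name" "$rtype"
  fi
  printf 'update add %s %s %s %s\n' "$name" "$ttl" "$rtype" "$rdata"
  printf 'send\n'
}

# Reduce nsupdate's human-oriented output to a single RCODE token.
# Without "debug", nsupdate prints "update failed: <RCODE>" on refusal and
# nothing on success; with "debug" the reply header shows "status: <RCODE>,".
classify_nsupdate_output() {
  printf '%s\n' "$1" | awk '
    /^update failed: / { print $3; found = 1; exit }
    /^Reply from update query:/ { inreply = 1 }
    inreply && /status: / { split($6, a, ","); rc = a[1] }
    END { if (!found) print (rc == "" ? "NOERROR" : rc) }'
}

# Run the guarded add against a live server (needs network; not exercised
# offline). KEYFILE is a placeholder for the TSIG key file path.
run_guarded_add() {
  keyfile=$1; shift
  out=$(build_guarded_add "$@" 2>&1 | nsupdate -k "$keyfile" 2>&1) || true
  classify_nsupdate_output "$out"
}

# Constructed sample outputs for offline checks (not captured from a server).
SAMPLE_REFUSED='update failed: YXRRSET'
SAMPLE_DEBUG_REFUSED='Sending update to 10.15.12.17#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 12345
;; flags:; ZONE: 1, PREREQ: 1, UPDATE: 1, ADDITIONAL: 1
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: YXDOMAIN, id: 12345'

# Example usage (prints the generated nsupdate script):
# build_guarded_add 10.15.12.17 test.zone. petrbena.test.zone. 600 A 0.0.0.0
```

The web layer can then map YXRRSET/YXDOMAIN to "record already exists / name is a CNAME" for the user, and treat only NOERROR as a confirmed change; checking nsupdate's exit status (2 on a refused update) gives the same signal without parsing at all.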
