Paul van der Vlis via bind-users wrote:

> But how could I refresh the key without losing the IP?
I was in a similar situation. I managed my zone files mostly manually, but a few records needed to be updated automatically. Either manual changes would obliterate automatically updated records, as you found, or else automatic updates would cause Bind to rearrange the zone files and lose all comments, making manual editing much harder. I have arrived at what I think is a working solution. I'm still monitoring to see how it works.

I now make all changes through dynamic updates (like with nsupdate), using different TSIG keys with different privileges in update-policy. Signing and key rotation are handled automatically by Bind, using dnssec-policy.

I use nsdiff (https://dotat.at/prog/nsdiff/) and nsupdate to apply manual changes. That way I still have hand-written zone files with comments, so I can keep an overview, but Bind never sees them. The zone files that Bind uses are managed by Bind and don't need to be easy to read.

I have a wrapper script that calls nsdiff to compare each hand-written zone file to the corresponding zone on the server, specifying a pattern with -i to tell nsdiff which records are managed in other ways. The wrapper then displays the changes, asks for approval, and then applies the changes through nsupdate.

My TSIG key for manual changes, which has much greater privileges than the keys for specific automatic updates, is stored in an encrypted keyring managed with Pass (https://www.passwordstore.org/). My wrapper requests the key from Pass – which requires me to type the master passphrase – and passes it to nsdiff and to nsupdate using pipes so that the decrypted key is never written to even a temporary file.

I found that inline-signing breaks nsdiff. I recommend an explicit "inline-signing no;" in each zone to prevent problems. Bind will then not keep an unsigned version of the zone, and it doesn't need to when all changes are made through dynamic updates.

Björn Persson
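The wrapper workflow described in the post (compare a hand-written zone file against the live zone with nsdiff, show the diff, ask for approval, apply it with nsupdate, and hand the TSIG secret over through pipes rather than a file) is sketched below as an added example. This is not Björn's script and not part of the nsdiff or BIND projects; the server address, the pass entry name, the key name and algorithm, and the ignore pattern are placeholders, and the nsdiff options used (-i, -k, -s) are assumed from its manual page, so check them against your installed version. The secret travels through FIFOs in a mode-0700 temporary directory, which is the POSIX-sh equivalent of bash process substitution.

```shell
#!/bin/sh
# Added example (not the poster's script): review-and-apply wrapper around
# nsdiff and nsupdate. Hand-written zone files stay the source of truth; BIND
# only ever receives dynamic updates signed with a TSIG key fetched from pass.
set -eu

SERVER="${SERVER:-127.0.0.1}"                # placeholder: primary server
PASS_ENTRY="${PASS_ENTRY:-dns/tsig/manual}"  # placeholder: pass entry with the secret
KEY_NAME="${KEY_NAME:-manual-key}"           # placeholder: key name in update-policy
KEY_ALG="${KEY_ALG:-hmac-sha256}"
# Records owned by other update keys (here, ACME challenge records) that the
# hand-written file must not be allowed to clobber. Placeholder pattern.
IGNORE_REGEX='^_acme-challenge\.'

# Render a TSIG secret in the key-statement format that nsupdate -k and
# dig -k (nsdiff uses dig for the zone transfer) both read.
tsig_keyfile() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# True if an nsupdate script produced by nsdiff contains any update lines.
has_changes() {
    grep -q '^update ' "$1"
}

# Write the key statement into a FIFO from the background. The consumer drains
# it; the plaintext key never exists as a regular file.
feed_key() {
    tsig_keyfile "$KEY_NAME" "$KEY_ALG" "$SECRET" > "$1" &
    FEEDERS="${FEEDERS:-} $!"
}

cleanup() {
    for p in ${FEEDERS:-}; do kill "$p" 2>/dev/null || true; done
    rm -rf "$tmp"
}

apply_zone() {
    zone=$1; zonefile=$2
    mkfifo "$tmp/key.diff" "$tmp/key.upd"
    feed_key "$tmp/key.diff"
    # Exit status 0 or 1 from nsdiff means "compared"; anything higher is an error.
    if nsdiff -i "$IGNORE_REGEX" -k "$tmp/key.diff" -s "$SERVER" \
           "$zone" "$zonefile" > "$tmp/changes"; then :; else
        if [ $? -gt 1 ]; then echo "$zone: nsdiff failed" >&2; return 2; fi
    fi
    if ! has_changes "$tmp/changes"; then
        echo "$zone: no changes"
    else
        echo "=== proposed changes for $zone ==="
        cat "$tmp/changes"
        printf 'Apply to %s on %s? [y/N] ' "$zone" "$SERVER"
        read -r answer
        case $answer in
            y|Y) feed_key "$tmp/key.upd"
                 nsupdate -k "$tmp/key.upd" "$tmp/changes" ;;
            *)   echo "$zone: skipped" ;;
        esac
    fi
    rm -f "$tmp/key.diff" "$tmp/key.upd" "$tmp/changes"
}

main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 ZONE ZONEFILE [ZONE ZONEFILE ...]" >&2
        return 0
    fi
    if [ $(( $# % 2 )) -ne 0 ]; then echo "zones and files must pair up" >&2; return 2; fi
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    trap cleanup EXIT INT TERM
    SECRET=$(pass show "$PASS_ENTRY")   # one passphrase prompt, reused per zone
    while [ $# -ge 2 ]; do
        apply_zone "$1" "$2"
        shift 2
    done
}

main "$@"
```

Run it as `./nszones.sh example.net zones/example.net` (or several zone/file pairs). The manual key only needs the grants you give it in update-policy, and because BIND manages the on-disk zone (and with "inline-signing no;" keeps no separate unsigned copy), the hand-written file is never read by named at all.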