The Usual Tech Ramblings

Bind, Dynamic Zones, and Updates

I’ve recently moved my primary domain over to a dynamic zone. I did this to allow for me to do some tweaking remotely, and auto-updating (using keys) for certain DNS records so I can connect to my network at home if I want to access resources here. This led to an interesting issue with updating the zone files…

Usually editing is pretty easy, open the file in vim, update the records I want to change/add, save, then reload the zone file, using rndc reload [zone]. This usually works out okay. I say “usually” because dynamic zones are slightly different.

Inside my named.conf file, I define the configurations with a key, and a zone which allows updating. The key section looks like this:

key "myupdatekey" {
    algorithm hmac-md5;
    secret "somerandomkeysgeneratedusingfunction==";

This allows the zone updates to be secured to only machines that know the key1. Then we have the zone section that defines allowing the zone to be updated…

zone "" {
    allow-update {
        key myupdatekey;
    type master;
    file "pri/";
    notify yes;

This then allows me to use a nifty php script, and some dandy work with DD-WRT, I can now dynamically update this domain2.

This is all great, however, when you try updating a zone file that Bind thinks is dynamic, then reloading it, bind throws an error…

# rndc reload
rndc: 'reload' failed: dynamic zone

This reminds you that it won’t allow you to reload a dynamic zone. So you have to tell bind to temporarily stop allowing dynamic updates. This is handled with the freeze option.

rndc freeze

You won’t see any status reporting it did anything unless you checkout the syslogs, where you’ll see something like this:

Aug 22 00:15:59 titan named[5642]: freezing zone '': success

Now you’re free to edit the zone file using your favorite editor once again. When you’re satisfied with all your changes, you need to tell bind to reload, and allow dynamic updates again. To get things going, just thaw your zone…

rndc reload
rndc thaw

If you have secondary servers setup, and you have notify enabled, you should see this in your logs…

Aug 22 00:56:40 titan named[5642]: zone loaded serial 2008082101                                                    
Aug 22 00:56:40 titan named[5642]: zone sending notifies (serial 2008082101)    
Aug 22 00:56:47 titan named[5642]: thawing zone': success 

Now Bind will allow dynamic zone updates again, and you now have your new/modified entries in your zone configurations.

  1. Key was generated using tools shipped with bind, details are in the [manual][2]

  2. I’m still in the process of writing up the details on that