
perryflynn / nsupdate-interactive


Edit dns zones with a text editor and RFC2136 nsupdate

Home Page: https://serverless.industries/2020/09/27/dns-nsupdate-howto.en.html

License: MIT License

Python 100.00%
rfc2136 dns dyndns dns-zone hmac-key nsupdate

nsupdate-interactive's Introduction

Interactive nsupdate

This script lets you interactively edit DNS records using RFC2136 dynamic updates, an HMAC key and nsupdate.

Requirements

  • dig
  • nsupdate
  • diff
  • colordiff
  • named-checkzone
  • An HMAC key that is allowed to update and transfer the DNS zone

Install packages on Ubuntu

apt install dnsutils diffutils colordiff bind9utils

named-checkzone was not found but package is installed

On Debian, named-checkzone is located in /usr/sbin. As a normal user you need to add that path to your $PATH variable or create a symlink in /usr/bin so that the shell and the tool can find the executable.

Parameters

usage: nsupdate-interactive.py [-h] (--zone example.com | --get-zone-slug example.com) [--dnsserver ns1.example.com]
                               [--ignore-rrtype RRSIG]

nsupdate-interactive

optional arguments:
  -h, --help            show this help message and exit
  --zone example.com    The zone name
  --get-zone-slug example.com
                        Slugify a zone name for hmac key envs
  --dnsserver ns1.example.com
                        DNS server to use
  --ignore-rrtype RRSIG
                        Ignore RR types, can be used multiple times

By default, the following RR types are ignored:
DNSKEY, RRSIG, NSEC, TYPE65534, CDS, CDNSKEY

Multiple HMAC Keys

Define multiple HMAC keys as environment variables as follows:

./src/nsupdate-interactive.py --get-zone-slug hüpf.net
HMAC_XN__HPF_HOA_NET
./src/nsupdate-interactive.py --get-zone-slug serverless.industries
HMAC_SERVERLESS_INDUSTRIES
export HMAC_XN__HPF_HOA_NET=hmac-sha256:my-huepfnet-keyname:THEKEYINBASE64FORMAT
export HMAC_SERVERLESS_INDUSTRIES=hmac-sha256:my-serverless-keyname:THEKEYINBASE64FORMAT

Then the script will look automatically for a per-domain HMAC key:

./nsupdate-interactive.py --zone nerdbridge.de
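
A sketch of the per-zone key lookup described above, added here as an example and not taken from the project's code. The slug rule is inferred from the two sample outputs; the lookup order, the algorithm allow-list and the names `find_key` and `write_keyfile` are assumptions. The key is written to a 0600 key file for `nsupdate -k` so the secret never appears on a command line.

```python
import base64
import os
import re
import tempfile

# Assumption: an allow-list chosen for this sketch, not taken from the project.
ALLOWED_ALGOS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}


def zone_slug(zone):
    """IDNA-encode the zone, uppercase it, turn every other character into '_'."""
    ascii_zone = zone.rstrip(".").encode("idna").decode("ascii")
    return "HMAC_" + re.sub(r"[^A-Z0-9]", "_", ascii_zone.upper())


def find_key(zone, env=os.environ):
    """Return (algorithm, keyname, secret) for a zone, validated before use."""
    # Assumption: the per-zone variable wins, plain HMAC is the fallback.
    raw = env.get(zone_slug(zone)) or env.get("HMAC")
    if not raw:
        raise KeyError("no HMAC key configured for " + zone)
    parts = raw.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected algorithm:keyname:secret")
    algo, name, secret = parts
    if algo not in ALLOWED_ALGOS:
        raise ValueError("unsupported algorithm: " + algo)
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("unexpected characters in key name")
    if not secret:
        raise ValueError("empty secret")
    base64.b64decode(secret, validate=True)  # raises on non-base64 input
    return algo, name, secret


def write_keyfile(algo, name, secret):
    """Write a named.conf-style key file readable only by the current user."""
    fd, path = tempfile.mkstemp(prefix="tsig_", suffix=".key")  # created 0600
    with os.fdopen(fd, "w") as handle:
        handle.write('key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n'
                     % (name, algo, secret))
    return path  # pass to `nsupdate -k <path>`, delete it afterwards
```

The name and secret checks also keep quotes and braces out of the generated key file.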

How it works

export HMAC=hmac-sha256:my-awesome-keyname:THEKEYINBASE64FORMAT
./nsupdate-interactive.py --zone example.com

The script will detect the authoritative name server of the specified zone by its SOA record and will generate a pretty formatted zone file. The file will be opened in $EDITOR (fallback is nano) afterwards.

After saving the file it will show a diff:

--- nsupdate_ns1.example.com_example.com_20200926T222019Z.org	2020-09-26 22:20:19.369097326 +0200
+++ nsupdate_ns1.example.com_example.com_20200926T222019Z.new	2020-09-26 22:20:33.768947883 +0200
@@ -49,7 +49,7 @@
 ;; Create new records
 ;; Feel free to add/modify records here
 update add                  example.com.   900  IN  TXT   "v=spf1 +mx -all"
-update add                  example.com.   900  IN  TXT   "Hello Nerds, how are you going?"
+update add                  example.com.   900  IN  TXT   "Hello Nerds, how are you going? :-)"
 update add                  example.com.  3600  IN  MX    10 example.com.
 update add                  example.com.  3600  IN  AAAA  ::1
 update add                  example.com.  3600  IN  A     127.0.0.1
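
Review bot: the changed TXT line sits next to a second apex TXT record (`v=spf1 +mx -all`, the context line above it), so the removal of the old string has to reach the server as a delete that carries the full old RDATA. A delete of `example.com. TXT` without data would remove the SPF record as well. Check the generated nsupdate batch file for this before approving changes to a name that has several records of the same type.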

If the diff is approved by pressing ENTER, the script will use the diff to generate an nsupdate batch file and send it to the nameserver.

The diff and the generated nsupdate batch file are saved as text files in the current working directory.

nsupdate-interactive's Issues

Filesystem error on partial zones.

Hi mate,

After having FreeIPA drop all my DNSSEC keys, I rolled a new master DNS server using bind for DNS - and found this tool just brilliant compared to having to edit the bind files directly. Using AXFR and nsupdate is a perfect way to do this.

I did find a problem with classless delegations - where there is a / in the zone name. It seems to treat it as a file delimiter for saving the temporary files.

An example of the zone file configuration in named.conf is:

zone "16/28.99.172.202.in-addr.arpa." in {
	type		master;
	file		"master/99.172.202.in-addr.arpa";
};

This is for delegation of a /28 worth of IP space from my ISP's DNS server.

The error message shown is:

Traceback (most recent call last):
  File "/root/nsupdate-interactive/src/nsupdate-interactive.py", line 192, in <module>
    main()
  File "/root/nsupdate-interactive/src/nsupdate-interactive.py", line 125, in main
    formatter.save(filename.format(version), records)
  File "/root/nsupdate-interactive/src/zoneutils/zonefileformatter.py", line 59, in save
    with open(file, 'w+') as f:
FileNotFoundError: [Errno 2] No such file or directory: 'nsupdate_127.0.0.1_16/28.99.172.202.in-addr.arpa._20220510T181137Z.org.db'

Looks like it might need some sanity checking on the filenames before a save - maybe substituting the / for a different character only for the file being saved to disk?
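
One way to do the filename check suggested in this issue, added here as an example and not the project's actual fix. The filename layout is copied from the traceback above; `safe_component` and `work_filename` are hypothetical names. Zone and server names are untrusted input to a file path, so the sketch both replaces unsafe characters and confirms the result stays inside the working directory.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

# Everything outside this set (including '/', '\\' and NUL) becomes '_'.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_component(value):
    """Make a zone or server name usable as part of a single file name."""
    return _UNSAFE.sub("_", value)


def work_filename(server, zone, version, workdir=".", now=None):
    """Build nsupdate_<server>_<zone>_<timestamp>.<version>.db inside workdir."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    name = "nsupdate_%s_%s_%s.%s.db" % (
        safe_component(server), safe_component(zone), stamp,
        safe_component(version))
    base = Path(workdir).resolve()
    path = (base / name).resolve()
    # Defence in depth: refuse anything that would land outside workdir.
    if path.parent != base:
        raise ValueError("refusing to write outside %s" % base)
    return path
```

Distinct zones such as `16/28...` and `16_28...` map to the same file name under this scheme; the timestamp keeps runs apart, but an escaping scheme would be needed if the name had to be reversible.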

RFE: Ability to ignore record types

When using this interface to edit zone files, the AXFR will pull in RRSIG and NSEC records - which probably shouldn't be edited manually, but also take up a hell of a lot of space.

It would be nice to see an option to build a list of record types that are ignored and not shown.
