nsupdate not updating Apex record

Question

nsupdate is only working for cnames. It seems the apex (A record for the root domain) is not updating. I have been able to add to the zone file by using "update add . 604800 A 1.1.1.1" but it puts it in the "$ORIGIN ." section of the zone file and I am unable to delete and update it. I have tried "update add . 604800 A 2.2.2.2" but no update happens. I also tried "update add example.com. 604800 A 2.2.2.2". I have placed a place holder record in the "$ORIGIN ." and the "$ORIGIN example.com." section of the zone file thinking it needs to find it to update it. I have tried deleting it and updating it also... nothing seems to work. I read somewhere that bind cant write to /etc/bind/zones so I put the zone file in /var/lib/bind. Bind has written to the file, but only once to put in a record in the "$ORIGIN ." section. Any advice?

My Zone file:

$ORIGIN .
$TTL 604800 ; 1 week
example.com.        IN SOA  ns1.example.com. admin.ns1.example.com. (
                24         ; serial
                604800     ; refresh (1 week)
                86400      ; retry (1 day)
                2419200    ; expire (4 weeks)
                604800     ; minimum (1 week)
                )
            NS  ns1.example.com.
            NS  ns2.example.com.
$ORIGIN example.com
@           A   5.5.5.5
ds1512      A   10.0.0.13
ds1817      A   10.0.0.14
home        CNAME   ds1817
ns1         A   10.0.0.6
ns2         A   10.0.0.3
roma        CNAME   ds1817
www         CNAME   example.com.

My commands with debug output:

brent@dnsdhcpserver:/var/lib/bind$ sudo nsupdate -d
> server 10.0.0.6
> zone example.com
> update delete @ A
> update add @ 604800 A 2.2.2.2
> send
Sending update to 10.0.0.6#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  25996
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
;; ZONE SECTION:
;example.com.       IN  SOA

;; UPDATE SECTION:
.           0   ANY A
.           604800  IN  A   172.16.1.10


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTZONE, id:  25996
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com.       IN  SOA

That didn't work so I tried:

> server 10.0.0.6
> prereq nxdomain example.com
> update add example.com. 604800 A 2.2.2.2
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  47462
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;example.com.       IN  SOA

;; ANSWER SECTION:
example.com.    604800  IN  SOA ns1.example.com. admin.ns1.example.com. 24 604800 86400 2419200 604800

;; AUTHORITY SECTION:
example.com.    604800  IN  NS  ns2.example.com.
example.com.    604800  IN  NS  ns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.    604800  IN  A   10.0.0.6
ns2.example.com.    604800  IN  A   10.0.0.3

Found zone name: example.com
The master is: ns1.example.com
Sending update to 10.0.0.6#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   8484
;; flags:; ZONE: 1, PREREQ: 1, UPDATE: 1, ADDITIONAL: 0
;; PREREQUISITE SECTION:
example.com.    0   NONE    ANY

;; UPDATE SECTION:
example.com.    604800  IN  A   172.16.1.11


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: YXDOMAIN, id:   8484
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;example.com.       IN  SOA

Can anyone see what I am missing?

"Any advice?" What do your logfiles say? In first case you have "NOTZONE" in output, that shows the names you use are not correct. Second case you say "prereq nxdomain example.com" which obviously will never be true, because if `example.com` does not exist, it means the zone does not exist and hence you can not add any records in it. — Patrick Mevzek, Oct 20 '21 at 19:57
The zone does exist because the DNS server is resolving the domain to the correct private IPs. But getting NOTZONE obviously means there is an issue, I just don't know what. I'd be happy to find a log file for nsupdate. Where would that log file be located? — Brént Russęll, Oct 21 '21 at 01:51
bind logfiles, not `nsupdate` ones. Logfiles are set up in your bind configuration. — Patrick Mevzek, Oct 21 '21 at 04:50
"The zone does exist because the DNS server is resolving the domain to the correct private IPs." — no, this is not entirely true. The zone "example.com" might have records like "a.b.example.com", in which case such a record will be successfully resolved despite the fact there is no zone "b.example.com". By the way, can you show us the DNS server configuration, at least the part where this zone is set up? Does it update other records this way? Also, do you use split DNS (views)? — Nikita Kipriyanov, Oct 21 '21 at 06:22

Nikita Kipriyanov · Answer 1 · 2021-10-21T08:51:00.857

Don't add the trailing dot to the RR name. Use it like this:

server my.dns.server
zone example.com
key example.com some-key-data
update delete example.com 604800 A
update add example.com 604800 A 192.0.2.1
send

I just tested it with A and MX record; it worked for me, the server is PowerDNS, the client is ISC nsupdate from bind-tools, authentication was via TSIG, the key name equals the zone name for simplicity.

I've got an impression you don't fully understand how $ORIGIN and @ work, so here is a little explanation. For the complete explanation see RFC1035.

On the wire these never appear. It's just a convience "syntax sugar" shortening your typing and reading of zone files. The following three examples define identical zones (I am lazy to complete SOA records, their exact values don't matter for our subject):

$ORIGIN example.com.
@ 604800 IN SOA ns1 ....
  604800 IN NS  ns1
ns1 3600 IN A 192.0.2.1
@ 3600 IN A 192.0.2.5

$ORIGIN .
example.com 604800 IN SOA ns1.example.com ....
$ORIGIN com.
example 604800 IN NS ns1.example
$ORIGIN ns1.example.com.
@ 3600 IN A 192.0.2.1
example.com. 3600 IN A 192.0.2.5

example.com. 604800 IN SOA ns1.example.com. ....
example.com. 604800 IN NS  ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN A 192.0.2.5

In the first example I didn't specify any RR name in the third line (NS RR after SOA RR), so parser will take it from the previous line. This behaviour is the precise reason for @ syntax existence: you can't leave the RR name field empty, as it will take the previous record name. If I skipped the @ at the last record, I'd define a second A record for ns1. So to define a record with the name equals to currently set origin (it'll be "apex" if the origin set to zone name) you can't use "empty name", because it will invoke this "take previous" behaviour. You either have to spell the full record name explicitly with the trailing dot so it won't append an origin (like it is written in other examples), change the origin, or use a special symbol @ which tells the parser: "don't repeat the previous name, here comes the origin naked", so the last line in the first example defines example.com..

The second example is just fancy demonstration how $ORIGIN and @ work together.

The third example doesn't use any sugar. This is real absolute data the zone holds in each of those three examples.

So, your record could be represented in the zone file as example.com after $ORIGIN ., or example.com. anywhere, or @ after $ORIGIN example.com., or even example after $ORIGIN com., it doesn't matter. These cases are all equal. Probably you are expecting to see "@" variant, but BIND may decide to spell it as any of those variants, so be prepared to recognize them all. And you can't force it to use any particular variant, sorry.

Another caveat could be you reading the zone file after update without first freezing it. Notice the "jnl" file next to the zone file; it is the journal where your updated data first stored. Only when you do the rndc freeze example.com the data is written into the zone file (but the zone is then locked for updates, to unlock you need to do the thaw operation or reload the server). The proper way to check if zone is updated or not is to do the actual DNS query, with dig or host or nslookup, whichever you like:

host -v example.com

This is spelled out in documentation, it has this example: `update add newhost.example.com 86400 A 172.16.1.1`. However it also depends if you used the `zone` pragma before or not. — Patrick Mevzek, Oct 20 '21 at 19:58
Yes, I have zone pragma before, and I have a TSIG key. (I reflected it in the answer, added my complete `nsupdate` script which works.) Also note: there is *no* trailing dot in the RR name in your example, exactly as I suggest. I think this dot is the root of the problem of the O.P. — Nikita Kipriyanov, Oct 20 '21 at 20:07
This is local DNS, the only IP updating it the dns server itself. I don't know what a TSIG key is but I assume it is for auth, I am not using it in any way. I took off the dot and I still don't get updates: server 10.0.0.6 zone example.com update delete example.com 604800 A update add example.com 604800 A 192.0.2.1 send I did get it to remove the "@ A 5.5.5.5" record in the $ORIGIN example.com and it inserted a new record in the "$ORIGIN ." of the zone file. But it will not delete the new record nor will it update it. — Brént Russęll, Oct 20 '21 at 20:29
This will not update the record either, individually sending or all at once: server 10.0.0.6 zone example.com update add example.com 604800 A 192.0.2.3 update add example.com. 604800 A 192.0.2.3 update add @ 604800 A 192.0.2.3 update add . 604800 A 192.0.2.3 send To be clear, the record is in the "$ORIGIN ." part of the zone file as " A 5.5.5.5". There is no @ symbol or period on the left side of the record. Would love other ideas of what to try. — Brént Russęll, Oct 20 '21 at 20:55
Never use the symbol "@" in `nsupdate`. It is not intented to be used inside DNS query, the only defined use for it is the convience placeholder in BIND zone file, to not to reassign the $ORIGIN back and forth. https://datatracker.ietf.org/doc/html/rfc1035#section-5.1 You can define a zone completely without it, just like you defined a SOA record. Also note, the "apex" record whose name coincides with the zone name is just ordinary record in the zone, nothing special here, except this coincidence. (I've got a strong impression you don't fully understand what is @.) — Nikita Kipriyanov, Oct 21 '21 at 06:27

nsupdate not updating Apex record

1 Answers1