
I have an ISC BIND9 server (primary, standalone) and it's updated from ISC-DHCP on the same system. And everything seems to be working well with one exception:

I would like to maintain static records via files separate from the zone files using

```
$INCLUDE <filepath> [<origin>] ;comment
```

but BIND simply imports the records and removes the $INCLUDE statement. Is there a way to prevent this behavior?

UPDATE:

Per @Hakan's answer/comments, it appears so long as I am using DDNS updating from DHCP, any $INCLUDE statement is going to be processed and removed from the zone file.

Frobozz
  • Interesting question, but I suspect you will always have trouble when a given zone is both supposed to be edited manually (/use specific manual features) and dynamically by updates. Probably impossible late in the game, but it will always be simpler if the dynamic part can reside in its own separate zonefile, like with a subdomain of `.dyn.` or similar. – Patrick Mevzek Sep 05 '22 at 17:04
  • I can't see much point to the $INCLUDE if that is true... – Frobozz Sep 05 '22 at 17:11
  • @Frobozz Indeed, in the specific case where the zone has dynamic updates enabled, there is no point to any "formatting" of the zone file, including special directives such as `$INCLUDE`. – Håkan Lindqvist Sep 05 '22 at 17:16
  • $INCLUDE has a point... in a zone YOU (as human) manage, and not bind itself dynamically. See Håkan's reply that just goes deeper on that point. – Patrick Mevzek Sep 05 '22 at 17:16
  • @Hakan, can you cite a reference? I can't see much point to $INCLUDE except in a DDNS zone. If a zone file is only manually maintained, I see no advantage to spreading it across multiple included files? – Frobozz Sep 05 '22 at 17:55
  • @Frobozz For the premise presented in your comment, `$INCLUDE` (defined in [rfc1035](https://datatracker.ietf.org/doc/html/rfc1035.html#section-5.1) from 1987) predates dynamic updates (defined in [rfc2136](https://datatracker.ietf.org/doc/html/rfc2136) from 1997), so it's clearly not the case that `$INCLUDE` was designed for dynamic updates. As for BIND specifically, the overall handling is at least alluded to in a note in the [dynamic updates config section](https://bind9.readthedocs.io/en/latest/reference.html#dynamic-update-policies) that formatting is lost with dynamic updates – Håkan Lindqvist Sep 05 '22 at 19:15
  • @Frobozz I do not know if there is any BIND documentation that covers the interaction with e.g. `$INCLUDE` specifically, but with BIND rewriting the zone file based on the current contents that is the effect. There is also the conflict of "what if you update something that is in the include file?", but there is probably some theoretical approach that could have allowed for `$INCLUDE` to work in this scenario (some means of encoding that part of the include file contents have been cancelled out by updates?), but that is not something that BIND implements. – Håkan Lindqvist Sep 05 '22 at 19:24

1 Answer

Very short answer: no.

But more importantly, the situation is not limited to `$INCLUDE`; rather, the use of dynamic updates means that BIND manages the zone file contents entirely from then on. It will rewrite the file as needed to reflect the current contents (as you noticed), and if you were to just edit the zone file, that will break things.

I.e., with dynamic updates enabled, all changes to the zone are expected to happen through dynamic updates and the zone file is for BIND's use only.

Either split these use-cases into different zones, such that one is edited by hand (and can use `$INCLUDE`) and the other is updated via dynamic updates, or switch entirely to dynamic-update-based tooling (e.g. nsvi) for all zone management (that will not fix your original `$INCLUDE` problem, but it will let you manage the zone contents in general).

As a one-off means of manually editing a dynamic zone, there is also `rndc freeze` / `rndc thaw`, but that has the downside that it refuses dynamic updates while the zone is frozen.

Håkan Lindqvist
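
The "split into different zones" option from the answer above, as an added example that is not part of the original answer or of BIND's documentation: the parent zone stays hand-edited and keeps its `$INCLUDE`, while DHCP updates go to a delegated child zone restricted by a TSIG-keyed `update-policy`. The zone names, file paths, addresses and the key name `dhcp-ddns` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): split layout where the parent
# zone stays hand-edited and keeps $INCLUDE, and DHCP updates go to a child zone.
# Constructed values: example.com, dyn.example.com, key name dhcp-ddns, paths.
set -eu

write_split_zone_layout() {
dir=$1
mkdir -p "$dir"

# named.conf fragment: no update-policy on the parent, so BIND never rewrites
# its file; the child accepts only TSIG-signed updates for DHCP record types.
cat > "$dir/named.conf.local" <<'EOF'
include "/etc/bind/dhcp-ddns.key";   // assumed path to the TSIG key clause
zone "example.com" {
    type primary;
    file "db.example.com";           // edited by hand, then rndc reload
};
zone "dyn.example.com" {
    type primary;
    file "dynamic/db.dyn.example.com";  // owned by named, never hand-edited
    update-policy { grant dhcp-ddns zonesub A AAAA TXT DHCID; };
};
EOF

# Parent zone: delegates dyn to the same server and pulls in static records.
cat > "$dir/db.example.com" <<'EOF'
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. 2022090501 3600 900 604800 300
@    IN NS  ns1.example.com.
ns1  IN A   192.0.2.1
dyn  IN NS  ns1.example.com.
$INCLUDE static-hosts.inc
EOF

# The separately maintained static records the question asks about.
cat > "$dir/static-hosts.inc" <<'EOF'
printer  IN A  192.0.2.20
EOF

# Validate the hand-edited zone when BIND's tools are installed.
if command -v named-checkzone >/dev/null 2>&1; then
    (cd "$dir" && named-checkzone example.com db.example.com >/dev/null)
fi
}

# Run as: sh split-zone.sh /tmp/split-zone-demo
if [ -n "${1:-}" ]; then write_split_zone_layout "$1"; fi
```

The child zone file still needs an initial SOA and NS record before named will load it, and dhcpd's `ddns-domainname` has to point at the child zone (here `dyn.example.com`) for leases to land there.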