Andrew Tunnell-Jones / Log
2019-12-19

Is your HTTP DNS API as capable as DNS UPDATE (RFC 2136)?

I rarely want to do a single operation when I make changes to a zone. Generally I'll want to remove at least one RR or RRset, and add a replacement in place. If I'm doing a change across a few zones, I'll often want to make sure I'm changing what I think I'm changing. DNS UPDATE is capable of all of this in a single atomic operation. Changing mail hosts with BIND's nsupdate looks like this:

zone example.com
; require these exact RRsets to exist:
prereq yxrrset example.com MX 1 aspmx.l.google.com.
prereq yxrrset example.com MX 5 alt1.aspmx.l.google.com.
prereq yxrrset example.com MX 5 alt2.aspmx.l.google.com.
prereq yxrrset example.com MX 10 alt3.aspmx.l.google.com.
prereq yxrrset example.com MX 10 alt4.aspmx.l.google.com.
prereq yxrrset example.com TXT "v=spf1 include:_spf.google.com ~all"
; require that these names do not exist:
prereq nxdomain fm1._domainkey.example.com
prereq nxdomain fm2._domainkey.example.com
prereq nxdomain fm3._domainkey.example.com
; replace MX records
update del example.com MX
update add example.com 3600 MX 10 in1-smtp.messagingengine.com
update add example.com 3600 MX 20 in2-smtp.messagingengine.com
; replace SPF record
update del example.com 3600 TXT "v=spf1 include:_spf.google.com ~all"
update add example.com 3600 TXT "v=spf1 include:spf.messagingengine.com ?all"
; add DKIM records
update add fm1._domainkey.example.com 3600 CNAME fm1.example.com.dkim.fmhosted.com
update add fm2._domainkey.example.com 3600 CNAME fm2.example.com.dkim.fmhosted.com
update add fm3._domainkey.example.com 3600 CNAME fm3.example.com.dkim.fmhosted.com

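To make the check-then-change semantics of the script above concrete, here is an added Python model (example code written for this page, not code from the post, from BIND or from Knot) of how an RFC 2136 server processes one UPDATE message: it tokenises an abridged copy of the nsupdate script, evaluates the prerequisite section against a constructed in-memory zone, and applies the update section only if every prerequisite holds, so the zone is changed completely or not at all. The zone layout, the `SCRIPT` constant and all function names are assumptions of the example; real servers compare RRs in canonical wire form, enforce the zone section and authenticate the request with TSIG, none of which is modelled here.

```python
"""Toy RFC 2136 UPDATE processor: check the prerequisite section, then apply the update
section atomically. Added example, not code from the post; it omits classes, wire format and TSIG."""
import shlex
from copy import deepcopy
# RCODEs a failed prerequisite produces (RFC 2136 section 2.2)
NOERROR, NXDOMAIN, YXDOMAIN, YXRRSET, NXRRSET = "NOERROR", "NXDOMAIN", "YXDOMAIN", "YXRRSET", "NXRRSET"
# Abridged form of the post's nsupdate script (comments, two MX prereqs and fm2/fm3 dropped)
SCRIPT = """
zone example.com
prereq yxrrset example.com MX 1 aspmx.l.google.com.
prereq yxrrset example.com MX 5 alt1.aspmx.l.google.com.
prereq yxrrset example.com MX 10 alt3.aspmx.l.google.com.
prereq yxrrset example.com TXT "v=spf1 include:_spf.google.com ~all"
prereq nxdomain fm1._domainkey.example.com
update del example.com MX
update add example.com 3600 MX 10 in1-smtp.messagingengine.com
update add example.com 3600 MX 20 in2-smtp.messagingengine.com
update del example.com 3600 TXT "v=spf1 include:_spf.google.com ~all"
update add example.com 3600 TXT "v=spf1 include:spf.messagingengine.com ?all"
update add fm1._domainkey.example.com 3600 CNAME fm1.example.com.dkim.fmhosted.com
"""

def sample_zone():
    """Constructed zone satisfying the prerequisites: name -> type -> {rdata: ttl}."""
    # TXT rdata is stored unquoted because shlex strips the quotes when tokenising
    mx = ["1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com.", "10 alt3.aspmx.l.google.com."]
    return {"example.com": {"MX": {r: 3600 for r in mx},
                            "TXT": {"v=spf1 include:_spf.google.com ~all": 3600}}}

def canon(n):
    return n.lower().rstrip(".")  # owner names: case-insensitive, no trailing dot

def parse(script):
    """nsupdate-style lines -> prereq (op, name, type, rdata) and update (op, name, ttl, type, rdata)."""
    prereqs, updates = [], []
    for raw in script.splitlines():
        t = shlex.split(raw) if not raw.lstrip().startswith(";") else []
        if not t or t[0] == "zone":          # blank, comment, or the zone line
            continue
        if t[0] == "prereq":
            rtype = t[3].upper() if len(t) > 3 else None
            prereqs.append((t[1], canon(t[2]), rtype, " ".join(t[4:]) or None))
        elif t[:2] == ["update", "add"]:
            updates.append(("add", canon(t[2]), int(t[3]), t[4].upper(), " ".join(t[5:])))
        elif t[0] == "update" and t[1] in ("del", "delete"):
            rest = t[3:]
            if rest and rest[0].isdigit():   # nsupdate accepts and ignores a TTL here
                rest = rest[1:]
            rtype = rest[0].upper() if rest else "ANY"
            updates.append(("del", canon(t[2]), 0, rtype, " ".join(rest[1:]) or None))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return prereqs, updates

def check_prereqs(zone, prereqs):
    """RFC 2136 section 3.2; yxrrset lines with rdata are merged per name/type and must equal the RRset."""
    wanted = {}
    for op, n, rtype, rdata in prereqs:
        rrsets = zone.get(n, {})
        if op == "yxdomain" and not rrsets:
            return NXDOMAIN
        if op == "nxdomain" and rrsets:
            return YXDOMAIN
        if op == "nxrrset" and rtype in rrsets:
            return YXRRSET
        if op == "yxrrset" and rdata is None and rtype not in rrsets:
            return NXRRSET
        if op == "yxrrset" and rdata is not None:
            wanted.setdefault((n, rtype), set()).add(rdata)
    for (n, rtype), rdatas in wanted.items():
        if set(zone.get(n, {}).get(rtype, {})) != rdatas:   # TTLs are ignored here
            return NXRRSET
    return NOERROR

def apply_updates(zone, updates):
    """RFC 2136 section 3.4.2, applied in order to a working copy."""
    for op, n, ttl, rtype, rdata in updates:
        rrsets = zone.setdefault(n, {})
        if op == "add":
            rrsets.setdefault(rtype, {})[rdata] = ttl  # same rdata present: TTL replaced
        elif rtype == "ANY":
            rrsets.clear()                             # delete every RRset at the name
        elif rdata is None:
            rrsets.pop(rtype, None)                    # delete the whole RRset
        else:
            rrsets.get(rtype, {}).pop(rdata, None)     # delete one RR
        zone[n] = {k: v for k, v in rrsets.items() if v}  # drop emptied RRsets
        if not zone[n]:
            del zone[n]                                # name no longer exists

def dns_update(zone, script):
    """One UPDATE transaction -> (rcode, zone); on a failed prerequisite the input zone is returned untouched."""
    prereqs, updates = parse(script)
    work = deepcopy(zone)
    rcode = check_prereqs(work, prereqs)
    if rcode != NOERROR:
        return rcode, zone
    apply_updates(work, updates)
    return NOERROR, work
```

Running `dns_update(sample_zone(), SCRIPT)` returns `NOERROR` with the new MX, SPF and DKIM data in place. Add or change one MX record in the zone first and the same call returns `NXRRSET` with the original zone object untouched; create `fm1._domainkey.example.com` first and it returns `YXDOMAIN`. That refusal to touch a zone that no longer matches what the operator believed is the property that makes prerequisites worth having when the same change is pushed to several zones.
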
Knot's knsupdate works the same, and for specialised situations there are libraries for most programming languages. Variety in clients is one of the benefits of being built on regular DNS underpinnings. This benefits the server side too. Since the user interface is the client, only the client needs to know about the presentation format of a new RR. For servers, new types are just a binary blob.

Does your HTTP DNS API allow multiple changes with prerequisites in a single transaction? Does it have multiple client programs and libraries? Is it able to handle any RR type, both today and tomorrow?