CR-2026-03-04: VyOS BIND DNS Records

Change Summary

CR ID     CR-2026-03-04-001
Date      2026-03-04
Priority  P1
Type      DNS Record Addition
Systems   bind-01 (primary), bind-02 (secondary)
Status    Completed

Objective

Add vyos-01 (10.50.1.2) and vyos-02 (10.50.1.3) DNS records to BIND forward and reverse zones. Prerequisite for VyOS HA deployment.

Records Added

Type  Name                     Value
A     vyos-01                  10.50.1.2
A     vyos-02                  10.50.1.3
PTR   2.1.50.10.in-addr.arpa   vyos-01.inside.domusdigitalis.dev.
PTR   3.1.50.10.in-addr.arpa   vyos-02.inside.domusdigitalis.dev.

Implementation

Phase 1: Pre-Validation

# Verify BIND accessibility
ssh bind-01 "systemctl is-active named && echo 'BIND OK'"

# Confirm records don't exist yet
dig +short vyos-01.inside.domusdigitalis.dev @10.50.1.90
dig +short vyos-02.inside.domusdigitalis.dev @10.50.1.90
# Expected: (empty)

# Capture current SOA serials
ssh bind-01 "sudo awk '/Serial/ {print \"Forward:\", \$1}' /var/named/inside.domusdigitalis.dev.zone"
ssh bind-01 "sudo awk '/Serial/ {print \"Reverse:\", \$1}' /var/named/10.50.1.rev"

Phase 2: Backup Zone Files

ssh bind-01

TIMESTAMP=$(date +%Y%m%d-%H%M%S)
sudo cp /var/named/inside.domusdigitalis.dev.zone /var/named/inside.domusdigitalis.dev.zone.bak.$TIMESTAMP
sudo cp /var/named/10.50.1.rev /var/named/10.50.1.rev.bak.$TIMESTAMP

ls -la /var/named/*.bak.*

Phase 3: Add Forward Zone A Records

# Find insertion point (before Identity Services section)
INSERT_LINE=$(sudo awk '/^; Identity Services/ {print NR; exit}' /var/named/inside.domusdigitalis.dev.zone)
echo "Insert BEFORE line: $INSERT_LINE"

# Verify context
sudo awk -v line=$INSERT_LINE 'NR>=line-5 && NR<line' /var/named/inside.domusdigitalis.dev.zone

# Increment SOA serial
sudo sed -i 's/2026030102/2026030401/' /var/named/inside.domusdigitalis.dev.zone

# Insert A records
sudo sed -i "${INSERT_LINE}i\\
; VyOS Routers (.2-.3)\\
vyos-01         IN  A       10.50.1.2\\
vyos-02         IN  A       10.50.1.3\\
" /var/named/inside.domusdigitalis.dev.zone

# Validate zone
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone

# Reload zone
sudo rndc reload inside.domusdigitalis.dev

# Verify
dig +short vyos-01.inside.domusdigitalis.dev @127.0.0.1
dig +short vyos-02.inside.domusdigitalis.dev @127.0.0.1

Phase 4: Add Reverse Zone PTR Records

# Find insertion point
REV_INSERT_LINE=$(sudo awk '/^; Identity Services/ {print NR; exit}' /var/named/10.50.1.rev)

# Increment SOA serial
sudo sed -i 's/2026022401/2026030401/' /var/named/10.50.1.rev

# Insert PTR records
sudo sed -i "${REV_INSERT_LINE}i\\
; VyOS Routers\\
2       IN  PTR     vyos-01.inside.domusdigitalis.dev.\\
3       IN  PTR     vyos-02.inside.domusdigitalis.dev.\\
" /var/named/10.50.1.rev

# Validate
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev

# Reload
sudo rndc reload 1.50.10.in-addr.arpa

# Verify
dig +short -x 10.50.1.2 @127.0.0.1
dig +short -x 10.50.1.3 @127.0.0.1

Phase 5: Post-Validation

exit  # Exit bind-01

# Forward lookups via BIND
dig +short vyos-01.inside.domusdigitalis.dev @10.50.1.90
dig +short vyos-02.inside.domusdigitalis.dev @10.50.1.90

# Reverse lookups via BIND
dig +short -x 10.50.1.2 @10.50.1.90
dig +short -x 10.50.1.3 @10.50.1.90

# Verify AXFR to bind-02
dig +short vyos-01.inside.domusdigitalis.dev @10.50.1.91
dig +short vyos-02.inside.domusdigitalis.dev @10.50.1.91
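The AXFR check above only shows that the two names resolve on bind-02; it does not prove the secondary is serving the same zone version as the primary. Comparing the SOA serial answered by each server is the direct test, and it also catches the inverse failure, a secondary whose serial is ahead of the primary (what a rollback of the zone file without a serial bump leaves behind). The functions below are an added example, not part of this change record: zone and server names follow the CR, and the two answer lines in the demo are constructed rather than captured.

```shell
#!/bin/sh
# serial_of LINE: print the serial field from a `dig +short ZONE SOA` answer line,
# which has the layout "mname rname serial refresh retry expire minimum".
serial_of() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# zone_in_sync PRIMARY_LINE SECONDARY_LINE: compare the two SOA answers.
# Exit 0 = serials match, 1 = secondary lags (transfer pending or failed),
# 2 = secondary is AHEAD of the primary (primary was rolled back without a bump).
zone_in_sync() {
    p=$(serial_of "$1")
    s=$(serial_of "$2")
    if [ "$p" -eq "$s" ]; then
        return 0
    elif [ "$s" -lt "$p" ]; then
        return 1
    else
        return 2
    fi
}

# zone_sync_status ZONE PRIMARY_IP SECONDARY_IP: live version of the check; asks
# both servers with dig and explains the result. Needs network access to the
# name servers, so it is not exercised by the demo below.
zone_sync_status() {
    p=$(dig +short "$1" SOA "@$2")
    s=$(dig +short "$1" SOA "@$3")
    if [ -z "$p" ] || [ -z "$s" ]; then
        echo "$1: no SOA answer from $2 or $3" >&2
        return 3
    fi
    zone_in_sync "$p" "$s"
    rc=$?
    case $rc in
        0) echo "$1: in sync at serial $(serial_of "$p")" ;;
        1) echo "$1: secondary lags (primary $(serial_of "$p"), secondary $(serial_of "$s"))" ;;
        2) echo "$1: secondary AHEAD (primary $(serial_of "$p"), secondary $(serial_of "$s")); bump the primary serial above $(serial_of "$s")" ;;
    esac
    return $rc
}

# Demo with constructed answer lines (no network): the state a rollback leaves
# when the pre-change file, still at serial 2026030102, is restored on the
# primary while bind-02 already holds 2026030401.
PRIMARY_SOA='bind-01.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. 2026030102 3600 900 1209600 300'
SECONDARY_SOA='bind-01.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. 2026030401 3600 900 1209600 300'
zone_in_sync "$PRIMARY_SOA" "$SECONDARY_SOA" || echo "exit $?: secondary is ahead of primary"
```

In production the call is `zone_sync_status inside.domusdigitalis.dev 10.50.1.90 10.50.1.91` (and the same for 1.50.10.in-addr.arpa) after the Phase 5 lookups; a non-zero exit is the signal to stop and look at the serial before declaring the change complete.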

CLI Mastery: BIND Zone Management

SOA Serial Patterns

# Get current serial with dig + awk
# (SOA +short prints: mname rname serial refresh retry expire minimum)
CURRENT_SERIAL=$(dig @10.50.1.90 inside.domusdigitalis.dev SOA +short | awk '{print $3}')
echo "Current: $CURRENT_SERIAL"

# Serial format: YYYYMMDDNN. This gives today's first serial (NN=01); for a
# second change on the same day NN must be bumped so the new value is still
# greater than $CURRENT_SERIAL, otherwise the secondary will not transfer
NEW_SERIAL=$(date +%Y%m%d)01
echo "New: $NEW_SERIAL"

# sed to update serial (in-place), anchored to the Serial line so the same
# number appearing elsewhere in the file is left alone
sudo sed -i "/Serial/ s/${CURRENT_SERIAL}/${NEW_SERIAL}/" /var/named/inside.domusdigitalis.dev.zone
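The pattern above works for the first change of a day but has to be adjusted by hand for a second same-day change, and it silently produces a lower serial if the zone is already ahead of today's date. The functions below are an added example, not part of this change record: they compute the next serial as max(today01, current+1) so the result is always strictly greater, then apply it to the `; Serial` line of a zone file with the same awk/sed approach the CR uses. The zone fragment in the demo is constructed; the SOA names in it are assumptions, not the real zone.

```shell
#!/bin/sh
# next_serial CURRENT [TODAY]: print the next YYYYMMDDNN serial.
# First change of the day  -> TODAY01
# Further same-day changes -> CURRENT+1
# CURRENT already ahead of today (clock skew, typo) -> CURRENT+1
# In every case the result is strictly greater than CURRENT, which is the only
# thing the secondary cares about when deciding whether to transfer.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    candidate="${today}01"
    if [ "$cur" -ge "$candidate" ]; then
        candidate=$((cur + 1))
    fi
    printf '%s\n' "$candidate"
}

# bump_zone_serial FILE [TODAY]: rewrite the serial on the '; Serial' line in
# place and print the new value. Assumes the layout used in this CR, where the
# serial is the first field on the line commented "; Serial".
bump_zone_serial() {
    file=$1
    cur=$(awk '/; Serial/ {print $1; exit}' "$file")
    if [ -z "$cur" ]; then
        echo "no '; Serial' line found in $file" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$2")
    # anchor the substitution to the Serial line so an identical number
    # elsewhere in the zone (e.g. inside a TXT record) is not touched
    sed -i "/; Serial/ s/$cur/$new/" "$file"
    printf '%s\n' "$new"
}

# Demo on a constructed zone fragment (assumed SOA names, not the real file).
demo_zone=$(mktemp)
cat > "$demo_zone" <<'EOF'
$TTL 3600
@       IN  SOA bind-01.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. (
                2026030401 ; Serial
                3600       ; Refresh
                900        ; Retry
                1209600    ; Expire
                300 )      ; Minimum
        IN  NS  bind-01.inside.domusdigitalis.dev.
bind-01 IN  A   10.50.1.90
EOF
bump_zone_serial "$demo_zone" 20260304   # second change that day -> 2026030402
bump_zone_serial "$demo_zone" 20260305   # first change next day  -> 2026030501
# Validate the result the same way the CR does, when BIND tools are installed
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone inside.domusdigitalis.dev "$demo_zone"
fi
rm -f "$demo_zone"
```

On the real server the call would be `sudo sh -c '. ./serial.sh; bump_zone_serial /var/named/inside.domusdigitalis.dev.zone'` followed by the usual `named-checkzone` and `rndc reload`; because the function prints the new serial, the value can be recorded in the CR without a second dig.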

Zone Validation

# Always validate BEFORE reload
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev

# Check BIND config
sudo named-checkconf /etc/named.conf

Zone Reload

# Reload specific zone
sudo rndc reload inside.domusdigitalis.dev
sudo rndc reload 1.50.10.in-addr.arpa

# Force AXFR to the secondary: rndc retransfer only applies to a secondary
# zone, so it runs on bind-02; on the primary, resend NOTIFY instead
sudo rndc notify inside.domusdigitalis.dev
ssh bind-02 "sudo rndc retransfer inside.domusdigitalis.dev"

# Reload all zones
sudo rndc reload

sed for Zone Editing

# Insert lines BEFORE a pattern
sudo sed -i '/^; Identity Services/i\
; New Section\
record1         IN  A       10.50.1.100\
' /var/named/zone.file

# Insert at specific line number (double quotes so $INSERT_LINE expands;
# the continuation backslashes are therefore doubled, as in Phase 3)
sudo sed -i "${INSERT_LINE}i\\
newline content here\\
" /var/named/zone.file

# Replace serial (direct)
sudo sed -i 's/2026030102/2026030401/' /var/named/zone.file

awk for Line Detection

# Find line number of pattern
awk '/^; Identity Services/ {print NR; exit}' /var/named/zone.file

# Print lines in range (for verification)
awk -v line=$INSERT_LINE 'NR>=line-5 && NR<line' /var/named/zone.file

# Extract serial from zone file
awk '/Serial/ {print $1}' /var/named/zone.file

Rollback Procedure

ssh bind-01

# List backups
ls -la /var/named/*.bak.*

# Restore (replace TIMESTAMP)
TIMESTAMP=20260304-141500
sudo cp /var/named/inside.domusdigitalis.dev.zone.bak.$TIMESTAMP /var/named/inside.domusdigitalis.dev.zone
sudo cp /var/named/10.50.1.rev.bak.$TIMESTAMP /var/named/10.50.1.rev

# The backups still carry the pre-change serials (2026030102 / 2026022401),
# lower than the 2026030401 bind-02 already holds; bump them above it or the
# secondary keeps serving the vyos records
sudo sed -i 's/2026030102/2026030402/' /var/named/inside.domusdigitalis.dev.zone
sudo sed -i 's/2026022401/2026030402/' /var/named/10.50.1.rev

# Validate, then reload
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev
sudo rndc reload

# Verify records removed on primary and secondary
dig vyos-01.inside.domusdigitalis.dev @10.50.1.90
dig vyos-01.inside.domusdigitalis.dev @10.50.1.91
# Expected: NXDOMAIN

Key Lessons

Lesson                        Detail
Always back up first          Zone file backups with timestamps enable quick rollback
Validate before reload        named-checkzone catches syntax errors before production impact
Serial increment is critical  A forgotten serial bump means no AXFR to the secondary, leaving split-brain DNS
sed/awk for zone editing      More repeatable than manual vim editing