CR-2026-03-04 - VyOS BIND DNS Records

Add vyos-01 (10.50.1.2) and vyos-02 (10.50.1.3) DNS records to BIND forward and reverse zones. Prerequisite for VyOS deployment.

CR ID:      CR-2026-03-04-001
Status:     Pending
Priority:   P1
Requester:  evanusmodestus
Date:       2026-03-04


Executive Summary

Item              Value
Change Type       DNS Record Addition
Target Systems    bind-01.inside.domusdigitalis.dev (BIND Primary DNS)
Records to Add    2 A records + 2 PTR records
Related Runbook   Add New Host Checklist
Master Project    VyOS Migration

Records to Add

Type  Name                     Value
A     vyos-01                  10.50.1.2
A     vyos-02                  10.50.1.3
PTR   2.1.50.10.in-addr.arpa   vyos-01.inside.domusdigitalis.dev.
PTR   3.1.50.10.in-addr.arpa   vyos-02.inside.domusdigitalis.dev.


Phase 0: pfSense DNS Overrides

pfSense host overrides provide immediate resolution. Add BEFORE BIND changes.

0.1 Add/Verify pfSense Host Overrides

dsource d000 dev/network
netapi pfsense dns list | grep -i vyos

If records don’t exist, add them:

netapi pfsense dns add -h vyos-01 -d inside.domusdigitalis.dev -i 10.50.1.2 --descr "VyOS HA Master"
netapi pfsense dns add -h vyos-02 -d inside.domusdigitalis.dev -i 10.50.1.3 --descr "VyOS HA Secondary"

If records exist with WRONG IPs, update them:

netapi pfsense dns update --id <ID> -h vyos-01 -d inside.domusdigitalis.dev -i 10.50.1.2
netapi pfsense dns update --id <ID> -h vyos-02 -d inside.domusdigitalis.dev -i 10.50.1.3

Phase 1: Pre-Validation

1.1 Verify BIND Accessibility

ssh bind-01.inside.domusdigitalis.dev "systemctl is-active named && echo 'BIND OK'"
Expected Output
active
BIND OK

1.2 Verify Records Do NOT Exist

dig +short vyos-01.inside.domusdigitalis.dev @10.50.1.90
Expected Output
(empty - no record exists)
dig +short vyos-02.inside.domusdigitalis.dev @10.50.1.90
Expected Output
(empty - no record exists)

1.3 Capture Current SOA Serials

ssh bind-01.inside.domusdigitalis.dev "sudo awk '/Serial/ {print \"Forward:\", \$1}' /var/named/inside.domusdigitalis.dev.zone"
Record Current Serial
Forward: _____________ (e.g., 2026030102)
ssh bind-01.inside.domusdigitalis.dev "sudo awk '/Serial/ {print \"Reverse:\", \$1}' /var/named/10.50.1.rev"
Record Current Serial
Reverse: _____________ (e.g., 2026022401)

Phase 2: Backup Zone Files

ssh bind-01.inside.domusdigitalis.dev
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
sudo cp /var/named/inside.domusdigitalis.dev.zone /var/named/inside.domusdigitalis.dev.zone.bak.$TIMESTAMP
sudo cp /var/named/10.50.1.rev /var/named/10.50.1.rev.bak.$TIMESTAMP
Verify Backups Created
ls -la /var/named/*.bak.*

Phase 3: Add Forward Zone A Records

3.1 Find Insertion Point

INSERT_LINE=$(sudo awk '/^; Identity Services/ {print NR; exit}' /var/named/inside.domusdigitalis.dev.zone)
echo "Insert BEFORE line: $INSERT_LINE"
Verify Context (5 lines before insertion point)
sudo awk -v line=$INSERT_LINE 'NR>=line-5 && NR<line' /var/named/inside.domusdigitalis.dev.zone

3.2 Increment SOA Serial

# Check current serial
sudo awk '/Serial/ {print $1}' /var/named/inside.domusdigitalis.dev.zone
# Increment serial (2026030102 → 2026030401)
sudo sed -i 's/2026030102/2026030401/' /var/named/inside.domusdigitalis.dev.zone
Verify Serial Updated
sudo awk '/Serial/ {print $1}' /var/named/inside.domusdigitalis.dev.zone

3.3 Insert A Records

sudo sed -i "${INSERT_LINE}i\\
; VyOS Routers (.2-.3)\\
vyos-01         IN  A       10.50.1.2\\
vyos-02         IN  A       10.50.1.3\\
" /var/named/inside.domusdigitalis.dev.zone
Verify Records Inserted
sudo awk '/vyos-0[12]/' /var/named/inside.domusdigitalis.dev.zone
Expected Output
vyos-01         IN  A       10.50.1.2
vyos-02         IN  A       10.50.1.3

3.4 Validate Forward Zone

sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
Expected Output
zone inside.domusdigitalis.dev/IN: loaded serial 2026030401
OK

3.5 Reload Forward Zone

sudo rndc reload inside.domusdigitalis.dev
Expected Output
zone reload up-to-date

3.6 Verify Forward Records

dig +short vyos-01.inside.domusdigitalis.dev @127.0.0.1
Expected Output
10.50.1.2
dig +short vyos-02.inside.domusdigitalis.dev @127.0.0.1
Expected Output
10.50.1.3

Phase 4: Add Reverse Zone PTR Records

4.1 Find Insertion Point

REV_INSERT_LINE=$(sudo awk '/^; Identity Services/ {print NR; exit}' /var/named/10.50.1.rev)
echo "Insert BEFORE line: $REV_INSERT_LINE"
Verify Context (5 lines before insertion point)
sudo awk -v line=$REV_INSERT_LINE 'NR>=line-5 && NR<line' /var/named/10.50.1.rev

4.2 Increment SOA Serial

# Check current serial
sudo awk '/Serial/ {print $1}' /var/named/10.50.1.rev
# Increment serial (2026022401 → 2026030401)
sudo sed -i 's/2026022401/2026030401/' /var/named/10.50.1.rev
Verify Serial Updated
sudo awk '/Serial/ {print $1}' /var/named/10.50.1.rev
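Steps 3.2 and 4.2 rewrite the serial with a literal `sed 's/OLD/NEW/'`, which does nothing (and says nothing) if the serial on disk is not the one captured in 1.3. The following helper, added here as an example and not part of the CR or of the bind-01 tooling, derives the next YYYYMMDDnn serial from whatever is in the file and fails if the rewrite did not take. It assumes GNU sed and a `<serial> ; Serial` line as the runbook's awk commands do; the zone file and date passed to it are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the CR: bump a BIND zone's SOA serial in the
# YYYYMMDDnn convention this runbook uses, and fail loudly instead of
# silently leaving the old serial behind, which is what a literal
# 's/OLD/NEW/' sed does when OLD is not the serial actually in the file.
# Assumes GNU sed (for -i) and a serial line of the form "<serial> ; Serial",
# as the awk commands in steps 1.3 and 3.2 already assume.
set -eu

# next_serial OLD [YYYYMMDD]: print the successor of OLD. If OLD already
# starts with today's date, increment the two-digit counter; otherwise
# restart at <today>01 (this is how 2026022401 became 2026030401 in 4.2).
next_serial() {
    old=$1; today=${2:-$(date +%Y%m%d)}
    if [ "$(printf '%.8s' "$old")" = "$today" ]; then
        n=${old#????????}; n=${n#0}      # strip the date, then a leading zero
        n=$((n + 1))
        if [ "$n" -gt 99 ]; then
            echo "serial counter exhausted for $today" >&2; return 1
        fi
        printf '%s%02d\n' "$today" "$n"
    else
        printf '%s01\n' "$today"
    fi
}

# read_serial ZONEFILE: print the current serial (first field of the Serial line).
read_serial() {
    awk '/; *Serial/ { print $1; exit }' "$1"
}

# bump_serial ZONEFILE [YYYYMMDD]: rewrite the serial in place and verify it.
bump_serial() {
    zone=$1
    cur=$(read_serial "$zone")
    [ -n "$cur" ] || { echo "no Serial line in $zone" >&2; return 1; }
    new=$(next_serial "$cur" "${2:-}")
    # Restrict the substitution to the Serial line so the same digits
    # elsewhere in the file (a TTL, another record) are never touched.
    sed -i "/; *Serial/ s/$cur/$new/" "$zone"
    [ "$(read_serial "$zone")" = "$new" ] ||
        { echo "serial update failed in $zone" >&2; return 1; }
    echo "$zone: $cur -> $new"
}
```

Run as `bump_serial /var/named/10.50.1.rev` on bind-01 in place of the hardcoded sed; the printed `old -> new` line is what goes into the "Record Current Serial" blank.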

4.3 Insert PTR Records

sudo sed -i "${REV_INSERT_LINE}i\\
; VyOS Routers\\
2       IN  PTR     vyos-01.inside.domusdigitalis.dev.\\
3       IN  PTR     vyos-02.inside.domusdigitalis.dev.\\
" /var/named/10.50.1.rev
Verify Records Inserted
sudo awk '/vyos-0[12]/' /var/named/10.50.1.rev
Expected Output
2       IN  PTR     vyos-01.inside.domusdigitalis.dev.
3       IN  PTR     vyos-02.inside.domusdigitalis.dev.

4.4 Validate Reverse Zone

sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev
Expected Output
zone 1.50.10.in-addr.arpa/IN: loaded serial 2026030401
OK

4.5 Reload Reverse Zone

sudo rndc reload 1.50.10.in-addr.arpa
Expected Output
zone reload up-to-date

4.6 Verify PTR Records

dig +short -x 10.50.1.2 @127.0.0.1
Expected Output
vyos-01.inside.domusdigitalis.dev.
dig +short -x 10.50.1.3 @127.0.0.1
Expected Output
vyos-02.inside.domusdigitalis.dev.

Phase 5: Post-Validation (From Workstation)

Exit bind-01 and run from workstation:

exit

5.1 Forward Lookups via BIND

dig +short vyos-01.inside.domusdigitalis.dev @10.50.1.90
dig +short vyos-02.inside.domusdigitalis.dev @10.50.1.90
Expected Output
10.50.1.2
10.50.1.3

5.2 Reverse Lookups via BIND

dig +short -x 10.50.1.2 @10.50.1.90
dig +short -x 10.50.1.3 @10.50.1.90
Expected Output
vyos-01.inside.domusdigitalis.dev.
vyos-02.inside.domusdigitalis.dev.

5.3 Forward Lookups via pfSense (Client Perspective)

dig +short vyos-01.inside.domusdigitalis.dev
dig +short vyos-02.inside.domusdigitalis.dev
Expected Output
10.50.1.2
10.50.1.3

Completion Checklist

Step  Description                                            Status
1.1   BIND accessible                                        [ ]
1.2   Records confirmed NOT existing                         [ ]
1.3   SOA serials captured                                   [ ]
2     Zone files backed up                                   [ ]
3.1   Forward insertion point found (INSERT_LINE set)        [ ]
3.2   Forward SOA serial incremented (sed)                   [ ]
3.3   Forward A records inserted (sed)                       [ ]
3.4   Forward zone validated (named-checkzone)               [ ]
3.5   Forward zone reloaded (rndc reload)                    [ ]
3.6   Forward records verified (dig @127.0.0.1)              [ ]
4.1   Reverse insertion point found (REV_INSERT_LINE set)    [ ]
4.2   Reverse SOA serial incremented (sed)                   [ ]
4.3   Reverse PTR records inserted (sed)                     [ ]
4.4   Reverse zone validated (named-checkzone)               [ ]
4.5   Reverse zone reloaded (rndc reload)                    [ ]
4.6   PTR records verified (dig @127.0.0.1)                  [ ]
5.1   Forward lookups via BIND (@10.50.1.90)                 [ ]
5.2   Reverse lookups via BIND (@10.50.1.90)                 [ ]
5.3   Lookups via pfSense (client perspective)               [ ]


Rollback Procedure

If issues occur, restore from backup:

ssh bind-01.inside.domusdigitalis.dev
# List backups
ls -la /var/named/*.bak.*

# Restore (replace TIMESTAMP)
sudo cp /var/named/inside.domusdigitalis.dev.zone.bak.TIMESTAMP /var/named/inside.domusdigitalis.dev.zone
sudo cp /var/named/10.50.1.rev.bak.TIMESTAMP /var/named/10.50.1.rev

# Reload
sudo rndc reload