In this example we would like to delegate

    First, add the glue records in the main zone file of the domain.


                                  NS	IN	A	IN	A

    Then you can add a separate zone file for the delegated subdomain.


    $TTL 3h
    @       IN      SOA (
                                    1D )
    ; NS for dokuwiki :
    @	IN	NS
    @	IN	NS
    ns		IN	A
    ns2		IN	A	IN	A
    memorandum	IN	CNAME
    cultivation	IN	CNAME
    network	        IN	CNAME


    zone "" {
            type master;
            file "/etc/bind/";
    };

    Setup DDNS


    Example: update the IPv4 and IPv6 addresses of a subdomain.


    Requires: the bind9utils package

    For dynamic DNS, first create a TSIG key:

    dnssec-keygen -a HMAC-SHA512 -b 512 -r /dev/urandom -n HOST


    • the key name will be part of the generated filenames (.private and .key)
    • I tried to use more complex algorithms (based on public/private keys), but it's overkill in time and security just to update an IP on a subdomain.


    key {
           algorithm HMAC-SHA512;
           secret "KEY_VALUE";
    };


    • replace KEY_VALUE with everything after Key: in the generated .private file
    • keep the .private file; the client will use it together with the .key file
    • the name given in the key block is the name by which bind identifies the key


    include "/etc/bind/keys.conf";
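As an added example (not part of the original page), this shell function builds the key stanza above from the .private file written by dnssec-keygen; the key name and the file path are assumed to be passed as arguments, and the sample .private file is constructed for the demo.

```shell
# Added example: turn a Kname.+165+NNNNN.private file into a named "key" stanza.
# Usage: mk_key_stanza <keyname> <path-to-.private>   (names are assumptions)
mk_key_stanza() {
    name=$1
    private_file=$2
    # The secret is everything after "Key: " in the .private file
    secret=$(sed -n 's/^Key: //p' "$private_file")
    # "Algorithm: 165 (HMAC_SHA512)" -> named's spelling "hmac-sha512"
    algo=$(sed -n 's/^Algorithm: [0-9]* (\(.*\))$/\1/p' "$private_file" \
           | tr '_' '-' | tr 'A-Z' 'a-z')
    [ -n "$secret" ] || { echo "no Key: line in $private_file" >&2; return 1; }
    [ -n "$algo" ]   || { echo "no Algorithm: line in $private_file" >&2; return 1; }
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' \
           "$name" "$algo" "$secret"
}

# Constructed sample .private file for the demo (not a real key; the value is
# just base64 of a dummy string). Prints the temp file path.
demo_private() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: c2VjcmV0LWZvci1kZW1vLW9ubHk=
Bits: AAA=
EOF
    echo "$f"
}

# Example run: the stanza goes into /etc/bind/keys.conf (the include above).
# That file holds the shared secret, so keep it readable by the bind group only:
#   chgrp bind /etc/bind/keys.conf && chmod 640 /etc/bind/keys.conf
# f=$(demo_private); mk_key_stanza ddns-key "$f"; rm -f "$f"
```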

    Then you have two choices (they cannot be combined):

    1. allow-update: the key can update anything in the zone (/etc/bind/named.conf.local):
    zone "" {
            type master;
            file "/etc/bind/domains/";
            allow-update {

    2. (preferred) update-policy: the key can update only a specific part of the zone (/etc/bind/named.conf.local):
    zone "" {
            type master;
            file "/etc/bind/domains/";
            update-policy {
             grant name A AAAA;


    • an update-policy rule has the form <permission> <identity> <matchtype> [tname] [rr] (see the BIND documentation for details)
    • in this case, the identity is the name of the key

    Check the configuration

    named-checkconf && systemctl restart bind9

    In case of a manual update

    If you edit the zone file by hand, you will need to freeze the zone first:

    rndc freeze
    # edit your zone file (under /etc/bind/domains/)
    rndc thaw # when finished


    Ensure bind can read and write the file containing the zone (e.g. under /etc/bind/domains/) by setting the owner and permissions for the group bind with chown and chmod; dynamic updates also write a journal file (.jnl) next to the zone file, so the directory must be writable by bind as well.

    If AppArmor is enabled, make the following changes in /etc/apparmor.d/usr.sbin.named if required:

    /usr/sbin/named {
      /etc/bind/** r,
      /etc/bind/domains/** rw,
    }

    systemctl restart apparmor

    Client side

    Check it works

    Try to retrieve the TSIG part of the answer:

    dig -y TSIG

    If you have an error, check /var/log/syslog on the server.

    Update the zone

    Requires: the dnsutils package

    Example update.txt to add or change the IP addresses of the subdomain (the final send commits the batch):


    update delete A
    update delete AAAA
    update add 600 AAAA xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    update add 600 A
    send

    Important: make sure both key files (.private and .key) are present, otherwise you risk getting the response "update failed: REFUSED" with no details.

    nsupdate -k Kkeyname.+165+0316.private -v update.txt


    • specifying a file is not necessary if you prefer to type the commands interactively
    • -v forces TCP instead of UDP, preferred for batch requests
    • update delete: without this command, when the IP changes the old records remain present (which causes slow resolution)

    Ensure the update has been done with:

    dig ANY
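The client-side procedure above, as an added example that is not part of the original page: a function builds the nsupdate batch (delete old A/AAAA, add the new ones, send) and a second one pipes it into nsupdate and verifies with dig; the server, zone and host names are assumptions passed as arguments.

```shell
# Added example: generate the nsupdate batch described above.
# Usage: ddns_batch <server> <zone> <host> <ttl> <ipv4> <ipv6>
ddns_batch() {
    server=$1; zone=$2; host=$3; ttl=$4; ipv4=$5; ipv6=$6
    # Rough sanity checks so a typo does not get sent to the zone
    case $ipv4 in
        *.*.*.*) ;;
        *) echo "bad IPv4: $ipv4" >&2; return 1 ;;
    esac
    case $ipv6 in
        *:*) ;;
        *) echo "bad IPv6: $ipv6" >&2; return 1 ;;
    esac
    # "server"/"zone" pin the target; delete first so stale addresses do not
    # pile up (the "update delete" note above); "send" commits the batch.
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'update delete %s.%s. A\nupdate delete %s.%s. AAAA\n' \
           "$host" "$zone" "$host" "$zone"
    printf 'update add %s.%s. %s A %s\nupdate add %s.%s. %s AAAA %s\nsend\n' \
           "$host" "$zone" "$ttl" "$ipv4" "$host" "$zone" "$ttl" "$ipv6"
}

# Send the batch over TCP (-v) signed with the key file, then read back the
# records from the server to confirm the update was applied.
# Usage: ddns_apply <keyfile.private> <server> <zone> <host> <ttl> <ipv4> <ipv6>
ddns_apply() {
    keyfile=$1; shift
    ddns_batch "$@" | nsupdate -k "$keyfile" -v || return 1
    dig +short @"$1" "$3.$2" A
    dig +short @"$1" "$3.$2" AAAA
}

# Example call (all names constructed):
# ddns_apply Kddns-key.+165+12345.private ns1.example.org example.org host1 600 192.0.2.10 2001:db8::10
```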



    See also ddns-confgen

    Check configuration

    named-checkconf -z

    Note: for more details on a single zone, you can run: named-checkzone domain.tld /etc/bind/domains/domain.tld

    Check propagation




    $TTL 3h
    @       IN      SOA (
                                    2013080101 ; serial number (YYYYMMDDxx)
                                    1D         ; refresh =  1 day
                                    15M        ; update retry = 15 minutes
                                    3W         ; expiry = 3 weeks
                                    2H )       ; minimum = 2 hours
    ; NS :
    ns1             IN      A  ; glue record
    ns2             IN      A ; glue record
    @       IN      NS
    @       IN      NS
    @       IN      NS
    @       IN      A
    @       IN      A
    ; it is equivalent to
    ;  IN  A
    ;  IN  A
    ftp     IN      CNAME

    Notice :

    - @ is replaced by the zone name (here the same as the file name)
    - You could also specify $ORIGIN at the beginning of the file
    - To know more about glue records, [see](softwares/server/dns/start#glue_record)
    - **Refresh Time** - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
    - **Retry time** - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
    - **Expire time** - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
    - **Minimum TTL** - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.


    List subdomains locally

    cat | grep -v -E "^[\\$|*]" | grep -v -E "NS|SOA" | grep -E "^\w"
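As an added example (not part of the original page), a sturdier version of the pipeline above: an awk pass that lists the owner names defined in a zone file, skipping $ directives, comments, @/NS/SOA lines and the parenthesised continuation lines of the SOA record; the sample zone file is constructed for the demo.

```shell
# Added example: list the subdomains (owner names) defined in a zone file.
# Usage: list_subdomains <zonefile>
list_subdomains() {
    awk '
        { sub(/;.*/, "") }                  # drop comments (fine for A/AAAA/CNAME zones)
        /^[ \t]*$/ { next }                 # skip blank lines
        /^\$/ { next }                      # skip $TTL / $ORIGIN directives
        inparen { if ($0 ~ /\)/) inparen = 0; next }   # inside SOA ( ... )
        /\(/ && !/\)/ { inparen = 1; next } # line opening a multi-line SOA
        /^[ \t]/ { next }                   # continuation of the previous owner
        $1 == "@" { next }                  # the zone apex itself
        /[ \t](NS|SOA)[ \t]/ { next }       # delegation / SOA records
        !seen[$1]++ { print $1 }            # each name once, in file order
    ' "$1"
}

# Constructed sample zone file for the demo. Prints the temp file path.
demo_zone() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
$TTL 3h
$ORIGIN example.org.
@       IN      SOA     ns1 hostmaster (
                        2013080101 ; serial
                        1D 15M 3W 2H )
; NS :
@       IN      NS      ns1
ns1     IN      A       192.0.2.1 ; glue record
ns2     IN      A       192.0.2.2
@       IN      A       192.0.2.3
www     IN      CNAME   @
ipv6host IN     AAAA    2001:db8::1
ipv6host IN     A       192.0.2.4
ftp     IN      CNAME   www
EOF
    echo "$f"
}

# Example run: f=$(demo_zone); list_subdomains "$f"; rm -f "$f"
```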