cgi script for managing DNS

This cgi script uses zone transfers and secure dynamic updates to manage DNS zones.
I wrote this when I needed to manage my home DNS and I got tired of remembering the nsupdate syntax ;)
The script has a couple of benefits:

Once you start using dynamic updates, the zone transfers to secondaries will be incremental (much faster)
Because the server is maintining the zone, its impossible to add syntactically incorrect entries into the zone.

The script (actually, not the script, but dynamic updates) have a couple of nasty side-effects too:

Once you start using dynamic updates, you can no longer edit the zone file directly.
You can't even look at zone file to check the zone contents - since there is a .jnl file that modifies the contents of the zone in memory.

Download the script here and name it dns.cgi

Download parse.sh here

How to set it up

download the cgi script and parse.sh and put them in your cgi-bin directory
make sure it is executable by the user that owns the web server process
edit the dns.cgi script and change the ZONES entry to reflect the zones you wish to manage
follow the instructions in bind.html to generate the DNS dynamic update keys.
- Note that the key file names may need to be modified depending on the version of nsupdate that you are using. For example, using the stock sun version of nsupdate (bind 8), the key file is Kdynupdates+157+00000.key while the bind 9 version of nsupdate uses a key file of dynupdates.key.
- In addition, if you are using a Bind 9 nameserver, then you MUST use the Bind 9 version of nsupdate.
create the dnskeys sub-directory under the cgi-bin directory, and place the keys there. Make sure they are readable only by the user who owns the web server process.
- NOTE: if you don't use "dynupdates" as the key name, then you will have to change the name of the key in the dns.cgi script

update the named.conf to allow dynamic updates for those zones that you listed at the top of the dns.cgi script. I added the following:

key dynupdates. {
        algorithm hmac-md5;
        secret "RDenOA2X5il9navb5IdjAYijEjfI8fUgTrUbs6mag5Y=";
};

....... snip .....

zone "unixpeople.internal" {
        type master;
        file "db.unixpeople";
        allow-update {key dynupdates;};
};
....... snip .....

I also copied the keys to my /var/named directory
restart named and check for errors in /var/adm/messages, or /var/log/messages
Verify that your web server can execute cgi programs

Suggestions

you should definitely ensure that users must authenticate before running this cgi script
you should probably run this on an SSL-based web site

Thanks!

Thanks to Tim Wilfong for supplying a patch to cause zone transfer requests to be sent to the server specified in the SOA RR rather than to the default DNS server for the server where the CGI is running.